The Microsoft Threat Intelligence Podcast 11.19.25
Ep 57 | 11.19.25

Ahoy! A Tale of Payroll Pirates Who Target Universities

Transcript

Sherrod DeGrippo: Welcome to the Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry, I'm your guide to the back alleys of the threat landscape. Hello, and welcome to the Microsoft Threat Intelligence Podcast. I am Sherrod DeGrippo, Director of Threat Intelligence Strategy here at Microsoft. Today, we're talking about two kinds of financially-motivated threat. We'll talk about Payroll Pirates, who are siphoning salaries from universities via SaaS HR platforms, and then we'll talk about threat actor group Vanilla Tempest. They are using fraudulently signed Teams installers to drop Oyster and then eventually Rhysida ransomware. These are two different tactics, but they have the same kind of thesis, which is attackers weaponizing trust in identity and code to eventually get what they want. Joining me today are two security researchers who work with me here at Microsoft, Tori Murphy, Security Researcher, and Anna Seitz, Security Researcher. Tori and Anna, thank you for joining me. >> Thank you for having us. >> Thank you. Glad to be here. It's so great to talk to you both again. Let's start with this Payroll Pirates blog. This talks about the threat actor group, Storm-2657. Tori, for the listeners out there that don't know what a storm group is, can you kind of give us the update on what storm means?

Tori Murphy: Yeah, sure. So storm groups are created to track either threat actors or clusters of activity. In this situation, this threat actor was behind the Payroll Pirate scheme. And yeah, they're definitely financially motivated with this one.

Sherrod DeGrippo: So essentially, a storm group is when we don't have a full attribution of motivation, country, all of those kinds of things. We don't have the confidence level that we want. And so eventually this Storm-2657 group will probably become a Tempest at some point.

Tori Murphy: Yep.

Sherrod DeGrippo: For those of you out there, one day we will have, I'm determined to have, a full episode of this podcast about threat actor naming and having everyone just fight. But typically Tempest is financially motivated, so we'll maybe see this threat actor group upgraded someday. This group targets university users with phish. And Tori, kind of walk us through what that attack chain looks like. I know they use some adversary in the middle, they steal MFA. What does that attack chain look like?

Tori Murphy: Yeah, so it's starting with the phishing email. This person is using compromised email accounts from universities and they are sending the phish in the mail using pretty sophisticated subject matter. I think one was COVID related, one was HR related. Pretty well detailed emails. And the user's clicking the link in the email. I think some of them were Google Docs. Which if you've ever been to a college campus, Google Docs is like most of what you're doing, working on projects. And yeah, so you're clicking that link, and during that time, adversary in the middle is happening. So the credentials are being stolen and then the baddie is taking that information and they're hacking into the Workday portals and changing -- I don't want to miss this big part, is after they get in, they are deleting any incoming emails to that user from Workday. So Workday might be sending notifications like, user, someone signed in with your login, was it you? They're not getting any of that information. And then that person is going into the portal and changing the bank information to their bank account and taking those salary payments.

Sherrod DeGrippo: My dream. Oh, someday. So just kidding, I would never. But whenever -- I work a lot with financially motivated threat actors, that's one of my favorite parts of the landscape, and I just see how much money is in it. And it's staggering, right? The potential to essentially get somebody's paycheck or get some kind of direct deposit to you instead of to them. Sounds like a nice life. It's criminal. You go to prison. But it does sound like a nice way to live. So we've seen here, Sherrod wants to do -- I don't actually want to do crime, I just want a lot of money. It's totally a different thing. I want it all via legal means, which is -- I'll protect people for money. I'll do security for money. So we've seen at least 11 compromised accounts used to send around 6,000 phishing messages in the campaign. And then this is across 25 different university targets. Which I think is really interesting because they've really made some choices if you're doing that to 25 specific universities. So this threat actor is thinking about it. I also want to be clear very quickly, this is not a vulnerability in Workday. This is an identity issue that is not about whatever SaaS platform is being leveraged here. It is really about that identity aspect. Tori, tell us a little bit about, from the targeting perspective, what is attractive about universities as a target that this threat actor is thinking about?

Tori Murphy: Good question. I have an example. So my first, I got my undergrad in. When I read all this, I thought about my college's janky portal system and how there's so many universities, but I feel like the big ones, Yale, Harvard, probably have really good policies in place on security, IT. And then I think about my undergrad school, which I won't name drop, loved it, but it just wasn't there. So I wonder if this person almost had a background, maybe they were a college student themselves, maybe they even worked for a college. But there is something that they're targeting a place where there's so many campuses, the spectrum of getting in is probably, well, rewarding as they know now. So I feel like since it's working, they're just off to the races.

Sherrod DeGrippo: I think too, universities and academia are a really unique space for a variety of reasons. They have a lot of identity sprawl. So there are a lot of users who have their .edu, but then also have their personal email or might have a professional or a work identity. And a threat actor can really do some damage if they're able to pivot through all of those different identities. There's also a lot of bring-your-own-device. I mean, the whole thing is really bring-your-own-device, especially when we're talking about staff that's maybe not permanent or students or some kind of auxiliary faculty, things like that. Those have a lot of seasonal staff. People are moving in and moving out all the time. And then, of course, it is a normalized reality, as you said, for this population to click on links. I mean, they're sending docs around, they're getting things done through email and stuff like that. So I think university is a target that a lot of threat actors find particularly attractive for certain types of threat. So Tori, let's talk about where the control issues are here in terms of what organizations need to do. For me, the first one is like this weak MFA part. It's not phish-resistant MFA.

Tori Murphy: Yeah.

Sherrod DeGrippo: What other kinds of things can organizations do to maybe protect themselves from this particular threat?

Tori Murphy: In a perfect world during syllabus week, I wish like there was an extra paper at the end telling students about protecting themselves. But all campuses should be -- I would love campuses to know that this is happening, to understand what they need to do in order to protect students and staff. I'm sure certain campuses are already on top of this. But I do wonder what events transpired after these campuses were targeted. I also think it's working off of weaknesses. I think college students, staff probably too, are super stressed out. I was even saying, Anna, you know, how many students are hungover, checking their email. One of the subjects was classroom misconduct report. Things where, oh no, what did I do? And you're clicking. And I can just see people falling victim because it's preying off their stress factors and whatnot.

Sherrod DeGrippo: There's a big aspect of it for that. I also saw some of the themes where things like "illness exposure" is scary when you're in a school or university setting. And then things like HR updates. Which that strikes so much fear into somebody when they see that pop up on their email, that there's HR updates, that can always be scary. In 2025, we live in a time that can be deeply concerning when it comes to stuff like that. And so I think this is something that goes back to that three-pronged tenet of social engineering, which is urgency, emotion, and habit. If they are playing on those things, they are social engineering you. Now, the person or group social engineering you may be doing it in order to get you to purchase something from their online store, perfectly legit. It's a tactic used by legitimate marketing teams all the time to sell you things that are great to buy. But when it's used for malicious purposes, it's really effective. If they can get you in an emotional state, hurrying in an emotional state, doing something that you always do, that's all it takes.

Tori Murphy: Yeah, and I think only 10% of the students that were phished reported it. Which good for you 10%, but, you know, would love if that number was, I don't know, maybe 50 or 60, 100 would be great, but 10% is pretty low.

Sherrod DeGrippo: I think that's something we should mention too. I know that we have a lot of security practitioners that listen to the podcast, not necessarily tons of run-of-the-mill end users. Which is, that's what this podcast is for. Just FYI, we really are here for practitioners. I'll get into that later. But I really want practitioners to encourage their user populations to click "report phish." It does make a difference in detection efficacy. The more telemetry that can come back, it creates almost a crowdsourcing of what things to be worried about. And then our defender detection engineers can look at those things and see trends very quickly. You could be a first reporter. Think about that, you might be the first person. It's always one. There is always somebody who is the first to receive the email from a campaign. Even though they're blasting out hundreds, thousands, 10s, 20s, thousands and thousands of emails, there's always somebody who's first. And the earlier that you can send that telemetry back and report that phish to your organization, the better efficacy will be in blocking these things to begin with.

Tori Murphy: One hundred percent.

Sherrod DeGrippo: So I think that there's a lot of things here that are interesting in terms of the way that the threat actor is proceeding through this campaign. It really is, in a lot of ways, business email compromise put in this SaaS HR framework. Again, this is not a vulnerability. There's not a zero-day. It's a gap in the way identity is working, and it's a gap in notification. It's a notification blind spot. And I think that the threat actor, Tori, correct me if I'm wrong, the threat actor was going in and making inbox rules.

Tori Murphy: Yes.

Sherrod DeGrippo: And so give us an idea of why a threat actor might do that and what that helps them achieve.

Tori Murphy: So it's kind of like having the cleanest crime scene, right? You're going to go out there, you're going to do the bad stuff in the background. And knowing that you're not letting the victim know you're doing the bad stuff by blocking the incoming email, it's smart, I mean. So they're making sure that any Workday notifications are not being sent to the user.

Sherrod DeGrippo: Yeah, it's smart. And this is something that we've been seeing for years. This is not a new technique. Threat actors have been putting inbox rules in when they compromise an identity for years. If you think about being stealthy, if you think about hiding your tracks, it's the right thing to do. Operationally, anything that's like "delete Workday notifications" is under-detected in most organizations. You have to join first party, so Exchange notifications, with third party, so your Workday notifications, you have to join that telemetry together or this will stay invisible and you will never know that it's happening. I also think -- Tori, let's talk about the direct deposit change. First, everyone should go in and change their direct deposit to go to me and I will manage your funds. I don't know why I'm so money-focused today. I guess it's because it's a crime episode. So I'm like, hmm. So let's talk about friction around making changes to direct deposit and banking changes. So should we accept a little friction? Something like an out-of-band challenge or notification for money movement? What do you think about adding a little bit of inconvenience there?

Tori Murphy: I think we're stepping into a world where inconvenience is the way to go. I mean, my first thought was -- and I mean, I'm sure the FBI is probably on -- I just feel like there's so much evidence left behind, as much as this person cleaned up after themselves. I feel like the direct deposit, I'm sure they changed to maybe some crypto account. But yeah, I think -- and this is where I'm sure when these changes were made, the notifications were ripping to that email. But that's where I feel like MFA, a notification on the user's phone, not just going for the email. I think email -- I just feel like having the phone, having that's you, this is the device saying, this is happening, can you tell us that this is you, definitely should be in all these third-party software as a service. But I digress.

Sherrod DeGrippo: Yeah, I feel like banks are really good for the most part. Financial institutions are really good about notifying their users when there's movement of money or changes in direct deposit. They have really good controls for their consumers around this. It might be time for universities to put that same kind of control mechanism around when banking and financial changes are made within those systems. Because for a lot of students and employees, the university in many ways is like a currency transportation vector. Like they're sending money to the university, they're getting money back from the university, they're paying things to the university, they're using it as a bookstore card, a cafe card, all these different things, and you have your account at the university. I think it might be time for universities to adopt a little bit more of the sort of banking and financial industry capabilities. Which, if we're picking favorites, I will say that the financial industry outside of government tends to have the best security in my experience.

Tori Murphy: Yeah, I agree.

Sherrod DeGrippo: And I will also say that the worst is retail. There you go, that's my hot take.

Tori Murphy: Yeah.

Sherrod DeGrippo: Financial is doing the best, retail is doing the worst. That's just what I -- hey, I call them like I see them, people. No, I think retail really has a long way to go, but they have special constraints around them, which is things like registers can't go down. People have to be able to transact. They prioritize different things than financial. But you know, they could do, they could do a little better. What else do we need to know about Payroll Pirates or anything that organizations should think about when talking about this threat? Like for me, I really think looking at detections around new inbox rules being created, that's something that organizations really need to push. And then if you want to take that security to the next level within Workday, anytime payment elections are being changed, managed, etcetera, there needs to be an alert sent for that kind of stuff as well. Users are not going to be constantly changing their payments, their payment elections and their direct deposit. That's something that doesn't happen that often. It's not going to be an overwhelming amount of alerts. I don't think it will contribute significantly to alert fatigue, particularly if it's joined with that new inbox rule creation notification. Those two things together are big indicators. If you're seeing salaries get diverted, you're going to have a lot of pain. This is not something that an organization is going to be able to manage easily or quickly. So stopping it from happening in the first place will make everyone's lives easier from security to IT to your customer service and support groups. So that's the Payroll Pirates threat. There is a Microsoft Threat Intelligence blog about this that you can go check out. This is after Storm-2657. If you are in the Microsoft Defender portal, you're welcome to go look up this threat actor. You'll see all the TTPs and various guidance. But if you're not in that portal, the blog also has a ton of information, as well as hunting guidance and lots of different things to look for, as well as things you can do to increase your security against this particular threat. So let's talk now about another financially motivated threat actor, Vanilla Tempest, also sometimes referred to in the world as "Vice Spider" or "Vice Society." I prefer Vanilla Tempest. I think it's more descriptive and just generally better. Anna, what do we need to know about Vanilla Tempest?

Anna Seitz: Yes, so Vanilla Tempest has been active on the threat landscape again. I believe we've actually talked about this financially motivated group before on the podcast, so it's interesting to see them keep popping back up. Basically, back in September, Vanilla Tempest carried out a widespread attack that leveraged fake Microsoft Teams installation setups for initial access.

Sherrod DeGrippo: So Vanilla Tempest pushes out something called "MSTeamsSetup.exe." And they're doing this, it looks like, primarily via SEO poisoning, which we have talked about before. SEO poisoning is an interesting tactic. They're using it to deliver Oyster Backdoor, which is signed with a fake or fraudulently obtained certificate, and then they deploy Rhysida ransomware. First, I want to start by answering the question that everyone is asking. Microsoft did revoke 200 certs that were bad. Defender flags this loader, Defender flags Oyster, Defender flags Rhysida. But it's interesting that they're using SEO poisoning as the delivery mechanism for this. And we've seen SEO poisoning before, particularly from financially motivated threat actor groups. It's kind of one of the exclusive TTPs that we see out of financial. Most nation-sponsored threat groups are not doing SEO poisoning. What do we think about how Vanilla Tempest is using this?

Anna Seitz: Yeah, so in SEO poisoning, obviously users who are searching for terms with the goal of reaching a legitimate software download might receive an advertisement for a fraudulent site that masquerades as the legitimate resource. That's basically SEO in a nutshell. This is a newer tactic that Vanilla Tempest has been using. This has been a pivot away from some of their things. I believe we talked about INC ransomware and some other tactics in the previous episode on Vanilla Tempest. And so this is kind of a new frontier for them. And in this particular situation, the fake Teams setups had been hosted on malicious domains that mimic the Microsoft Teams brand. So I think this will be something that we'll continue to see with Vanilla Tempest.

Sherrod DeGrippo: So the attackers are able to engineer, which is what that term SEO means (search engine optimization). They're basically able to engineer what search results come back when you search a certain term or topic. They return then links to the malicious software that they want you to download. So instead of sending something like a phishing email, the attacker is essentially letting you come to them. So you go to your favorite search engine, which is Bing, and you search for Microsoft Teams download. You click the first link, it looks legit. There's a logo, there's a layout, the certificate is valid, but what you're downloading is malware. It's interesting, it's kind of like creating spear phishing for search engines. So Anna, I know that this is an update on a threat actor that we've been watching and talking about for a while. What's going on with them lately?

Anna Seitz: Vanilla Tempest was first observed by Microsoft in 2021. In 2022, we started seeing the group leverage commodity tools and opportunistic ransomware campaigns. And then in 2024, we're starting to see these Gootloader infections that lead to Vanilla Tempest activity. And then it goes into that INC ransomware that we talked about that was targeting hospitals. And now we're seeing them use Oyster Backdoor to essentially deliver the Rhysida ransomware. Which in itself has only really been around, it's probably around like 2023 timeframe. So you can see this group is active, they're on their feet and they're changing tactics dramatically over the course of just a few years.

Sherrod DeGrippo: I think that's interesting. And I think it's also interesting that they are registering domains on bulletproof hosting providers, and they're doing self-signed TLS once that cert is revoked. So leveraging code signing abuse, I think, is really interesting. These certs are signed from places like SSL.com, DigiCert, GlobalSign. These are trusted signing authorities, but of course, they're being created by the threat actors. How do we deal with that? The reputation of the publisher is legit. It's the threat actor group that's getting the malicious aspect to this.

Anna Seitz: This one's hard. I mean, this stuff is sophisticatedly designed to make it look like it's the real thing, and it's a really easy way to dupe somebody or accidentally have a victim click on something that's not real. One of the most effective things that people can do against this threat is to use the principle of least privilege in building that credential hygiene. Organizations can also limit the destructive impact of ransomware, even if they do have access to an initial system, by making sure that these pillars of credential hygiene are in place, like making sure your users are educated and they're not clicking on phishing things, double checking verification if they're going to be doing some web browsing. But ultimately, this one is a hard one. This one's difficult.

Sherrod DeGrippo: And I think, too, it's important to look at the role of Oyster. This is a backdoor. It's a classic modular downloader, which allows the threat actor to deliver all of their post-exploitation tooling. So things like Cobalt Strike beacons, remote management and monitoring utilities, terraforming and building what they then will use to potentially deploy the ransomware. So we're looking at the fake installer, followed by things like living off the land, putting in whatever tools they need, and then putting in the command and control beacons. So think about that from the attack chain perspective, what you need to look out for if you're hunting for this. And so this threat actor, Vanilla Tempest, has also used not just Rhysida, they've also done BlackCat, Quantum, and Zeppelin ransomware. This is a classic ransomware threat actor group. Anna, is there anything specific around the targeting or the victims that they're looking at, or is this sort of opportunistic?

Anna Seitz: I think in this case, this is an opportunistic campaign. This group has been, I would say, proven to target other sectors in the past, like with the INC ransomware campaigns they were running that were all hospital-based. This one, I think this is opportunistic. And it's primarily, Vanilla Tempest is relying on publicly-disclosed vulnerabilities for that initial access. And they've also used backdoor malware in the past, like SystemBC, PortStarter, and Supper. So I think in some of these cases, they do it all. They're targeting and they're running these opportunistic campaigns based on vulnerabilities.

Sherrod DeGrippo: I think one of the ways that organizations can fight against this is doing things like having only certain software allowed and making sure that you have specific allowed executables and that your user base can't just download these off the internet whenever they want. You need to have this specific executable that's allowed within your environment. Now, that's not going to work necessarily for the consumer side, for individuals. But hopefully within an enterprise environment, you can use something like Intune to restrict and enforce what executables are allowed to be installed. So, Anna, I know that Vanilla Tempest is kind of they're sort of like the classic modern ransomware group of today. What kinds of things in terms of TTPs are we seeing from Vanilla Tempest compared to the rest of the landscape?

Anna Seitz: I would say this group is very consistent in their TTPs with the rest of the threat landscape as far as financially-motivated cyber criminals go. We're still seeing them use PowerShell scripts, repurpose legitimate tools, and that's a common TTP that we see among other ransomware threat actors.

Sherrod DeGrippo: Okay, I think that these two examples of Vanilla Tempest and the Payroll Pirates example really show that threat actors are working on the technical mechanisms that we use for security, signed certificates and MFA, as well as living through things like SaaS platforms that have a kind of inherent trust, not just from humans trusting the brands, trusting the logos, but come with trust assigned to them by the technical mechanisms and connections between different systems from different vendors and providers. We have to make sure that we're using phish-resistant MFA and that our constituent users have an ability to really trust the MFA systems that we are giving to them. Phish-resistant MFA must be the future. It's going to be the thing that really makes the difference between what these threat actors can and can't do. So a couple of things I should recommend to our listeners who are in enterprise security roles: move anything HR or payroll related to phish-resistant MFA, passkeys, or FIDO. Block legacy MFA for these really important apps. You just can't afford to have to deal with those kinds of incidents. Think about putting in rules that combine detection for new inbox rule created or anything having to do with Workday or other applications that are relevant to money changing hands, bank account changes, etcetera. Also, think about some kind of out-of-band confirmation or at least notification for anything that has to do with bank account changes. Anything where someone can change where money is sent to or from, that warrants adding a little bit of extra friction. It's not going to kill someone to verify that they've changed their bank account. They don't do it that often. And then finally, only allow installers from your company portal. You should not be letting everyone install everything everywhere all at once. Make sure that you have some controls around that. And think about first-seen signers as restricted. Those are some pretty easy things to do. They're outlined in the blog as well as in our Show Notes here. So please do get on shoring up your security if you're in one of those roles. If you're not, go bother your InfoSec team and ask them if you're safe. Tori, Anna, thank you so much for joining me on the Microsoft Threat Intelligence Podcast. It was great talking to you about what's going on in the landscape today. >> Thanks, Sherrod. >> Thank you. Thanks for listening to the Microsoft Threat Intelligence Podcast. We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode, we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out at msthreatintelpodcast.com for more and subscribe on your favorite podcast app.