“Payroll Pirate” Is Hijacking Paychecks Through Sneaky Phishing Tricks—Here’s How It Works and How to Stay Safe

Imagine logging into your bank account on payday only to find… nothing. Your paycheck didn’t land. It wasn’t a delayed transfer. It was stolen. And you never saw it coming.

Microsoft is warning about a phishing threat that’s quietly rerouting employee paychecks—and it’s already made its way into at least 25 U.S. universities. The threat has a name: Payroll Pirate. And unlike the treasure-hunting caricatures from movies, these pirates operate entirely online.

Let’s break down what’s happening—and why you should care.


What’s the “Payroll Pirate” Scam?

This attack starts with a fake email. It might say you’ve been exposed to a disease on campus, or that your health benefits have changed. Either way, it’s crafted to grab your attention—and get you to click.

That click takes you to a fake login page. It looks like it belongs to your company or school’s HR system—something like Workday. Once you enter your login credentials, the attackers are in.

Here’s where it gets sneakier.

Even if you’ve set up multi-factor authentication (MFA) with one-time codes or text messages, they can still get through using what’s called an “adversary-in-the-middle” technique. Basically, the scammers create a fake version of the login site that acts like a middleman. You type in your password and MFA code. They take those and use them immediately on the real site.

Once they gain full access to your account, they change where your paycheck gets deposited—redirecting it to a bank account they control.

And just to make sure you don’t notice, they go one step further: they update your email filters to quietly hide any alerts from Workday about the change. So your pay disappears without a trace or warning.


Who’s Been Targeted So Far?

Since March 2025, Microsoft has tracked 11 compromised accounts across three universities. Those accounts were then used to send phishing emails to nearly 6,000 inboxes across 25 different universities.

That’s a lot of potential victims—and that’s just from what’s been observed so far.


Why Traditional MFA Isn’t Enough

If you’re thinking, “But I set up MFA, shouldn’t I be good?”—that’s exactly the problem.

The kind of MFA most people use (codes sent by text, push notifications, or temporary email links) can be intercepted with these advanced phishing tools.

It’s a scary reminder that not all MFA is created equal.

The stronger, much more secure alternative? FIDO-compliant MFA methods. These include:

  • Passkeys
  • Physical security keys
  • Device-based authentication that uses biometrics

According to Microsoft, there haven’t been any known cases where scammers were able to bypass FIDO-based MFA using these phishing techniques.


What You Can Do Right Now

Here are a few steps to help guard your account—and your paycheck.

  • Use FIDO-compliant MFA if your organization supports it.
  • Be skeptical of any email that urges rapid action—especially on health risks or benefits updates.
  • Double-check the sender and the URL before you enter any login info.
  • Periodically review your email rules or filters in Outlook or Gmail. Look for any that might hide or block alerts from Workday or HR systems.
  • If something seems suspicious, report it before clicking.
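
For administrators, the inbox-rule review above can be automated across mailboxes. This is an added example, not code from Microsoft or from this article: it flags enabled rules that both match HR/payroll wording and hide the message, which is the alert-suppression trick described earlier. It assumes rules exported in the shape of the Microsoft Graph messageRule resource; the watch terms and the sample rules are constructed.

```python
# Field names follow the Microsoft Graph messageRule resource (assumed export format).
# SAMPLE_RULES is constructed data, not taken from a real mailbox.

# Assumption: wording a payroll-change alert is likely to contain. Tune per organization.
WATCH_TERMS = ("workday", "payroll", "direct deposit", "payment election")
# Rule conditions that hold lists of strings matched against incoming mail.
TEXT_CONDITIONS = ("subjectContains", "bodyContains",
                   "bodyOrSubjectContains", "senderContains")
# Actions that keep a message out of the user's normal view.
HIDING_ACTIONS = ("delete", "permanentDelete", "moveToFolder", "markAsRead")


def matched_terms(conditions):
    """Return the watch terms found in any text condition of a rule."""
    values = [v.lower() for f in TEXT_CONDITIONS for v in conditions.get(f) or []]
    return sorted({t for t in WATCH_TERMS if any(t in v for v in values)})


def suspicious_rules(rules):
    """Flag enabled rules that match HR/payroll terms AND hide the message."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue  # disabled rules cannot suppress anything
        terms = matched_terms(rule.get("conditions") or {})
        hides = [a for a in HIDING_ACTIONS if (rule.get("actions") or {}).get(a)]
        if terms and hides:
            findings.append((rule.get("displayName", ""), terms, hides))
    return findings


SAMPLE_RULES = [  # constructed
    {"displayName": "misc", "isEnabled": True,
     "conditions": {"subjectContains": ["Payment Elections", "Direct Deposit"]},
     "actions": {"delete": True, "stopProcessingRules": True}},
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["news@example.edu"]},
     "actions": {"moveToFolder": "constructed-folder-id"}},
    {"displayName": "Tag HR mail", "isEnabled": True,
     "conditions": {"senderContains": ["workday"]},
     "actions": {"assignCategories": ["HR"]}},
]

if __name__ == "__main__":
    for name, terms, hides in suspicious_rules(SAMPLE_RULES):
        print(f"REVIEW rule {name!r}: matches {terms}, actions {hides}")
```

Only the first sample rule is flagged: the newsletter rule hides mail but matches no payroll wording, and the tagging rule matches Workday but leaves the message visible.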

The Bottom Line

These attacks are sophisticated, and they’re getting more common. Even people who’ve done “everything right”—like setting up MFA—are still getting caught.

The key takeaway? It might be time to move beyond traditional login setups and look into stronger protections like passkeys or physical security tokens.

Stay cautious, verify before you click, and check those inbox filters.

Your next paycheck might depend on it.
