Microsoft has issued a warning about an ongoing phishing campaign known as “Payroll Pirate,” which targets employees’ payroll accounts and redirects their salaries to bank accounts controlled by attackers.
The scam begins with phishing emails designed to steal login credentials for Workday and other cloud-based HR systems. Once victims enter their usernames and passwords on a spoofed login page, the attackers capture these details in real time — including multi-factor authentication (MFA) codes — using an adversary-in-the-middle (AitM) setup that intercepts communication between the user and the legitimate site.
Armed with the stolen credentials, the criminals gain full access to employees’ HR profiles and alter payroll or direct-deposit settings, diverting paychecks to their own bank accounts.
Microsoft notes that this scheme highlights a growing problem with phishable MFA methods such as SMS or app-based codes. The company advises organizations to adopt FIDO2-compliant hardware security keys or passwordless authentication, which are resistant to AitM attacks and significantly reduce the risk of payroll diversion fraud.
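As an added illustration (not code from Microsoft or from any HR vendor), the sequence described above, a sign-in followed by a direct-deposit change, can be hunted for by correlating identity-provider sign-ins with HR change events. The event schema, field names, users and IP addresses below are constructed for the example, and it assumes the intercepted session shows up in sign-in logs from an IP address the employee has not used before.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema; this is not
# the audit-log format of Workday or any other product.
SIGNINS = [
    {"user": "alice", "time": "2025-01-06T09:02:00", "ip": "198.51.100.10"},
    {"user": "alice", "time": "2025-01-13T08:57:00", "ip": "198.51.100.10"},
    {"user": "alice", "time": "2025-01-20T03:14:00", "ip": "203.0.113.77"},
    {"user": "bob", "time": "2025-01-06T10:00:00", "ip": "198.51.100.22"},
    {"user": "bob", "time": "2025-01-20T10:00:00", "ip": "198.51.100.22"},
]
HR_EVENTS = [
    {"user": "alice", "time": "2025-01-13T09:10:00", "action": "address_change"},
    {"user": "alice", "time": "2025-01-20T03:21:00", "action": "direct_deposit_change"},
    {"user": "bob", "time": "2025-01-20T10:30:00", "action": "direct_deposit_change"},
]

def _ts(event):
    return datetime.fromisoformat(event["time"])

def flag_payroll_changes(signins, hr_events, window=timedelta(hours=24)):
    """Return direct-deposit changes made within `window` after a sign-in
    from an IP address that user had not signed in from before."""
    seen = {}    # user -> IPs observed so far
    novel = []   # sign-ins from a first-seen IP (first-ever sign-in is baseline)
    for s in sorted(signins, key=_ts):
        known = seen.setdefault(s["user"], set())
        if known and s["ip"] not in known:
            novel.append(s)
        known.add(s["ip"])

    alerts = []
    for ev in sorted(hr_events, key=_ts):
        if ev["action"] != "direct_deposit_change":
            continue
        for s in novel:
            delta = _ts(ev) - _ts(s)
            if s["user"] == ev["user"] and timedelta(0) <= delta <= window:
                alerts.append({"user": ev["user"], "ip": s["ip"],
                               "signin": s["time"], "change": ev["time"]})
                break
    return alerts

if __name__ == "__main__":
    for alert in flag_payroll_changes(SIGNINS, HR_EVENTS):
        print(alert)
```

Bob's change is not flagged because it follows a sign-in from his usual address; in practice the baseline would come from a longer history than two prior sign-ins.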