Post by Mitiga
Storm-2657 phished HR staff, logged into Microsoft 365, rode SSO into Workday, and changed employee direct deposit accounts. The money left on payday. Microsoft tracked phishing reaching nearly 6,000 accounts across 25 US universities.

The inbox rules make the whole thing work. Workday emails you when your bank details change, so the attackers set rules that keep those notifications from ever being seen.

In the new Mitiga Minute, Idan Cohen joins Brian Contos to break down the campaign, then opens the platform on a real example we have seen in the field:

→ The M365-to-Workday pivot, including the external inbox forwarding rule, correlated in one incident view
→ Four bank account transfer configurations created in 12 minutes, flagged critical by AI Insights

Idan recommends that if you run Workday, ingest every log you can and build detections on it, hunt proactively on a schedule, route security notifications to a mailbox a compromised account can't reach, and disable legacy auth.

If someone changed a direct deposit account in your Workday tenant this morning, where would that log surface — and who would see it before payday?
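As an added example (not Mitiga's code or the platform shown in the video), here is one detection of the kind Idan recommends: it reads Microsoft 365 Exchange audit records and flags inbox rules that hide Workday/payroll notifications or forward mail outside the tenant, the two rule types described above. The audit records, user names, addresses and tenant domain are constructed for the example.

```python
import json

# Constructed sample of Microsoft 365 unified audit log records (the AuditData JSON that
# Search-UnifiedAuditLog returns for Exchange cmdlets); users, rules, addresses and domain are made up.
TENANT_DOMAIN = "example.edu"
SAMPLE_AUDIT = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "hr.admin@example.edu", "Parameters": [
        {"Name": "Name", "Value": "."}, {"Name": "DeleteMessage", "Value": "True"},
        {"Name": "SubjectContainsWords", "Value": "Workday;direct deposit"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "hr.admin@example.edu", "Parameters": [
        {"Name": "Name", "Value": "Backup"}, {"Name": "ForwardTo", "Value": "hrbackup@external-mail.example"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "prof.smith@example.edu", "Parameters": [
        {"Name": "Name", "Value": "Digests"}, {"Name": "MoveToFolder", "Value": "Digests"},
        {"Name": "SubjectContainsWords", "Value": "Weekly digest"}]}),
]
# Terms found in Workday notifications about payment election (direct deposit) changes.
PAYROLL_TERMS = ("workday", "direct deposit", "payment election", "bank")
CONDITION_KEYS = ("SubjectContainsWords", "SubjectOrBodyContainsWords", "From")
HIDE_ACTIONS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")
FORWARD_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

def parameters(record):
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}  # {name: value}

def rule_findings(record):
    """Return why an inbox-rule record looks like notification suppression ([] if benign)."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    params, reasons = parameters(record), []
    # Hiding rules: payroll/Workday terms in the condition plus a delete/move/mark-read action.
    condition = " ".join(params.get(k, "") for k in CONDITION_KEYS).lower()
    if any(t in condition for t in PAYROLL_TERMS) and any(k in params for k in HIDE_ACTIONS):
        reasons.append("hides payroll/Workday notifications")
    # Forwarding rules: any target outside the tenant, whatever the condition.
    for action in FORWARD_ACTIONS:
        target = params.get(action, "")
        if target and not target.lower().endswith("@" + TENANT_DOMAIN):
            reasons.append(f"{action} to external address {target}")
    # A lone punctuation mark as the rule name is a common sign of a rule meant to go unnoticed.
    if reasons and len(params.get("Name", "").strip(".,;:_- ")) <= 1:
        reasons.append("suspicious rule name")
    return reasons

def find_suspicious_rules(audit_lines):
    """Return (user, rule name, reasons) for each suspicious rule among raw AuditData lines."""
    hits = []
    for record in map(json.loads, audit_lines):
        if reasons := rule_findings(record):
            hits.append((record["UserId"], parameters(record).get("Name", ""), reasons))
    return hits
```

Run against the real audit export instead of SAMPLE_AUDIT and route the hits to a mailbox or channel the affected account cannot reach, as the post recommends.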