PAYCHECK HIJACK: Attackers Are Stealing Salaries and Payroll Data Across Higher Education Institutions

 HIGHER ED ALERT • BUSINESS EMAIL COMPROMISE
   

By CyberDudeBivash • October 11, 2025 • V6 "Leviathan" Deep Dive

cyberdudebivash.com | cyberbivash.blogspot.com
Disclosure: This is a security analysis for leaders in Higher Education. It contains affiliate links to relevant enterprise security solutions. Your support helps fund our independent research.

 

Part 1: The Executive Briefing — The Crisis of Payroll Diversion in Academia

 

A new report from the Microsoft Threat Intelligence Center has highlighted a massive surge in **payroll diversion attacks** specifically targeting the **Higher Education sector**. These are not technical exploits, but highly effective social engineering campaigns that result in the direct theft of faculty and staff salaries. For university Presidents, CISOs, and HR leaders, this is a critical threat that strikes at the heart of your institution's most valuable asset: its people.


 

Part 2: Technical Deep Dive — The Academic-Themed Phishing and ATO Lifecycle

Why Higher Education is a Prime Target

Universities are a perfect target for these attacks because they often have a large, decentralized, and transient user base, a culture of open collaboration, and security teams that are under-resourced compared to their corporate counterparts.

The Kill Chain

  1. **Initial Access:** The attack begins with a highly convincing spear-phishing email targeting a professor. The lure is academic-themed: a "Call for Papers," a "Grant Application Update," or an invitation to a prestigious conference. The link leads to a perfect clone of the university's single sign-on (SSO) portal.
  2. **Account Takeover (ATO):** The attacker steals the professor's credentials and, using **Adversary-in-the-Middle (AiTM)** techniques, bypasses their weak, push-based MFA to hijack their authenticated session.
  3. **Internal Impersonation:** The attacker, now in control of the professor's trusted email account, sends a simple email to the university's central HR or Payroll department.
  4. **The Fraud:** The email requests a change to the professor's direct deposit information. The payroll department, trusting the internal email, makes the change, and the professor's next paycheck is stolen.

 

Part 3: The Defender's Playbook — A Guide for HR/Payroll, IT/Security, and All Faculty

For HR & Payroll Teams: The #1 Defense

The single most important defense is a non-negotiable process of **out-of-band verification**. Any request to change sensitive financial information received via email MUST be verified through a different channel, such as a direct phone call to the employee's known number in the HR system.

For IT & Security Teams:

  • **Mandate Phishing-Resistant MFA:** This is the ultimate technical control. As detailed in our **Ultimate Guide to MFA**, you must move all users to FIDO2/WebAuthn hardware security keys.
  • **Hunt for ATOs:** Proactively hunt for the signs of a compromised account in your Google Workspace or Microsoft 365 logs.
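One concrete form of that hunt, written here as an added example rather than anything from the original post: a small Python script that walks Microsoft 365 Unified Audit Log export lines and flags a successful sign-in from an IP outside the user's baseline that is followed shortly by an inbox-rule operation, the pattern an attacker leaves when hiding HR or payroll replies. The log lines and the baseline IP sets are constructed sample data; the field and operation names follow the Unified Audit Log export format.

```python
"""Hunt for account-takeover indicators in M365 Unified Audit Log exports.

Heuristic: successful UserLoggedIn from a non-baseline IP, then an inbox-rule
operation by the same user within WINDOW. Sample data below is constructed.
"""
import json
from datetime import datetime, timedelta

WINDOW = timedelta(hours=6)
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}

# Constructed sample events, one JSON object per line as in a UAL export.
SAMPLE_LOG = """
{"CreationTime":"2025-10-09T08:02:11","Operation":"UserLoggedIn","UserId":"prof.a@uni.example","ClientIP":"198.51.100.7","ResultStatus":"Success"}
{"CreationTime":"2025-10-09T09:14:03","Operation":"UserLoggedIn","UserId":"prof.a@uni.example","ClientIP":"203.0.113.42","ResultStatus":"Success"}
{"CreationTime":"2025-10-09T09:20:45","Operation":"New-InboxRule","UserId":"prof.a@uni.example","ClientIP":"203.0.113.42","ResultStatus":"Succeeded"}
{"CreationTime":"2025-10-09T10:00:00","Operation":"UserLoggedIn","UserId":"prof.b@uni.example","ClientIP":"198.51.100.9","ResultStatus":"Success"}
{"CreationTime":"2025-10-09T10:05:00","Operation":"New-InboxRule","UserId":"prof.b@uni.example","ClientIP":"198.51.100.9","ResultStatus":"Succeeded"}
"""

# Constructed baseline: IPs each user normally signs in from (e.g. campus ranges).
BASELINE = {"prof.a@uni.example": {"198.51.100.7"}, "prof.b@uni.example": {"198.51.100.9"}}


def parse_events(text):
    """Parse JSON-per-line export into events sorted by timestamp."""
    events = [json.loads(ln) for ln in text.strip().splitlines() if ln.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["CreationTime"])
    return sorted(events, key=lambda e: e["ts"])


def hunt_ato(events, baseline, window=WINDOW):
    """Return (user, anomalous_ip, rule_op_time) for each suspicious sequence."""
    alerts = []
    suspicious_logins = {}  # user -> [(ts, ip)] for sign-ins from non-baseline IPs
    for e in events:
        user = e["UserId"]
        if e["Operation"] == "UserLoggedIn" and e["ResultStatus"] == "Success":
            if e["ClientIP"] not in baseline.get(user, set()):
                suspicious_logins.setdefault(user, []).append((e["ts"], e["ClientIP"]))
        elif e["Operation"] in RULE_OPS:
            for ts, ip in suspicious_logins.get(user, []):
                if timedelta(0) <= e["ts"] - ts <= window:
                    alerts.append((user, ip, e["CreationTime"]))
                    break  # one alert per rule operation is enough
    return alerts


if __name__ == "__main__":
    for alert in hunt_ato(parse_events(SAMPLE_LOG), BASELINE):
        print("ATO indicator:", alert)
```

On the sample data only prof.a is flagged: prof.b's rule change follows a sign-in from a baseline IP, so it is treated as routine.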

 

Part 4: The Strategic Takeaway — The Need for Enterprise-Grade Security in Academia

 

For university leaders, this campaign is a wake-up call. Your institution is not just a place of learning; it is a massive enterprise with enterprise-level risk. The traditional, open culture of academia can no longer be an excuse for a weak security posture. A **Zero Trust** mindset must be adopted, where no user or communication is trusted by default. This is a business process problem, not just a technology problem, and it requires a partnership between the CISO, the CHRO, and the CFO to build a truly resilient **Human Firewall**.

 

Explore the CyberDudeBivash Ecosystem

 
   
Our Core Services:

  • CISO Advisory & Strategic Consulting
  • Penetration Testing & Red Teaming
  • Digital Forensics & Incident Response (DFIR)
  • Advanced Malware & Threat Analysis
  • Supply Chain & DevSecOps Audits
   
     
 
   

About the Author

   

CyberDudeBivash is a cybersecurity strategist with 15+ years advising CISOs on incident response, identity security, and risk management. [Last Updated: October 11, 2025]

 

  #CyberDudeBivash #BEC #Phishing #CyberSecurity #InfoSec #ThreatIntel #CISO #HigherEd #SocialEngineering
