Case Study

“Payroll Pirates” hit
25 universities at once.

A Microsoft-tracked threat group sent phishing emails to roughly 6,000 accounts to redirect Workday payroll. suss. would have caught it at three separate layers.

Storm-2657 compromised 11 accounts at 3 universities, then scaled to 25 institutions. Here's how suss. stops every phase of the attack.

What happened

11 accounts compromised, payroll redirected
Microsoft-tracked threat group Storm-2657 (“Payroll Pirates”) phished employees at 3 universities with emails impersonating Workday and university HR portals, gaining access to 11 employee accounts. Inside those accounts they changed the Workday direct deposit details so future pay went to attacker-controlled bank accounts.
Inbox rules hid the evidence
In each compromised mailbox the attackers created inbox rules that auto-deleted Workday direct deposit confirmation emails, so victims would not notice the change until payday, days or weeks later.
6,000 phishing emails sent from inside
The compromised accounts were then used to send phishing emails to roughly 6,000 accounts at 25 universities, so the same lure now arrived from trusted internal senders.

Source: Microsoft Security Blog

How suss. would have caught it

We ran a reconstructed version of the phishing email through our API. Here's what fired — and three layers of defense that would have stopped it.

69%
High Risk
Payroll Redirect Phishing Detected

Three layers of defense

1
Email Scanner

Detects the phishing email itself — urgency language, fake verification links, sender domain impersonation.

2
Page Analyzer

If someone clicks the link, the page analyzer detects the fake Workday login page — domain reputation, form structure, credential harvesting patterns.

3
Form Guard

Even if the page looks convincing, form guard blocks credential submission to domains that are not registered as legitimate login endpoints for the institution. It is the last line of defense because it does not need to recognise the lure at all, only to notice that a password is about to be sent to an unknown domain.
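The page analyzer and form guard above come down to a few domain and form checks. As an added example (not suss.'s own code), here is a minimal form guard for a browser content script: it allows password submissions only when both the page host and the form's real target are registered login hosts, and otherwise blocks when the page trades on a protected brand. The registered-domain list, the brand list and the host sso.example.edu are assumptions for illustration.

```javascript
// Added example, not suss.'s own code: a minimal "form guard" for a content script.
// It decides whether a credential submission should be blocked by looking at
// (a) whether the form collects a password, (b) where the page and the form's
// action actually point, and (c) whether the page trades on a protected brand.
// The registered-domain and brand lists are constructed for illustration.

const REGISTERED_LOGIN_DOMAINS = [
  "myworkday.com",       // Workday tenant logins live under *.myworkday.com
  "sso.example.edu",     // hypothetical institutional single sign-on host
];
const PROTECTED_BRANDS = ["workday", "example university"];

// True if host is exactly a registered domain or a subdomain of one.
// A plain substring test would accept "myworkday.com.evil.net"; this does not.
function isRegisteredHost(host) {
  const h = host.toLowerCase();
  return REGISTERED_LOGIN_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

function mentionsProtectedBrand(text) {
  const t = text.toLowerCase();
  return PROTECTED_BRANDS.find((b) => t.includes(b)) || null;
}

// Resolve the host the credentials will actually be POSTed to. A relative action
// stays on the page host; an absolute one may point at a third-party collector.
function submissionHost(pageHost, formAction) {
  try {
    return new URL(formAction || "", `https://${pageHost}/`).hostname.toLowerCase();
  } catch {
    return pageHost.toLowerCase();
  }
}

function evaluateSubmission({ pageHost, formAction = "", fieldTypes = [], pageTitle = "" }) {
  if (!fieldTypes.map((t) => t.toLowerCase()).includes("password")) {
    return { block: false, reason: "form does not collect a password" };
  }
  const target = submissionHost(pageHost, formAction);
  const hosts = [...new Set([pageHost.toLowerCase(), target])];
  const unregistered = hosts.filter((h) => !isRegisteredHost(h));
  if (unregistered.length === 0) {
    return { block: false, reason: "page and form target are registered login hosts" };
  }
  // Unregistered host: only block when the page is trading on a protected brand,
  // otherwise every third-party site with its own login form would be blocked.
  const brand = mentionsProtectedBrand(`${hosts.join(" ")} ${pageTitle}`);
  if (!brand) {
    return { block: false, reason: "unregistered host but no protected brand referenced" };
  }
  return {
    block: true,
    host: unregistered[0],
    reason: `credentials for "${brand}" would be sent to unregistered host ${unregistered[0]}`,
  };
}

// Browser wiring (skipped under Node): a capture-phase listener, so the page's
// own submit handlers never see the event when the guard blocks it.
if (typeof document !== "undefined") {
  document.addEventListener("submit", (ev) => {
    const form = ev.target;
    const verdict = evaluateSubmission({
      pageHost: location.hostname,
      formAction: form.getAttribute("action") || "",
      fieldTypes: Array.from(form.elements, (el) => el.type || ""),
      pageTitle: document.title,
    });
    if (verdict.block) {
      ev.preventDefault();
      ev.stopImmediatePropagation();
      console.warn("form guard blocked submission:", verdict.reason);
    }
  }, true);
}
```

Checking the form's resolved action host, not just the page URL, is what catches an injected form on a legitimate page that posts credentials to a third-party collector, and the exact-or-subdomain match is what stops lookalikes such as myworkday.com.evil-host.net from passing as registered.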

4 threat indicators fired

  • 85% financial_aid_phishing: Financial aid / payroll phishing attempt
  • 80% account_verification_urgent: Urgent account verification request
  • 75% payroll_redirect_fraud: Payroll direct deposit redirect attempt
  • 70% credential_harvesting: Credential harvesting via fake login page
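The indicators above are labels; the interesting part is how a scanner derives them from a message. The following is an added example, not the suss. scanner, that computes the same four indicator ids from one email using simple regex signals (urgency, verification demands, payroll theme, direct deposit change requests, login-style links to unregistered hosts, and a display name claiming a brand the sending domain does not own) and fuses them into a risk score. The pattern lists, the weights, the registered-domain list (including a hypothetical example.edu) and both sample emails are constructed.

```javascript
// Added example, not suss.'s own code: a heuristic email scanner that derives the
// four indicator ids shown above from one message. Patterns, weights, the
// registered-domain list and both sample emails are constructed for illustration;
// a production scanner would use far richer signals than these regexes.

const REGISTERED_DOMAINS = ["workday.com", "myworkday.com", "example.edu"]; // example.edu: hypothetical institution
const PROTECTED_BRAND = /workday|payroll|\bhr\b/i;

const URGENCY  = [/\burgent(ly)?\b/i, /within\s+\d+\s+hours?/i, /\bimmediately\b/i, /action required/i, /\b(suspended|locked|terminated)\b/i];
const PAYROLL  = [/\bpayroll\b/i, /direct deposit/i, /financial aid/i, /\bpaycheck\b/i];
const VERIFY   = [/verify (your )?(account|identity|details)/i, /confirm (your )?(account|details)/i, /re-?validat/i];
const REDIRECT = [/(update|change|confirm|verify|re-?validat\w*)\b.{0,40}\b(direct deposit|bank(ing)? (details|information|account))/i];
const LOGIN_PATH = /login|signin|sign-in|verify|auth/i;

const hostIsRegistered = (h) => REGISTERED_DOMAINS.some((d) => h === d || h.endsWith("." + d));
const countHits = (patterns, text) => patterns.filter((p) => p.test(text)).length;

// Split 'Display Name <user@domain>' into the claimed name and the real domain.
function senderParts(from) {
  const name = (from.match(/^\s*"?([^"<]*?)"?\s*</) || ["", ""])[1].trim();
  const domain = (from.match(/@([A-Za-z0-9.-]+)/) || ["", ""])[1].toLowerCase();
  return { name, domain };
}

// Hosts and paths of every http(s) link in the body, trailing punctuation dropped.
function linkHosts(body) {
  const urls = body.match(/https?:\/\/[^\s<>"')]+/g) || [];
  return urls.map((u) => {
    try {
      const x = new URL(u.replace(/[.,;:!?]+$/, ""));
      return { host: x.hostname.toLowerCase(), path: x.pathname + x.search };
    } catch { return null; }
  }).filter(Boolean);
}

function scanEmail({ from, subject, body }) {
  const text = `${subject}\n${body}`;
  const { name, domain } = senderParts(from);
  const externalLinks = linkHosts(body).filter((l) => !hostIsRegistered(l.host));
  // Display name claims a brand that the sending domain does not own.
  const senderImpersonation = PROTECTED_BRAND.test(name) && !hostIsRegistered(domain);

  const hits = { urgency: countHits(URGENCY, text), payroll: countHits(PAYROLL, text),
                 verify: countHits(VERIFY, text), redirect: countHits(REDIRECT, text) };
  const indicators = [];
  if (hits.payroll && (senderImpersonation || externalLinks.length))
    indicators.push({ id: "financial_aid_phishing", weight: 0.30, detail: "payroll theme with impersonated sender or external link" });
  if (hits.urgency && hits.verify)
    indicators.push({ id: "account_verification_urgent", weight: 0.25, detail: `urgency x${hits.urgency}, verification x${hits.verify}` });
  if (hits.redirect)
    indicators.push({ id: "payroll_redirect_fraud", weight: 0.25, detail: "asks to change or confirm direct deposit / bank details" });
  const harvest = externalLinks.find((l) => LOGIN_PATH.test(l.path) || PROTECTED_BRAND.test(l.host));
  if (harvest)
    indicators.push({ id: "credential_harvesting", weight: 0.30, detail: `login-style link to unregistered host ${harvest.host}` });

  // Noisy-OR fusion: treat the indicators as independent evidence, risk = 1 - prod(1 - w).
  const risk = Math.round((1 - indicators.reduce((p, i) => p * (1 - i.weight), 1)) * 100) / 100;
  const level = risk >= 0.6 ? "High Risk" : risk >= 0.3 ? "Medium Risk" : "Low Risk";
  return { risk, level, senderImpersonation, indicators };
}

// Constructed sample lure in the style of the campaign described above.
const SAMPLE_PHISH = {
  from: '"Workday Payroll" <noreply@workday-hr-services.com>',
  subject: "Action required: verify your direct deposit account within 24 hours",
  body: [
    "Dear Employee,",
    "Our records show your payroll profile must be re-validated before the next pay cycle.",
    "Please verify your account immediately to avoid a suspended direct deposit:",
    "https://workday-verify-hr.com/login?tenant=university",
    "Workday Support Team",
  ].join("\n"),
};

// Constructed benign HR notice for comparison: registered sender, registered link, no pressure.
const SAMPLE_BENIGN = {
  from: '"Example University HR" <hr@example.edu>',
  subject: "Reminder: W-2 forms available",
  body: "Your W-2 is available in Workday at https://wd5.myworkday.com/example/d/home.htmld. No action is required.",
};
```

The sample lure trips all four indicators and scores 0.72 (High Risk); the benign notice trips none. Note that the benign sender's display name contains "HR", which is why the impersonation check also requires the sending domain to be unregistered: a brand word alone is not evidence.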

Recommended actions

  1. Do not click any verification links in this email.
  2. Navigate to Workday directly via your browser bookmark or institutional portal.
  3. Report this email to your IT security team immediately.
  4. Check your inbox rules for anything that deletes, or moves out of sight, messages mentioning Workday, payroll, or direct deposit. If you find such a rule you did not create, treat the account as compromised and involve IT before changing anything else.
  5. Log in to Workday and verify that your direct deposit details have not changed.
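Step 4 is easy to do badly by hand, since an attacker's rule is typically named "." and buried among legitimate ones. As an added example, not part of suss. or of Microsoft's guidance, here is a script that audits an exported rule list for rules that delete or file away Workday and payroll notifications. The rule objects follow the shape of Microsoft Graph messageRule resources; the sample rules, the sender and keyword lists, and the human-readable folder names (Graph itself returns folder ids) are constructed.

```javascript
// Added example, not suss.'s own code: audit a mailbox's inbox rules for the
// pattern the Payroll Pirates relied on, rules that delete or file away Workday
// and payroll notifications so the victim never sees the direct deposit change.
// Rule objects follow the shape of Microsoft Graph "messageRule" resources
// (displayName, isEnabled, conditions, actions). The sample rules, the sender
// and keyword lists, and the folder names (Graph returns folder ids; resolved
// to names here for readability) are constructed for illustration.

const NOTIFICATION_SENDERS = ["myworkday.com", "workday.com", "payroll@example.edu"];
const NOTIFICATION_TERMS = ["workday", "direct deposit", "payroll", "payment election", "bank account", "payslip", "pay slip"];

// Every string the rule uses to select messages, lower-cased.
function conditionTerms(rule) {
  const c = rule.conditions || {};
  const addresses = (c.fromAddresses || []).map((r) => (r.emailAddress && r.emailAddress.address) || "");
  return [...(c.senderContains || []), ...(c.subjectContains || []), ...(c.bodyContains || []),
          ...(c.bodyOrSubjectContains || []), ...addresses].map((s) => String(s).toLowerCase());
}

function targetsPayrollMail(rule) {
  return conditionTerms(rule).some((t) =>
    NOTIFICATION_SENDERS.some((s) => t.includes(s)) || NOTIFICATION_TERMS.some((k) => t.includes(k)));
}

// How the rule hides the message, or null if it does not.
function hidingAction(rule) {
  const a = rule.actions || {};
  if (a.delete || a.permanentDelete) return { severity: "high", how: "deletes the message" };
  if (a.moveToFolder) {
    return { severity: "medium", how: `moves it to "${a.moveToFolder}"${a.markAsRead ? " and marks it read" : ""}` };
  }
  return null;
}

// Attackers often give their rules near-empty names ("." or ",,") so they are easy
// to overlook in a long list; surface that as a note on the finding.
const suspiciousName = (name) => !name || name.trim().length <= 2;

function auditInboxRules(rules) {
  const findings = [];
  for (const rule of rules) {
    if (rule.isEnabled === false) continue;   // a disabled rule hides nothing today
    if (!targetsPayrollMail(rule)) continue;
    const hide = hidingAction(rule);
    if (!hide) continue;
    findings.push({
      name: rule.displayName,
      severity: hide.severity,
      reason: `rule targeting payroll notifications ${hide.how}` +
              (suspiciousName(rule.displayName) ? " (rule has a near-empty name)" : ""),
    });
  }
  return findings;
}

// Constructed sample: what a rule export might look like after a compromise.
const SAMPLE_RULES = [
  { displayName: ".", sequence: 1, isEnabled: true,
    conditions: { senderContains: ["myworkday.com"] },
    actions: { delete: true, stopProcessingRules: true } },
  { displayName: "Payroll", sequence: 2, isEnabled: true,
    conditions: { subjectContains: ["Direct Deposit", "Payment Election"] },
    actions: { moveToFolder: "RSS Feeds", markAsRead: true } },
  { displayName: "Newsletters", sequence: 3, isEnabled: true,
    conditions: { senderContains: ["news@vendor.example"] },
    actions: { moveToFolder: "Newsletters" } },
  { displayName: "Old HR filter", sequence: 4, isEnabled: false,
    conditions: { subjectContains: ["workday"] },
    actions: { delete: true } },
];
```

Run it over the JSON returned by GET /me/mailFolders/inbox/messageRules (or an admin-side export of the same objects). A high finding means the mailbox itself is compromised, not that the user is tidy: reset the credentials and review the account's MFA registrations before removing the rule, or the attacker will simply recreate it.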

The cost of no protection

25
Universities targeted
6,000
Phishing emails sent
$4.4M
Median ransomware recovery cost (education)

Why universities are prime targets

Shared HR platforms
Many universities run one of a few shared HR platforms, such as Workday, Banner, or PeopleSoft, so one phishing template works across dozens of institutions.
Large employee base
Thousands of faculty, staff, and student workers all have payroll accounts — a massive attack surface for credential phishing.
Decentralized IT awareness
Faculty and researchers prioritize their work, not email security. Phishing training varies wildly across departments.
Delayed detection
Inbox rule manipulation hides evidence. Victims don't notice until payday — giving attackers days or weeks of undetected access.

Multi-layer phishing defense

Email Phishing Detection

Identifies phishing emails targeting payroll, HR, and financial aid systems. Detects urgency language, fake verification links, and sender impersonation.

Credential Harvesting

Recognizes fake login pages for Workday, Banner, and other university platforms. Blocks credential submission on unregistered domains.

Payroll & Direct Deposit Fraud

Flags suspicious payroll redirect requests, direct deposit changes initiated through phishing, and unauthorized inbox rule creation.

Account Takeover Prevention

Detects compromised account behavior patterns including bulk phishing from internal addresses and suspicious rule manipulation.

With suss. vs. without

Without suss.

  • Phishing email lands in employee inbox
  • Employee clicks 'Verify Workday Account' link
  • Fake login page captures credentials
  • Attacker changes direct deposit details
  • Inbox rule hides Workday confirmation email
  • Discovered at payday — paycheck already stolen

With suss.

  • Email scanner flags phishing in Gmail/Outlook
  • Warning badge appears before employee clicks
  • If clicked, page analyzer detects fake Workday domain
  • Form guard blocks credential submission
  • Employee reports to IT, which can block the sender and lookalike domain campus-wide
  • Zero compromised accounts, zero stolen paychecks

How the pilot works

1
Deploy via Chrome Enterprise
Push the suss. extension to all campus Chrome browsers via managed policy. No individual installs needed — IT controls the rollout.
2
Ambient protection activates
The extension silently scans every email, page, and form opened in Chrome. No training required; it works in the background on day one. Mail read in a desktop client or another browser is outside its view.
3
Threats intercepted in real-time
Phishing emails get warning badges. Fake login pages get blocked. Credential harvesting forms are intercepted before submission.
4
Campus dashboard shows everything
IT security gets a dedicated dashboard showing threat volume, attack types, and which departments are being targeted most.

Start a free 30-day pilot

Deploy via Chrome Enterprise in minutes. Three layers of defense against payroll phishing — email, page, and form — with zero training required.

If Storm-2657 targeted 25 universities, yours could be next.

Free for qualified universities and government institutions

524
Scam signals
3
Defense layers
94.5%
Precision
93.2%
Recall