Payroll Pirates hit 25 universities at once.
A Microsoft-tracked threat group phished 6,000 employee accounts across 25 universities, changed Workday direct deposit details, and created inbox rules to auto-delete the evidence. Employees discovered it on payday. The suss. API stops this at three separate layers.
Storm-2657 compromised 11 accounts at 3 universities first, then scaled the template to 25 more. One phishing kit, shared HR platforms, and delayed detection. Here is where the engine breaks the chain.
The attack.
6,000 phishing emails sent
Microsoft-tracked threat group Storm-2657, known as Payroll Pirates, sent targeted phishing emails impersonating Workday and university HR portals to employees at 25 universities.
11 accounts compromised, payroll redirected
Attackers gained access to 11 employee accounts across 3 universities. They changed direct deposit details and created inbox rules to auto-delete notification emails.
Inbox rules hid the evidence
Attackers created inbox rules to auto-delete direct deposit confirmation emails, so victims would not notice the change until payday, days or weeks later.
What suss. would have seen.
We ran a reconstructed version of this attack through the production API. Here's what fired.
1. Do not click any verification links in this email.
2. Navigate to your HR portal directly via your browser bookmark or institutional portal.
3. Report this email to your IT security team immediately.
4. Check your inbox rules for auto-delete patterns targeting HR notifications.
5. Log in to your HR portal and verify your direct deposit details have not changed.
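Step 4 above, checking inbox rules for auto-delete patterns, is easy to automate once rules are exported. The following is an added example written for this page, not code from suss. or from Microsoft; the rule field names are assumptions modelled loosely on the Microsoft Graph messageRule shape, and the sample rules are constructed to mirror the campaign described here.

```python
"""Flag mailbox rules that quietly dispose of payroll or HR notifications."""
import re

# Terms covering the notifications Payroll Pirates suppressed (assumed list).
PAYROLL_TERMS = re.compile(
    r"direct deposit|payroll|workday|bank account|payment election|\bhr\b", re.I)

# Actions that keep mail out of the user's sight. Field names are assumptions
# modelled on Graph messageRule actions; a tuple keeps report order stable.
HIDING_ACTIONS = ("delete", "permanentDelete", "moveToFolder", "markAsRead")


def suspicious_rules(rules):
    """Return (rule name, reason) for every rule that both matches payroll/HR
    terms in its conditions and hides or deletes the matching mail."""
    findings = []
    for rule in rules:
        cond = rule.get("conditions", {})
        match_text = " ".join(
            cond.get("subjectContains", []) + cond.get("bodyContains", [])
            + cond.get("senderContains", []))
        if not PAYROLL_TERMS.search(match_text):
            continue  # rule is not aimed at HR/payroll mail
        actions = rule.get("actions", {})
        hidden = [a for a in HIDING_ACTIONS if actions.get(a)]
        if not hidden:
            continue  # matches payroll mail but leaves it visible
        findings.append((rule["displayName"],
                         f"matches '{match_text}' then {', '.join(hidden)}"))
    return findings


# Constructed sample: two benign rules and two mimicking the campaign.
SAMPLE_RULES = [
    {"displayName": "Newsletter",
     "conditions": {"senderContains": ["news@example.edu"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".",  # attackers often give such rules a blank-looking name
     "conditions": {"subjectContains": ["direct deposit", "payment election"]},
     "actions": {"delete": True, "markAsRead": True}},
    {"displayName": "Archive",
     "conditions": {"senderContains": ["workday"]},
     "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True}},
    {"displayName": "Flag HR",
     "conditions": {"subjectContains": ["HR"]},
     "actions": {"markImportance": "high"}},
]

if __name__ == "__main__":
    for name, reason in suspicious_rules(SAMPLE_RULES):
        print(f"SUSPICIOUS rule {name!r}: {reason}")
```

The "Flag HR" rule is deliberately left unflagged: it touches HR mail but makes it more visible, not less, which is the distinction that matters here.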
The cost.
Why this campaign scaled so fast.
Shared HR platforms
Most universities use the same small set of HR platforms. One phishing template works across dozens of institutions.
Large employee base
Thousands of faculty, staff, and student workers all have payroll accounts. A massive attack surface for credential phishing.
Decentralized IT awareness
Faculty and researchers prioritize their work, not email security. Phishing training varies wildly across departments.
Delayed detection
Inbox rule manipulation hides the evidence. Victims do not notice until payday, giving attackers days or weeks of undetected access.
Two timelines. Two outcomes.
1. Phishing email lands in employee inbox.
2. Employee clicks the verification link.
3. Fake login page captures credentials.
4. Attacker changes direct deposit details.
5. Inbox rule hides the confirmation email.
6. Discovered at payday. Paycheck already stolen.

1. Email scanner flags phishing in Gmail and Outlook.
2. Warning badge appears before the employee clicks.
3. If clicked, page analyzer detects the fake HR domain.
4. Form guard blocks credential submission.
5. Employee reports to IT. Entire campaign blocked.
6. Zero compromised accounts. Zero stolen paychecks.
Don't be the next case study.
Book a 15-minute pilot conversation. We'll show you the threats targeting your institution right now and walk through deployment.
Free 30-day pilot for qualified institutions. No IT integration required.