Case Study — Multi-University Campaign

Payroll Pirates hit 25 universities at once.

A Microsoft-tracked threat group sent 6,000 phishing emails to employees across 25 universities, changed Workday direct deposit details in the accounts it compromised, and created inbox rules to auto-delete the evidence. Employees discovered it on payday. The suss. API stops this at three separate layers.

Storm-2657 compromised 11 accounts at 3 universities first, then scaled the template to 25 more. One phishing kit, shared HR platforms, and delayed detection. Here is where the engine breaks the chain.

What happened
  1. 6,000 phishing emails sent
     Microsoft-tracked threat group Storm-2657, known as Payroll Pirates, sent targeted phishing emails impersonating Workday and university HR portals to employees at 25 universities.
  2. 11 accounts compromised, payroll redirected
     Attackers gained access to 11 employee accounts across 3 universities. They changed direct deposit details and created inbox rules to auto-delete notification emails.
  3. Inbox rules hid the evidence
     Attackers created inbox rules to auto-delete direct deposit confirmation emails, so victims would not notice the change until payday, days or weeks later.
What it cost
  • 25 universities targeted
  • 6,000 phishing emails sent
  • $4.4M median ransomware recovery cost in education
What suss. would have surfaced

A signed record, before the wire.

suss. interaction record (Flagged): Payroll Redirect Phishing Detected

This is the kind of message your people see, before they act on it. Plain guidance, not a number.

  • Do not click any verification links in this email.
  • Navigate to your HR portal directly via your browser bookmark or institutional portal.
  • Report this email to your IT security team immediately.
  • Check your inbox rules for auto-delete patterns targeting HR notifications.
  • Log in to your HR portal and verify your direct deposit details have not changed.
Signed 9c2f…e7a1 · queryable record
Why this keeps happening

Why this campaign scaled so fast.

Shared HR platforms
Most universities use the same small set of HR platforms. One phishing template works across dozens of institutions.
Large employee base
Thousands of faculty, staff, and student workers all have payroll accounts. A massive attack surface for credential phishing.
Decentralized IT awareness
Faculty and researchers prioritize their work, not email security. Phishing training varies wildly across departments.
Delayed detection
Inbox rule manipulation hides the evidence. Victims do not notice until payday, giving attackers days or weeks of undetected access.
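The inbox-rule trick described above (and the "check your inbox rules" guidance earlier on this page) can be audited from the mailbox side. The following is an added example, not part of this page or of the suss. product: it walks a list of inbox rules whose dict shape is modeled on the Microsoft Graph messageRule resource (an assumption; adapt the keys to whatever your mail platform exports), with constructed sample rules, and flags any rule that both matches HR or payroll terms and deletes, moves or marks as read the matching message. It generalizes slightly from the page's auto-delete case to any action that keeps a notification out of sight.

```python
"""Audit mailbox inbox rules for ones that hide HR/payroll notifications.

Rule dicts are modeled on the Microsoft Graph `messageRule` shape
(displayName / conditions / actions) as an assumption; SAMPLE_RULES is constructed.
"""
from __future__ import annotations

# Terms that appear in direct-deposit and payroll notifications (assumed list; extend per HR platform).
HR_TERMS = ("direct deposit", "payroll", "workday", "bank account", "pay statement")

# Rule actions that keep a matching message from being noticed in the inbox.
SUPPRESS_ACTIONS = ("delete", "permanentDelete", "moveToFolder", "markAsRead")


def _condition_text(conditions: dict) -> str:
    """Flatten every string-list condition of a rule into one lowercase blob."""
    parts: list[str] = []
    for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains", "senderContains"):
        parts.extend(conditions.get(key, []))
    for addr in conditions.get("fromAddresses", []):
        parts.append(addr.get("emailAddress", {}).get("address", ""))
    return " ".join(parts).lower()


def audit_inbox_rules(rules: list[dict]) -> list[dict]:
    """Return one finding per rule that matches HR terms AND suppresses the message."""
    findings = []
    for rule in rules:
        text = _condition_text(rule.get("conditions") or {})
        hits = [t for t in HR_TERMS if t in text]
        actions = rule.get("actions") or {}
        suppress = [a for a in SUPPRESS_ACTIONS if actions.get(a)]
        if hits and suppress:
            findings.append({"rule": rule.get("displayName", "<unnamed>"), "matches": hits,
                             "actions": suppress, "enabled": rule.get("isEnabled", True)})
    return findings


# Constructed sample: one benign rule, two that hide payroll-change notifications.
SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"subjectContains": ["newsletter"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": "Clean up", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["Direct Deposit", "payroll"]},
     "actions": {"delete": True, "markAsRead": True}},
    {"displayName": "HR", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "noreply@workday-notify.example"}}]},
     "actions": {"moveToFolder": "Archive"}},
]

if __name__ == "__main__":
    for f in audit_inbox_rules(SAMPLE_RULES):
        print(f"FLAG rule {f['rule']!r}: matches {f['matches']} with actions {f['actions']}")
```

Run it against the real rule export of any account that received the phishing email; a hit on a rule the user did not create is the signal to check direct deposit details before the next pay run.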
The divergence
Without suss.
  1. Phishing email lands in employee inbox.
  2. Employee clicks the verification link.
  3. Fake login page captures credentials.
  4. Attacker changes direct deposit details.
  5. Inbox rule hides the confirmation email.
  6. Discovered at payday. Paycheck already stolen.
With suss.
  1. Email scanner flags phishing in Gmail and Outlook.
  2. Warning badge appears before the employee clicks.
  3. If clicked, suss. flags the fake HR domain.
  4. Form guard blocks credential submission.
  5. Employee reports to IT. Entire campaign blocked.
  6. Zero compromised accounts. Zero stolen paychecks.

Want this catching the next one before it ships?

This is a documented incident with a public source. The next one is in someone's inbox right now. suss. is what catches it.