Attackers Redirected Employee Paychecks Without Breaching a Single System

A seemingly simple phone call became the gateway to a sophisticated attack that diverted employee paychecks without any malware or network breach. An organization discovered this fraud when workers reported missing salary deposits. The attacker had modified direct-deposit information to funnel payments into accounts under their control.

The attacker impersonated employees and contacted multiple help desk teams across payroll, IT, and HR departments. By gathering publicly available information from social media platforms, the attacker collected enough personal details to answer verification questions. They then convinced help desk staff to reset passwords and re-enroll multi-factor authentication devices.

Palo Alto Networks analysts identified the attack’s persistence mechanism as particularly concerning. The threat actor registered an external email address as an authentication method within the organization’s Azure Active Directory environment. This step demonstrated clear intent to maintain access beyond the immediate payroll theft. The attacker systematically compromised multiple employee accounts to access sensitive payroll data.

The fraudulent activity went undetected for weeks because the legitimate credentials and valid multi-factor authentication made the transactions appear normal. Help desk operations represent one of the most overlooked security weak points in modern organizations. Password resets and MFA re-enrollment procedures, when not properly secured, become high-impact vulnerabilities.
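The persistence step described above (an external e-mail address registered as an authentication method right after a help-desk password reset) is something an audit-log review can surface. The following is an added example, not code from the article or from Palo Alto Networks: it runs over constructed, simplified Azure AD audit records (field names and the `ORG_DOMAINS` set are assumptions) and flags external addresses registered as security info, rating the finding higher when an admin password reset of the same account preceded it within a short window.

```python
from datetime import datetime, timedelta

# Assumption: the organisation's own mail domains; anything else counts as external.
ORG_DOMAINS = {"example.com"}

# Constructed sample records (not real logs). Field names are a trimmed version of
# the Azure AD audit-log schema, kept to what this check needs.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:02:00", "activity": "Reset password (by admin)",
     "initiator": "helpdesk1@example.com", "target": "jdoe@example.com", "detail": ""},
    {"time": "2024-05-01T09:04:00", "activity": "Admin registered security info",
     "initiator": "helpdesk1@example.com", "target": "jdoe@example.com",
     "detail": "Admin registered Email for self-service reset: jdoe.recovery@mailhost.test"},
    {"time": "2024-05-01T11:00:00", "activity": "User registered security info",
     "initiator": "asmith@example.com", "target": "asmith@example.com",
     "detail": "User registered Email for self-service reset: asmith@example.com"},
]

def registered_email(detail):
    """Extract the address from a 'registered Email ...: addr' detail string, else None."""
    _, sep, tail = detail.rpartition(":")
    addr = tail.strip()
    return addr if sep and "@" in addr else None

def is_external(addr):
    """True when the address's domain is not one of the organisation's own."""
    return addr.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS

def find_suspicious(events, window=timedelta(hours=1)):
    """Return one finding per external e-mail registered as an authentication method.
    Severity is 'high' when an admin password reset of the same account happened
    within `window` before the registration, otherwise 'medium'."""
    last_reset = {}   # target account -> time of its most recent admin password reset
    findings = []
    for e in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["activity"].startswith("Reset password"):
            last_reset[e["target"]] = t
            continue
        if "registered security info" not in e["activity"]:
            continue
        addr = registered_email(e["detail"])
        if addr is None or not is_external(addr):
            continue
        reset_t = last_reset.get(e["target"])
        recent = reset_t is not None and timedelta(0) <= t - reset_t <= window
        findings.append({"target": e["target"], "email": addr,
                         "severity": "high" if recent else "medium"})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS):
        print(finding)
```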

To read the complete article, see Cyber Security News.

This post is licensed under CC BY 4.0 by the author.