No employee wants their paycheck to go missing. One organization learned about an incident when it started hearing exactly this complaint. It turned out that an attacker had modified direct-deposit details to redirect the organization’s paychecks into attacker-controlled accounts.
What happened to this organization started with nothing more than a phone call.
In fact, findings in our 2025 Unit 42 Global Incident Response Report: Social Engineering Edition suggest that 36% of all incidents Unit 42 engaged with began with a social engineering tactic. This includes phishing, vishing, search engine optimization (SEO) poisoning, fake system prompts and help desk manipulation.
Despite the technical protection tools available, attackers find that old-fashioned deception still works. Instead of breaching networks, dropping malware or exploiting cloud misconfigurations, some threat actors are bypassing technical controls altogether and going straight for the humans who run them.
The Attack: Social Engineering in Action
The threat actor's initial access was not gained through a technical breach but rather through a social engineering campaign. The attacker impersonated employees to manipulate multiple help desks, including those for payroll, IT and HR shared services. By circumventing each help desk's challenge/response authentication, they tricked the help desk personnel into performing password resets and re-enrolling multi-factor authentication (MFA) devices.
Social platforms provide easy access to publicly available information needed for threat actors to bypass help desk authentication. In many cases, attackers even call back multiple times to probe for the types of verification questions being asked, thereby allowing them to gather the necessary data for a successful subsequent attempt. As social platforms continue to expand the amount of personal and professional data available, this reconnaissance has become easier than ever.
In addition, the threat actor tried to establish persistence by registering an external email address as an authentication method for a service account within the client's Azure AD environment. This demonstrates a clear intent for long-term access beyond the immediate payroll diversion.
Once authenticated into the payroll system, the attacker moved quickly. In total, they compromised multiple employee accounts, each one granting access to sensitive payroll information. The attacker then proceeded to modify direct-deposit details for multiple individuals, redirecting their paychecks into bank accounts under the attacker’s control. Because the credentials were valid and MFA appeared legitimate, the activity blended in with normal operations. The incident was discovered only when employees reported missing paychecks. That triggered an internal investigation, which traced suspicious account changes dating back weeks. The organization engaged legal counsel, who referred them to Unit 42 to conduct a full-scope investigation.
How Unit 42 Helped
Once Unit 42 was engaged, we conducted a thorough investigation. Our team performed extensive threat hunting by deploying Cortex XSIAM and correlating telemetry from various sources, including the payroll system, HR system and the client's Next-Generation Firewall (NGFW) logs. This in-depth analysis allowed Unit 42 to confirm the incident and limit its impact. Our investigation confirmed that the incident was limited to the payroll diversion and account compromises, with no evidence of broader lateral movement or data exfiltration from the internal network.
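The correlation described above, across help desk, identity and payroll telemetry, is what turns individually legitimate-looking events into a detectable pattern. The following Python script is an added example, not code from the original post or from Unit 42, and it does not reproduce the real incident's data. It runs two hunts over constructed sample events: a direct-deposit change that follows a help-desk credential reset or MFA re-enrollment for the same user within a short window, and a new e-mail authentication method whose domain is outside the organization. The event field names, user names, domains and the 14-day window are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not logs from the real incident), normalized to
# the kind of fields a SIEM ingest pipeline exposes. Timestamps are UTC, ISO 8601.
HELPDESK_EVENTS = [
    {"ts": "2025-03-03T14:02:00", "ticket": "HD-1001", "user": "jdoe",
     "action": "password_reset", "channel": "phone"},
    {"ts": "2025-03-03T14:11:00", "ticket": "HD-1001", "user": "jdoe",
     "action": "mfa_reenroll", "channel": "phone"},
    {"ts": "2025-03-04T09:30:00", "ticket": "HD-1007", "user": "asmith",
     "action": "password_reset", "channel": "phone"},
    # In-person reset weeks before any payroll change: should not be flagged.
    {"ts": "2025-02-10T11:00:00", "ticket": "HD-0950", "user": "bwong",
     "action": "password_reset", "channel": "in_person"},
]

IDENTITY_EVENTS = [
    # External mailbox added to a service account: the persistence pattern.
    {"ts": "2025-03-03T14:20:00", "user": "svc-payroll-sync",
     "action": "auth_method_added", "method": "email",
     "value": "recovery.contact@mailbox.example"},
    # Corporate address added to a user account: expected, not flagged.
    {"ts": "2025-03-05T08:00:00", "user": "asmith",
     "action": "auth_method_added", "method": "email",
     "value": "asmith@corp.example"},
]

PAYROLL_EVENTS = [
    {"ts": "2025-03-03T15:40:00", "user": "jdoe",
     "action": "direct_deposit_changed", "field": "routing_number"},
    {"ts": "2025-03-06T10:05:00", "user": "asmith",
     "action": "direct_deposit_changed", "field": "account_number"},
    {"ts": "2025-03-20T10:05:00", "user": "bwong",
     "action": "direct_deposit_changed", "field": "account_number"},
]

# Help-desk actions that hand an impersonator working credentials.
CREDENTIAL_RESET_ACTIONS = {"password_reset", "mfa_reenroll"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def reset_followed_by_deposit_change(helpdesk, payroll, window=timedelta(days=14)):
    """Flag direct-deposit changes preceded, within `window`, by a help-desk
    credential reset for the same user. The most recent qualifying reset is
    attached so an analyst lands on the ticket to review first."""
    resets_by_user = {}
    for ev in helpdesk:
        if ev["action"] in CREDENTIAL_RESET_ACTIONS:
            resets_by_user.setdefault(ev["user"], []).append(ev)

    alerts = []
    for change in payroll:
        if change["action"] != "direct_deposit_changed":
            continue
        candidates = [
            r for r in resets_by_user.get(change["user"], [])
            if timedelta(0) <= _ts(change) - _ts(r) <= window
        ]
        if not candidates:
            continue
        reset = max(candidates, key=_ts)
        lag = _ts(change) - _ts(reset)
        alerts.append({
            "user": change["user"],
            "ticket": reset["ticket"],
            "reset_action": reset["action"],
            "reset_channel": reset["channel"],
            "lag_hours": round(lag.total_seconds() / 3600, 1),
        })
    return alerts


def external_auth_method_registered(identity, corp_domains=("corp.example",)):
    """Flag newly registered e-mail authentication methods whose domain is not
    one of the organization's own (the persistence attempt described above)."""
    alerts = []
    for ev in identity:
        if ev["action"] != "auth_method_added" or ev["method"] != "email":
            continue
        domain = ev["value"].rsplit("@", 1)[-1].lower()
        if domain not in corp_domains:
            alerts.append({"user": ev["user"], "email_domain": domain, "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in reset_followed_by_deposit_change(HELPDESK_EVENTS, PAYROLL_EVENTS):
        print("deposit change after help-desk reset:", a)
    for a in external_auth_method_registered(IDENTITY_EVENTS):
        print("external auth method registered:", a)
```

In a SIEM this logic would live as a correlation rule rather than a script; the window, the set of reset actions and the `channel` field are the tuning knobs. The `bwong` case shows the intended negative: an in-person reset five weeks before the payroll change falls outside the window and produces no alert, which keeps the rule from paging on routine activity.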
But, unrelated to the payroll incident, our threat hunting effort identified evidence of an ongoing compromise related to the WannaCry ransomware in the client’s legacy OT environment. (Yes, you read that right! Given when WannaCry first appeared, it had been lurking in their environment for years!)
The Outcome: How We Closed Critical Security Gaps
Unit 42 worked with the customer to quickly contain the account compromises, reverse fraudulent payroll changes and regain control over impacted cloud identities.
At the same time, the team began advising on hardening measures across both IT and OT environments, including:
- Enhancing help desk verification procedures
- Strengthening MFA enforcement and recovery workflows
- Improving logging, including forwarding application logs into Cortex XSIAM
- Addressing the WannaCry foothold within OT systems
Despite the initial compromise, the impact was contained to just three employee accounts. This is largely because the organization acted quickly. Additionally, the attacker’s objective was financial gain rather than deeper network access. We were able to accelerate incident resolution and strengthen their security posture with stronger help desk protocols and identity governance.
What This Investigation Revealed
This incident highlights how modern attackers are increasingly bypassing traditional technical controls and focusing on operational processes, especially help desks. Human-driven workflows like password resets and MFA enrollment can become high-impact vulnerabilities if not tightly governed. It also illustrates how narrowly scoped fraud investigations can reveal deeper systemic issues, such as the discovery of a long-standing WannaCry presence in OT systems.
As attackers continue to refine their social engineering tactics, organizations must treat help desk and similar interactions with the same rigor as technical authentication flows. The case underscores the importance of:
- Unified visibility across the environment
- Security team skillset
- Strong verification procedures for all identity-related requests
Interested in learning more about the latest attack trends? If so, take a look at our 2025 Unit 42 Global Incident Response Report: Social Engineering Edition, which distills the most critical findings based on our direct experience responding to real-world cyberattacks at over 500 organizations across 38 countries.
Additional Resources
- Nine stories of Unit 42 in action
- The state of cybersecurity incident response
- 42 tips on your road to cyber resilience
About Unit 42
Unit 42 strengthens your team with the tools and expertise needed to stay ahead of threats and protect your business. With our proven strategies and insights from thousands of engagements, we’ll help your team handle the toughest situations with confidence.