The incident reveals a critical shift in threat actor tactics: 36% of all incidents analyzed by Unit 42 in 2025 began with social engineering, according to their Global Incident Response Report: Social Engineering Edition.
The attacker initiated contact via a simple phone call, impersonating employees to manipulate multiple help desk teams across payroll, IT, and HR.
Using publicly available information harvested from social media platforms, the threat actor bypassed challenge-response authentication mechanisms and convinced help desk personnel to execute password resets and re-enroll multi-factor authentication (MFA) devices.
The attacker’s reconnaissance proved methodical. They called multiple times to probe verification question types, gradually accumulating the necessary data for successful authentication bypass.
This reconnaissance phase exploited the growing volume of personal and professional information readily available on social platforms.
Once authenticated, the threat actor established persistence by registering an external email address as an authentication method within Azure AD.
They then compromised multiple employee accounts and systematically modified direct-deposit details, redirecting paychecks to attacker-controlled accounts.
Because the credentials appeared legitimate and MFA was correctly validated, the fraudulent activity blended seamlessly with normal operations.
The incident remained undetected for weeks until affected employees reported missing paychecks, triggering an internal investigation that eventually engaged Unit 42 for forensic analysis.
Unit 42 deployed Cortex XSIAM to correlate telemetry across payroll systems, HR infrastructure, and Next-Generation Firewall logs.
The investigation confirmed the incident remained limited to payroll diversion and three compromised accounts, with no evidence of lateral movement or broader data exfiltration.
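The two signals the investigation had to correlate, an identity reset or MFA re-enrollment on the Azure AD side followed days later by a direct-deposit change in the payroll system, can be expressed as a simple detection rule. The following Python is an added example and is not Unit 42, Cortex XSIAM or Palo Alto Networks code; the event field names, the organization domain `example.com`, the seven-day window and every sample event are assumptions constructed for the illustration, chosen to resemble Azure AD audit records and a generic HR application log.

```python
"""Correlate help-desk identity changes with payroll direct-deposit edits.

Added example, not Unit 42 or Cortex XSIAM code. Event schemas and field
names are assumptions chosen to resemble Azure AD audit records and a
generic HR system; all sample events below are constructed.
"""
from datetime import datetime, timedelta

# Domains the organization owns; anything else counts as external (assumption).
INTERNAL_DOMAINS = {"example.com"}

# Identity actions that reset a credential or enrol a new MFA method
# (names modelled on Azure AD audit activity names; treat as assumptions).
CREDENTIAL_RESET_ACTIONS = {
    "Reset user password",
    "User registered security info",
    "Admin registered security info",
}
SECURITY_INFO_ACTIONS = {"User registered security info", "Admin registered security info"}

# How long after a reset a payroll change is still treated as linked (assumption).
WINDOW = timedelta(days=7)


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed identity audit events (Azure AD style; not real log data).
IDENTITY_EVENTS = [
    {"time": "2025-03-03T09:12:00", "user": "alice@example.com",
     "action": "Reset user password", "initiated_by": "helpdesk1@example.com",
     "detail": ""},
    {"time": "2025-03-03T09:15:00", "user": "alice@example.com",
     "action": "User registered security info", "initiated_by": "alice@example.com",
     "detail": "Email: recovery@external-mail.example"},
    {"time": "2025-01-10T14:02:00", "user": "bob@example.com",
     "action": "Reset user password", "initiated_by": "bob@example.com",
     "detail": "Self-service password reset"},
    {"time": "2025-02-20T11:00:00", "user": "dave@example.com",
     "action": "User registered security info", "initiated_by": "dave@example.com",
     "detail": "Email: dave.backup@example.com"},
]

# Constructed HR/payroll application events (not real log data).
PAYROLL_EVENTS = [
    {"time": "2025-03-05T16:40:00", "user": "alice@example.com", "action": "direct_deposit_changed"},
    {"time": "2025-03-20T10:05:00", "user": "bob@example.com", "action": "direct_deposit_changed"},
    {"time": "2025-03-21T08:30:00", "user": "carol@example.com", "action": "direct_deposit_changed"},
]


def external_recovery_registrations(events, internal_domains=INTERNAL_DOMAINS):
    """Return (user, email) pairs where a newly registered recovery email is off-domain.

    This is the persistence step described in the article: an external address
    added as an authentication method.
    """
    hits = []
    for ev in events:
        if ev["action"] not in SECURITY_INFO_ACTIONS:
            continue
        detail = ev["detail"]
        if not detail.startswith("Email: "):
            continue
        email = detail[len("Email: "):].strip().lower()
        domain = email.rsplit("@", 1)[-1]
        if domain not in internal_domains:
            hits.append((ev["user"], email))
    return hits


def correlate_reset_then_payroll(identity_events, payroll_events, window=WINDOW):
    """Flag users whose direct-deposit change follows a credential reset within `window`.

    Returns one finding per (reset event, payroll change) pair so an analyst can
    see exactly which help-desk action preceded the payroll edit.
    """
    resets = {}
    for ev in identity_events:
        if ev["action"] in CREDENTIAL_RESET_ACTIONS:
            resets.setdefault(ev["user"], []).append(ev)
    findings = []
    for pe in payroll_events:
        if pe["action"] != "direct_deposit_changed":
            continue
        pay_t = _ts(pe["time"])
        for rev in resets.get(pe["user"], []):
            delta = pay_t - _ts(rev["time"])
            if timedelta(0) <= delta <= window:
                findings.append({"user": pe["user"], "reset_time": rev["time"],
                                 "reset_action": rev["action"],
                                 "initiated_by": rev["initiated_by"],
                                 "payroll_time": pe["time"]})
    return findings


if __name__ == "__main__":
    for user, email in external_recovery_registrations(IDENTITY_EVENTS):
        print(f"[external recovery email] {user} -> {email}")
    for f in correlate_reset_then_payroll(IDENTITY_EVENTS, PAYROLL_EVENTS):
        print(f"[reset then payroll change] {f}")
```

On the constructed data only `alice` is flagged: her help-desk-initiated password reset and off-domain recovery email both fall within a week of her direct-deposit change, while `bob`'s self-service reset is months earlier and `carol` has no identity change at all. The rule is deliberately narrow; widening `CREDENTIAL_RESET_ACTIONS` or `WINDOW` trades fewer misses for more analyst review, and the `initiated_by` field is what lets a help desk action be distinguished from a user's own self-service reset.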
However, the investigation uncovered an unexpected secondary finding: evidence of an ongoing WannaCry compromise within the organization’s legacy operational technology (OT) environment, suggesting an undetected presence for years.
Unit 42 immediately worked to contain account compromises, reverse fraudulent payroll changes, and regain control of impacted cloud identities.
Hardening measures implemented across IT and OT environments included enhanced help desk verification procedures, strengthened MFA enforcement workflows, improved application logging with Cortex XSIAM integration, and remediation of the WannaCry foothold.
This incident demonstrates how attackers increasingly bypass traditional technical controls to exploit human-driven processes.
Help desks are high-impact attack surfaces that require the same security rigor as technical authentication systems.
Organizations must implement unified visibility across environments, maintain strong verification procedures for identity-related requests, and treat operational workflows with the same security discipline applied to technical infrastructure.
The post Attackers Redirect Employee Paychecks Without Breaching a Single Corporate System appeared first on Cyber Security News.