
The attack demonstrates that human‑centric processes can enable high‑value fraud despite strong technical controls, highlighting a critical gap in identity‑management security.
Social engineering remains the most effective entry vector for sophisticated threat actors, as illustrated by the recent payroll diversion case. By posing as employees and exploiting weak verification questions, the attacker convinced help‑desk operators to reset passwords and re‑register MFA devices. This human‑focused compromise sidestepped firewalls, zero‑day exploits, and traditional malware detection, granting the adversary legitimate credentials that blended seamlessly into normal authentication logs. Organizations must therefore treat identity‑related help‑desk interactions with the same rigor as technical controls, implementing strict, multi‑factor verification and continuous audit trails.
Once inside the payroll system, the attacker leveraged the stolen credentials to modify direct‑deposit information, redirecting funds without raising alarms. Because each login passed MFA checks and appeared as routine activity, conventional security information and event management (SIEM) solutions failed to flag the fraud. This underscores the need for behavior‑based analytics that can detect subtle anomalies in financial workflows, such as sudden changes to banking details or atypical transaction patterns. Integrating payroll monitoring with broader identity‑and‑access management (IAM) platforms enhances visibility and enables rapid response when suspicious account modifications occur.
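The two paragraphs above describe an attack chain (help-desk password reset, MFA re-registration, then a direct-deposit change) and the detection gap it exposes. The following is an added example, not code from the original page or from any vendor product, showing the kind of correlation a behaviour-based rule could apply: it joins help-desk identity events with payroll self-service events per user, flags a banking-detail change that follows a reset or MFA re-enrolment within a 72-hour window, and separately flags a destination account that several distinct employees switch to. The log format, field names (`user`, `ticket`, `new_account`), user names and account tokens are all constructed for illustration.

```python
"""Correlate help-desk identity events with payroll direct-deposit changes.

Added example (hypothetical log format); not from any real incident or product.
Lines look like: TIMESTAMP SOURCE ACTION key=value key=value ...
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=72)  # how long a help-desk reset keeps an account "tainted"
IDENTITY_EVENTS = {"password_reset", "mfa_device_registered"}
PAYROLL_EVENT = "direct_deposit_changed"

# Constructed sample log lines (hypothetical users, tickets and account tokens).
SAMPLE_LOG = """\
2024-03-04T09:12:00 helpdesk password_reset user=j.doe ticket=HD-1001
2024-03-04T09:20:00 helpdesk mfa_device_registered user=j.doe ticket=HD-1001
2024-03-04T10:05:00 payroll direct_deposit_changed user=j.doe new_account=ACCT-777
2024-03-04T11:00:00 payroll direct_deposit_changed user=a.smith new_account=ACCT-123
2024-02-01T08:00:00 helpdesk password_reset user=b.lee ticket=HD-0900
2024-03-04T12:00:00 payroll direct_deposit_changed user=b.lee new_account=ACCT-456
2024-03-05T09:30:00 helpdesk mfa_device_registered user=c.ng ticket=HD-1002
2024-03-05T09:45:00 payroll direct_deposit_changed user=c.ng new_account=ACCT-777
"""


def parse_line(line):
    """Parse one 'TIMESTAMP SOURCE ACTION k=v ...' line into a dict."""
    ts, source, action, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts), "source": source, "action": action}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    """Parse all non-empty lines and return them in chronological order."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=WINDOW):
    """Alert on a payroll banking change preceded by help-desk identity events.

    Severity is 'high' when both a password reset and an MFA re-registration
    precede the change inside the window, 'medium' when only one does.
    """
    recent_identity = defaultdict(list)  # user -> [(timestamp, action)]
    alerts = []
    for ev in events:
        user = ev.get("user")
        if ev["action"] in IDENTITY_EVENTS:
            recent_identity[user].append((ev["ts"], ev["action"]))
        elif ev["action"] == PAYROLL_EVENT:
            prior = {a for t, a in recent_identity[user] if ev["ts"] - t <= window}
            if prior:
                alerts.append({
                    "user": user,
                    "ts": ev["ts"],
                    "severity": "high" if prior == IDENTITY_EVENTS else "medium",
                    "preceded_by": sorted(prior),
                    "new_account": ev.get("new_account"),
                })
    return alerts


def shared_destination(events):
    """Return destination accounts that more than one distinct user switched to."""
    users_by_account = defaultdict(set)
    for ev in events:
        if ev["action"] == PAYROLL_EVENT:
            users_by_account[ev.get("new_account")].add(ev.get("user"))
    return {acct: sorted(users) for acct, users in users_by_account.items() if len(users) > 1}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in correlate(evs):
        print(alert)
    print("shared destination accounts:", shared_destination(evs))
```

In the sample data, `j.doe` triggers a high-severity alert (reset plus MFA re-registration, then a banking change within an hour), `c.ng` a medium one, `a.smith` nothing, and `b.lee` nothing because the reset is a month old. The shared-destination check then ties `j.doe` and `c.ng` together through `ACCT-777`, the kind of cross-account pattern the paragraph above calls atypical. In a real deployment the events would come from the help-desk ticketing system, the identity provider's MFA enrolment log and the payroll application's audit trail rather than a single text file, and the window and severity thresholds would be tuned to the organisation's reset volume.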
The incident’s secondary finding—a lingering WannaCry infection in legacy operational technology—highlights the broader risk of unmonitored assets. Even when core IT environments are hardened, outdated OT systems can serve as hidden footholds for ransomware, threatening production continuity. A unified security posture that bridges IT and OT, coupled with continuous asset inventory and threat‑hunting, is essential to mitigate both human‑driven fraud and legacy malware threats. Investing in comprehensive visibility tools like Cortex XSIAM can streamline detection across these domains, protecting both financial integrity and operational resilience.