A cybercrime group has compromised university HR systems across the U.S., redirecting payroll payments through meticulously crafted phishing campaigns that exploit weak authentication. Microsoft reveals how Storm-2657 evaded detection by deleting security alerts and enrolling attacker-controlled MFA devices.