A sophisticated phishing campaign targeting the hospitality industry has been uncovered, with threat actors impersonating Booking.com to gain access to hotel systems and customer data.
Microsoft Threat Intelligence has attributed the ongoing attacks, which began in December 2024 and continued through February 2025, to a group known as Storm-1865.
The campaign primarily targets North America, Oceania, South and Southeast Asia, and Europe hospitality employees.
Attackers employ social engineering techniques, sending emails that appear to be from Booking.com and contain various lures such as negative guest reviews, requests from potential travelers, or account verification notices.
Malware Deployment and Credential Theft
ThreatDown detailed one variant of the attack: sending a fake booking confirmation email to hotel staff.
The email contains a link that, when clicked, leads to a fraudulent CAPTCHA website.
Upon interaction, the victim is presented with “verification”…
