Microsoft warns of phishing campaign targeting Booking.com

By Faizel Patel

Senior Journalist


The Threat Intelligence report revealed that the campaign uses a social engineering technique called ClickFix.


Microsoft has revealed that hotels, resorts, and other businesses in the hospitality industry are being targeted by a sophisticated phishing campaign that impersonates Booking.com.

The software giant’s “Threat Intelligence” report revealed that the campaign uses a social engineering technique called ClickFix to deliver multiple families of credential-stealing malware and to conduct financial fraud and theft.

Storm-1865

“As of February 2025, this campaign is ongoing,” Microsoft said.

Microsoft said Storm-1865 specifically targets hospitality organisations that are likely to work with travel agencies in North America, Oceania, South and Southeast Asia, and Europe.

Fake emails

The malicious campaign sends fake emails purporting to come from Booking.com.

According to Microsoft, in the ClickFix technique, a threat actor attempts to take advantage of human problem-solving tendencies by displaying fake error messages or prompts that instruct target users to fix issues by copying, pasting, and launching commands that eventually result in a malware download.

“In this campaign, Storm-1865 identifies target organisations in the hospitality sector and targets individuals at those organisations likely to work with Booking.com. Storm-1865 then sends a malicious email impersonating Booking.com to the targeted individual.

“The content of the email varies greatly, referencing negative guest reviews, requests from prospective guests, online promotion opportunities, account verification, and more,” Microsoft said.

Malware

Microsoft said the campaign delivers multiple malware families, including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT.

Microsoft said organisations can reduce the impact of phishing attacks by educating users to recognise these scams: checking that the sender’s email address is legitimate, hovering over links to see the full URL, contacting the service provider directly and looking for typos, among other safety measures.

Pam Golding hit

Earlier this week, real estate giant Pam Golding Properties said it suffered a data breach of its customer relationship management system hosted on its servers in South Africa.

The company said the incident occurred last Friday and involved an unknown third party that gained access to its systems through a user account.
