Profile picture of Microsoft Threat Intelligence

Microsoft Threat Intelligence

@MsftSecIntel

Published: March 13, 2025
1
34
72
1/4
03:02 PM

Starting in December 2024, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking .com and delivers multiple credential-stealing malware used for financial fraud and theft. https://msft.it/6012quK58

2/4Continued
03:02 PM

Tracked as Storm-1865, the campaign targets individuals in hospitality organizations that are most likely to work with Booking .com sending fake emails purporting to be from the agency.

3/4Continued
03:02 PM

It uses a social engineering technique called ClickFix, which takes advantage of human problem-solving tendencies by tricking target users into copying, pasting, and launching commands to fix supposed issues.

4/4Continued
03:02 PM

In this campaign’s case, the user is prompted by a fake CAPTCHA message to use a keyboard shortcut to launch a command that eventually downloads the malware payload. Check our blog to read our analysis and to get protection recommendations and hunting guidance.

Share this thread

Read on Twitter

View original thread

Navigate thread

1/4