
Microsoft Threat Intelligence
@MsftSecIntel
Starting in December 2024, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking .com and delivers multiple credential-stealing malware used for financial fraud and theft. https://msft.it/6012quK58
Tracked as Storm-1865, the campaign targets individuals in hospitality organizations that are most likely to work with Booking .com sending fake emails purporting to be from the agency.
It uses a social engineering technique called ClickFix, which takes advantage of human problem-solving tendencies by tricking target users into copying, pasting, and launching commands to fix supposed issues.
In this campaign’s case, the user is prompted by a fake CAPTCHA message to use a keyboard shortcut to launch a command that eventually downloads the malware payload. Check our blog to read our analysis and to get protection recommendations and hunting guidance.