Microsoft Threat Intelligence

Tracked as Storm-1865, the campaign targets individuals in hospitality organizations that are most likely to work with Booking .com sending fake emails purporting to be from the agency.

It uses a social engineering technique called ClickFix, which takes advantage of human problem-solving tendencies by tricking target users into copying, pasting, and launching commands to fix supposed issues.

In this campaign’s case, the user is prompted by a fake CAPTCHA message to use a keyboard shortcut to launch a command that eventually downloads the malware payload. Check our blog to read our analysis and to get protection recommendations and hunting guidance.