Starting in December 2024, leading up to some of the busiest travel days, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.com and targets organisations in the hospitality industry.
The campaign uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware in order to conduct financial fraud and theft.
As of February 2025, this campaign is ongoing.
In this blog post, Microsoft unpacks the threat and how organisations can guard against it.
This phishing attack specifically targets individuals in hospitality organisations in North America, Oceania, South and Southeast Asia, and Northern, Southern, Eastern, and Western Europe, that are most likely to work with Booking.com, sending fake emails purporting to come from the agency.
In the ClickFix technique, a threat actor attempts to take advantage of human problem-solving tendencies by displaying fake error messages or prompts that instruct target users to fix issues by copying, pasting, and launching commands that eventually result in the download of malware.
This need for user interaction could allow an attack to slip through conventional and automated security features. In the case of this phishing campaign, the user is prompted to use a keyboard shortcut to open a Windows Run window, then paste and launch a command that the phishing page adds to the clipboard.
Microsoft tracks this campaign as Storm-1865, a cluster of activity related to phishing campaigns leading to payment data theft and fraudulent charges.
Organisations can reduce the impact of phishing attacks by educating users on recognizing such scams.
Phishing campaign using the ClickFix social engineering technique
In this campaign, Storm-1865 identifies target organizations in the hospitality sector and targets individuals at those organizations likely to work with Booking.com. Storm-1865 then sends a malicious email impersonating Booking.com to the targeted individual.
The content of the email varies greatly, referencing negative guest reviews, requests from prospective guests, online promotion opportunities, account verification, and more.
The email includes a link, or a PDF attachment containing one, claiming to take recipients to Booking.com.
Clicking the link leads to a webpage that displays a fake CAPTCHA overlayed on a subtly visible background designed to mimic a legitimate Booking.com page.
This webpage gives the illusion that Booking.com uses additional verification checks, which might give the targeted user a false sense of security and therefore increase their chances of getting compromised.
The fake CAPTCHA is where the webpage employs the ClickFix social engineering technique to download the malicious payload. This technique instructs the user to use a keyboard shortcut to open a Windows Run window, then paste and launch a command that the webpage adds to the clipboard.
The command downloads and launches malicious code through mshta.exe.
The campaign delivers multiple families of commodity malware, including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. Depending on the specific payload, the specific code launched through mshta.exe varies. Some samples have downloaded PowerShell, JavaScript, and portable executable (PE) content.
All these payloads include capabilities to steal financial data and credentials for fraudulent use, which is a hallmark of Storm-1865 activity.
In 2023, Storm-1865 targeted hotel guests using Booking.com with similar social engineering techniques and malware. In 2024, Storm-1865 targeted buyers using e-commerce platforms with phishing messages leading to fraudulent payment webpages.
The addition of ClickFix to this threat actor’s tactics, techniques, and procedures (TTPs) shows how Storm-1865 is evolving its attack chains to try to slip through conventional security measures against phishing and malware.
The threat actor that Microsoft tracks as Storm-1865 encapsulates a cluster of activity conducting phishing campaigns, leading to payment data theft and fraudulent charges. These campaigns have been ongoing with increased volume since at least early 2023 and involve messages sent through vendor platforms, such as online travel agencies and e-commerce platforms, and email services, such as Gmail or iCloud Mail.
Recommendations
Users can follow the recommendations below to spot phishing activity. Organisations can reduce the impact of phishing attacks by educating users on recognising these scams.
- Check the sender’s email address to ensure it’s legitimate. Assess whether the sender is categorised as first-time, infrequent, or marked as “[External]” by your email provider. Hover over the address to ensure that the full address is legitimate.
- Keep in mind that legitimate organisations do not send unsolicited email messages or make unsolicited phone calls to request personal or financial information. Always navigate to those organisations directly to sign into your account.
- Contact the service provider directly. If you receive a suspicious email or message, contact the service provider directly using official contact forms listed on the official website.
- Be wary of urgent calls to action or threats. Remain cautious of email notifications that call to click, call, or open an attachment immediately. Phishing attacks and scams often create a false sense of urgency to trick targets into acting without first scrutinizing the message’s legitimacy.
- Hover over links to observe the full URL. Sometimes, malicious links are embedded into an email to trick the recipient. Simply clicking the link could let a threat actor download malware onto your device. Before clicking a link, ensure the full URL is legitimate. For best practice, rather than following a link from an email, search for the company website directly in your browser and navigate from there.
- Search for typos. Phishing emails often contain typos, including within the body of the email, indicating that the sender is not a legitimate, professional source, or within the email domain or URL, as mentioned previously. Companies rarely send out messages without proofreading content, so multiple spelling and grammar mistakes can signal a scam message. In addition, check for very subtle misspellings of legitimate domains, a technique known as typosquatting. For example, you might see micros0ft[.]com, where the second o has been replaced by 0, or rnicrosoft[.]com, where the m has been replaced by r and n.