Microsoft is tracking a phishing campaign hitting hotels across Europe and Asia since April, using guest-complaint and inspection-themed emails to get front-desk staff to open photo-themed ZIP files. The lures pass email authentication through what Microsoft calls authentication laundering, routing messages through Calendly's notification system and Google redirects so they appear legitimate. The ZIP hides a shortcut posing as an image that runs obfuscated PowerShell, quietly installs a legitimate Node.js runtime, and launches a JavaScript implant called TonRAT. TonRAT resolves its command servers through a blockchain API, communicates over encrypted WebSockets on unusual ports, disables Microsoft Defender for itself, and persists through the registry. The attackers' ultimate goal is still unclear.
BWH Hotels - the global hospitality group behind Best Western, WorldHotels, and Sure Hotels, with 4,000+ properties in over 100 countries and 53 million loyalty members - has disclosed that attackers were inside one of its guest reservation web applications for more than six months. The intrusion ran from October 14, 2025, to April 22, 2026, when BWH finally detected unauthorized activity. The hackers accessed names, email addresses, phone numbers, postal addresses, reservation numbers, stay dates, and any special requests for an undisclosed number of guests. Payment data sat with a third-party processor and was not affected. No threat actor has claimed the breach so far.