Last updated: July 5, 2026 at 9:01 AM UTC
Tag: hospitality (2 articles)

Hotel phishing campaign launders email authentication to drop a Node.js implant

Microsoft is tracking a phishing campaign hitting hotels across Europe and Asia since April, using guest-complaint and inspection-themed emails to get front-desk staff to open photo-themed ZIP files. The lures pass email authentication through what Microsoft calls authentication laundering, routing messages through Calendly's notification system and Google redirects so they appear legitimate. The ZIP hides a shortcut posing as an image that runs obfuscated PowerShell, quietly installs a legitimate Node.js runtime, and launches a JavaScript implant called TonRAT. TonRAT resolves its command servers through a blockchain API, communicates over encrypted WebSockets on unusual ports, disables Microsoft Defender for itself, and persists through the registry. The attackers' ultimate goal is still unclear.

Check
Alert front-desk staff to complaint-themed emails carrying photo ZIP files, and hunt for Node.js running from user paths, new Defender exclusions, and beacons to non-standard ports such as 8443 or 56001.
Affected
Hotels and hospitality organizations in Europe and Asia whose reception and reservations staff open image or document attachments; the campaign launders email authentication and installs a persistent Node.js implant.
Fix
Block and alert on the campaign's domains and ports, restrict execution of shortcut files from archives, monitor for unauthorized Node.js runtimes and Defender exclusions, and remove both registry persistence keys during cleanup.

BWH Hotels (Best Western's parent) had attackers in its reservation system for over six months - guests' contact details and stay records exposed across Best Western, WorldHotels, and SureStay brands

BWH Hotels - the global hospitality group behind Best Western, WorldHotels, and Sure Hotels, with 4,000+ properties in over 100 countries and 53 million loyalty members - has disclosed that attackers were inside one of its guest reservation web applications for more than six months. The intrusion ran from October 14, 2025, to April 22, 2026, when BWH finally detected unauthorized activity. The hackers accessed names, email addresses, phone numbers, postal addresses, reservation numbers, stay dates, and any special requests for an undisclosed number of guests. Payment data sat with a third-party processor and was not affected. No threat actor has claimed the breach so far.

Check
Search corporate travel and expense systems for stays at BWH-branded properties between October 2025 and April 2026, and warn frequent business travelers to treat any unexpected reservation emails as suspect.
Affected
BWH Hotels guests with reservations in the affected web application between October 14, 2025, and April 22, 2026. Brands include Best Western, Best Western Hotels and Resorts, WorldHotels, SureStay, and Sure Hotels.
Fix
Treat any unexpected emails or texts referencing past BWH stays as untrusted, even if the details match. Visit the booking property's verified website directly instead of clicking links, and rotate any reused passwords.