Decoding the world of cybersecurity

Hotel phishing campaign targets Europe

Microsoft says hospitality organisations in Europe and Asia are being targeted with photo-themed phishing that delivers a persistent Node.js implant.

Hotel phishing campaign targets Europe
Summary
  • Microsoft has observed a campaign targeting hospitality and hotel organisations in Europe and Asia since April 2026.
  • The campaign uses photo-themed ZIP files, malicious shortcuts, obfuscated PowerShell, and a Node.js implant.
  • Front desk, reservations, and guest service workflows carry high attachment and link exposure because staff routinely handle customer files under operational pressure.

Microsoft says hospitality and hotel organisations in Europe and Asia have been targeted by a phishing campaign that uses photo-themed ZIP files to deliver a persistent Node.js implant.

The company’s threat intelligence team said it has observed the activity since April 2026 across multiple organisations. The campaign uses lures that fit ordinary hotel workflows, including guest complaints, room condition inquiries, review requests, and other image or document themes that staff may be expected to handle quickly.

The attack chain begins when a user downloads a ZIP archive presented as a photo file. Inside is a shortcut masquerading as an image. If launched, the shortcut starts a sequence involving obfuscated PowerShell, downloader activity, deployment of a Node.js implant, registry persistence, and command and control communication over non-standard ports.

Microsoft said the campaign has evolved across at least two waves, including changes in shortcut naming patterns and additional staging involving dynamic .NET compilation. It has not attributed the activity to a known threat actor, and the final objective remains unclear. Observed post compromise activity has included command and control beaconing, forced shutdowns, and compilation of portable executable payloads.

Hotels are exposed through the shape of their daily operations. Hospitality environments combine high inbound message volumes, front desk pressure, multilingual customer contact, seasonal staff, franchise and management company structures, payment exposure, loyalty data, and frequent use of booking platforms. Staff roles such as reception, reservations, front desk, and front office are expected to open attachments and respond to guest-facing requests. Microsoft observed device and account naming patterns consistent with those roles.

The delivery method also shows the limits of conventional trust signals. Microsoft said the actor misused legitimate services, including Calendly email notification infrastructure and Google redirect functionality, to deliver phishing links through trusted sending paths. The message can pass email authentication checks because it comes through authorised infrastructure, even though the content and intent are malicious.

SPF, DKIM, and DMARC help verify sending infrastructure; they do not prove the safety of a link, the legitimacy of an attachment, or the intent of a message sent through a legitimate platform. Hotels and other customer-facing organisations need controls that account for legitimate service abuse, redirect chains, and high pressure operational lures.

The sector’s exposure also reaches beyond individual hotels. Hospitality groups often depend on outsourced IT, managed service providers, reservation platforms, property management systems, payment processors, and centralised brand systems. A compromise at reception or reservations level can become a route into broader identity, payment, and operational systems if segmentation, endpoint control, and least privilege access are weak.

Microsoft’s technical write-up includes indicators, attack chain detail, and mitigation guidance. Defensive work should focus on reducing the blast radius of a staff workstation compromise, including attachment handling, shortcut file blocking, PowerShell and script controls, browser download inspection, endpoint telemetry, and rapid isolation of systems used for guest communications.

×