HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Phishing Campaign Targets Hospitality Staff with Fake Guest Complaint Emails, Deploys TonRAT Malware

Microsoft reports a phishing operation that sends fake guest‑complaint emails to hospitality employees, using Calendly and Google redirects to deliver the TonRAT backdoor. The attack highlights gaps in email authentication and user awareness—key focus areas for SOC 2 audit readiness.

LiveThreat™ Intelligence · 📅 June 27, 2026· 📰 securityaffairs.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
1 sector(s)
Actions
3 recommended
📰
Source
securityaffairs.com

Phishing Campaign Targets Hospitality Staff with Fake Guest Complaint Emails, Deploys TonRAT Malware

What Happened — Microsoft’s threat‑intel team uncovered a credential‑phishing operation that has been active since April 2026 and specifically targets hospitality organizations. Attackers send “guest‑complaint” emails that appear to come from Calendly’s notification system, then chain through Google redirects and a Cloudflare‑fronted domain to deliver a PowerShell‑based loader that installs the TonRAT backdoor.

Why It Matters for Compliance & Audit Readiness

  • The campaign exploits weak email‑security controls and user awareness – exactly the scenario SOC 2 CC6.1 (Logical Access) and CC7.1 (Security Awareness) are designed to mitigate and evidence.
  • Continuous monitoring of authentication‑laundering vectors (SPF/DKIM/DMARC) and proof of staff training provide defensible audit evidence that the organization is managing phishing risk.

Who Is Affected – Hotels, resorts, and other hospitality service providers (front‑desk, reservations, and guest‑relations teams).

Recommended Actions – Review and tighten email authentication policies, enforce SOC 2‑aligned security‑awareness training, and collect evidence of phishing‑simulation results for audit readiness. Source: Security Affairs

Technical Notes – Attack uses “authentication laundering” via Calendly and Google URL redirects, bypasses SPF/DKIM/DMARC, and drops a PowerShell‑obfuscated loader (seven evolution phases) that writes a .lnk shortcut to %TEMP% and executes TonRAT. Source: Microsoft Threat Intelligence

📰 Original Source
https://securityaffairs.com/194349/uncategorized/hospitality-sector-hit-by-phishing-campaign-using-fake-guest-complaint-emails.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Awareness is a control you can evidence too.

Verisq AI Trust Operations records training completion and policy adoption as audit evidence — turning 'we train our staff' into something you can actually prove.

See how Verisq AI Trust Operations covers awareness →