Phishing Campaign Targets Hospitality Staff with Fake Guest Complaint Emails, Deploys TonRAT Malware
What Happened — Microsoft’s threat‑intel team uncovered a credential‑phishing operation that has been active since April 2026 and specifically targets hospitality organizations. Attackers send “guest‑complaint” emails that appear to come from Calendly’s notification system, then chain through Google redirects and a Cloudflare‑fronted domain to deliver a PowerShell‑based loader that installs the TonRAT backdoor.
Why It Matters for Compliance & Audit Readiness
- The campaign exploits weak email‑security controls and user awareness – exactly the scenario SOC 2 CC6.1 (Logical Access) and CC7.1 (Security Awareness) are designed to mitigate and evidence.
- Continuous monitoring of authentication‑laundering vectors (SPF/DKIM/DMARC) and proof of staff training provide defensible audit evidence that the organization is managing phishing risk.
Who Is Affected – Hotels, resorts, and other hospitality service providers (front‑desk, reservations, and guest‑relations teams).
Recommended Actions – Review and tighten email authentication policies, enforce SOC 2‑aligned security‑awareness training, and collect evidence of phishing‑simulation results for audit readiness. Source: Security Affairs
Technical Notes – Attack uses “authentication laundering” via Calendly and Google URL redirects, bypasses SPF/DKIM/DMARC, and drops a PowerShell‑obfuscated loader (seven evolution phases) that writes a .lnk shortcut to %TEMP% and executes TonRAT. Source: Microsoft Threat Intelligence