MICROSOFT warns of a phishing campaign targeting the hospitality sector using fake guest complaint emails that install a malware called TonRAT. Running since April 2026, the campaign employs an authentication laundering technique, exploiting platforms like Calendly and Google to bypass security protocols. The phishing emails, disguised as notifications about health or guest issues, are sent in multiple languages, primarily Japanese.
Victims clicking on links are directed through a series of redirects before downloading a payload that utilizes PowerShell for obfuscation. Notably, the attack maintains persistence by employing mechanisms in the Windows registry to ensure continued execution even after detection. The campaign's ultimate goals remain unclear, and complete remediation requires thorough system checks.