Microsoft has recently uncovered an ongoing phishing campaign targeting the hospitality sector, specifically through the impersonation of Booking.com. The campaign, dubbed Storm-1865, has been active since December 2024 and uses a social engineering technique called ClickFix to distribute malware. The phishing emails, sent to hospitality employees across several regions, contain fake Booking.com links, which ultimately redirect users to a fraudulent CAPTCHA page. This page then instructs victims to run a command that downloads malicious payloads, including malware like XWorm, Lumma stealer, and VenomRAT.
The ClickFix technique tricks users into copying and pasting a command that exploits Windows’ legitimate mshta.exe binary. This method bypasses conventional email security protocols such as DMARC enforcement, making it harder for automated security systems to detect. Microsoft’s threat intelligence team highlighted how this tactic has evolved over time, shifting from targeting e-commerce platforms to utilizing the ClickFix method for more effective phishing campaigns. This evolution demonstrates an increasing sophistication in bypassing traditional security measures.
The Storm-1865 campaign, which has targeted both buyers and employees in the hospitality industry, marks the latest in a series of ClickFix-based attacks.
The technique itself has been increasingly adopted by cybercriminals and even nation-state groups like APT28 and MuddyWater. By leveraging user trust and human behavior, ClickFix is able to sidestep many automated defenses, making it a potent tool for malware distribution.
As these attacks continue to rise, the industry has seen a range of new campaigns utilizing fake CAPTCHA verification to drop infostealers like Lumma and Vidar.
The effectiveness of ClickFix is reflected in its rapid adoption by various threat actors, demonstrating its low technical barrier and high success rate. It capitalizes on user actions, shifting the burden of execution onto the victim, which increases the likelihood of malware infection. Beyond the Storm-1865 campaign, other recent phishing attacks have employed similar methods, using fake Google reCAPTCHA challenges and fake booking confirmations to deploy malware. These tactics underscore a growing trend in social engineering strategies that exploit user trust and browser functionality for malicious purposes.
