# Hotel Phishing Campaign Using Calendly and Google Redirects Puts TonRAT Malware Inside Global Hospitality

*Friday, June 26, 2026 at 10:04 AM UTC — Hamer Intelligence Services Desk*

**Published**: 2026-06-26T10:04:55.469Z
**Category**: cyber | **Region**: Global
**Importance**: 7/10
**Sources**: OSINT
**Permalink**: https://hamerintel.com/data/articles/8880.md
**Source**: https://hamerintel.com/summaries

---

**Deck**: Attackers are hijacking trusted tools like Calendly and Google URL redirects to slip booby‑trapped “photo” ZIP files into hotel inboxes across Europe and Asia, Microsoft warns. Inside is a disguised shortcut that drops the TonRAT Node.js implant, turning front‑desk computers into quiet footholds with implications for guest data, travel security and the wider hospitality supply chain.

A new wave of phishing attacks against hotels is exploiting the very services many staff rely on to manage reservations and events. In a warning published this week, Microsoft described how threat actors are using legitimate Calendly invitations and Google URL redirects to trick hotel employees into downloading malware, a reminder that trust in familiar brands has become a weapon in the cyber arsenal.

According to Microsoft’s analysis, the campaign has targeted hotels in Europe and Asia with emails that appear to come from real customers or business partners sharing photos, booking details or event information. The messages route recipients through Calendly or Google‑hosted links that look authentic, before redirecting them to download “photo” ZIP archives. Those archives contain no images. Instead, they hold a shortcut file masquerading as an image, and executing it installs the TonRAT implant, which is built on Node.js.
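A mail-gateway or triage check for the delivery step described above, as an added example that is not from Microsoft's report or this article: it lists ZIP members that are Windows shortcuts, judged by extension or by the Shell Link header. The extension sets, the image-name heuristic and the sample archive are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

# Shell Link header: HeaderSize 0x4C, then LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
# Assumption: extensions a gateway would treat as shortcut/launcher files.
SHORTCUT_EXTS = {".lnk", ".url", ".pif"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".heic"}


def scan_zip(data: bytes) -> list[dict]:
    """Return one finding per archive member that is a shortcut by name or content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            inner = "." + parts[-2] if len(parts) > 2 else ""
            head = b""
            if not info.flag_bits & 0x1:  # encrypted members need a password to read
                with zf.open(info) as fh:
                    head = fh.read(len(LNK_MAGIC))
            by_magic = head == LNK_MAGIC
            by_ext = ext in SHORTCUT_EXTS
            if by_magic or by_ext:
                findings.append({
                    "member": info.filename,
                    "lnk_header": by_magic,
                    "shortcut_ext": by_ext,
                    # Explorer hides ".lnk", so "x.jpg.lnk" is displayed as "x.jpg".
                    "image_disguise": inner in IMAGE_EXTS or ext in IMAGE_EXTS,
                })
    return findings


def build_sample() -> bytes:
    """Constructed test archive: one benign JPEG stub, one header-only LNK stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/room_101.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        zf.writestr("photos/room_102.jpg.lnk", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip(build_sample()))
```

Checking the header as well as the name catches a shortcut whose extension was changed inside the archive, while the extension check still covers encrypted members whose content cannot be read.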

TonRAT gives attackers a foothold inside hotel networks, allowing them to run commands, exfiltrate data and potentially pivot to other systems. While Microsoft has not publicly attributed the campaign to a specific state or criminal group, the choice of targets and tools suggests operators who are comfortable adapting to security training that tells staff to look for misspelled domains and unfamiliar senders. Here, the lures lean on platforms that front‑desk workers and managers often use legitimately, making visual detection much harder.

For hotels, the human stakes are not abstract. A compromised workstation at reception can expose guest details, payment information and passport scans, and in some cases might provide access to room‑key systems or travel‑itinerary databases. That turns what looks like a simple phishing incident into a potential physical‑security issue, especially for business travelers, diplomats and corporate executives whose movements and preferences are sensitive intelligence.

The operational impact can ripple further. Large hotel chains run centralized booking platforms, loyalty programs and corporate network links that tie together properties across regions. A single infected endpoint in one property can, if network segmentation is weak, become an entry point toward those broader systems. For the hospitality industry already hit by ransomware and data‑breach scandals in recent years, another class of threats worsens customer trust problems and regulatory exposure.

Strategically, the campaign shows how attackers are adjusting to a world saturated with basic phishing awareness. Security training that teaches staff to “hover over the link” is less effective when the URL they see belongs to a mainstream tool they use every week. By piggybacking on Calendly and Google redirects, the operators behind TonRAT are effectively renting credibility from tech giants to sneak past both human suspicion and some automated filters.

The broader lesson is that cyber risk in travel is no longer confined to airline systems and border‑control databases. Hotels, convention centers and local booking agencies form part of the same security perimeter for high‑value travelers, and their email inboxes can be as valuable as any diplomatic cable.

Signals to watch include whether TonRAT or similar Node.js‑based implants begin showing up in sectors beyond hospitality, whether Microsoft or other vendors release targeted detection rules that blunt this specific campaign, and whether major hotel groups quietly roll out new controls on file downloads and link handling. The speed at which the industry closes these gaps will help determine whether hotels remain soft entry points for attackers hunting both money and information.
