// Alert

Microsoft 365 threat report

Microsoft Threat Intelligence disclosed an active campaign since April 2026 using 'authentication laundering' to bypass email security filters on hotels across Europe and Asia. Attackers register legitimate SaaS accounts (Calendly, GitHub, Jira) and route phishing emails through their trusted infrastructure to pass SPF, DKIM, and DMARC checks. Hotel employees receive messages with archives containing Windows shortcuts that execute PowerShell, deploy a signed Node.js runtime, and drop a memory-only JavaScript implant establishing persistence via registry run keys and Defender exclusions. Compromised front-desk workstations gain access to property management systems and guest databases.

// Get alerts for Microsoft 365