Hospitality Sector Under Siege: Analyzing the PHALT#BLYX ClickFix MSBuild Attack
The hospitality industry has become a prime target for cybercriminals seeking to exploit high-volume transaction data and often decentralized IT environments. A new threat campaign, tracked as PHALT#BLYX, is actively leveraging these weaknesses, combining sophisticated social engineering with Living-off-the-Land (LotL) techniques to breach hotel networks.
Unlike broad-spectrum attacks, this campaign focuses specifically on hospitality organizations. By abusing the trusted Microsoft Build Engine (MSBuild.exe), attackers are bypassing standard security controls, making detection difficult for teams relying solely on signature-based antivirus solutions.
Understanding the Attack Vector: ClickFix & MSBuild
The PHALT#BLYX campaign operates through a multi-stage infection chain. It begins with "ClickFix" social engineering—a tactic where users are deceived into believing their system is malfunctioning or requires an urgent update.
In this scenario, victims are often presented with fabricated browser error messages or fake technical support prompts. These prompts instruct the user to copy and execute a malicious command or script, effectively tricking the human user into becoming the malware delivery mechanism.
Once the command is executed, the attack escalates by abusing MSBuild.exe. MSBuild is a legitimate platform for building applications, typically used by developers. However, because it is a signed Microsoft binary capable of executing code via XML project files, it is frequently abused in "LotL" attacks to evade application whitelisting. By proxying malicious code through MSBuild, the attackers can blend in with normal development or administrative activity.
Technical Analysis & TTPs
Security Arsenal analysts have observed that the payload delivered in the PHALT#BLYX campaign often establishes persistence and facilitates lateral movement. The abuse of MSBuild allows the payload to run in-memory or via compiled artifacts, leaving minimal footprints on the disk.
Key TTPs to watch for:
- Initial Access: Spear-phishing or fraudulent web redirects triggering "ClickFix" browser overlays.
- Execution: MSBuild.exe spawning from unusual parent processes (e.g., cmd.exe, powershell.exe, or even browser processes).
- Defense Evasion: Utilization of trusted signed binaries to bypass heuristic controls.
Detection & Threat Hunting
To identify compromises related to PHALT#BLYX and similar ClickFix campaigns, security teams must hunt for anomalies in process execution trees. Specifically, we look for instances where MSBuild.exe is invoked in contexts unrelated to software development or legitimate administrative tasks.
KQL Query for Microsoft Sentinel / Defender 365
Use the following KQL query to hunt for suspicious MSBuild execution patterns. This query looks for MSBuild (including renamed copies, identified by the PE original filename) spawned by non-standard parent processes, and projects the folder path so that runs outside the usual Visual Studio or .NET SDK directories stand out during review.
DeviceProcessEvents
| where Timestamp > ago(7d)
// Match on the PE original filename as well as the on-disk name so a renamed copy of MSBuild is not missed
| where FileName =~ "MSBuild.exe" or ProcessVersionInfoOriginalFileName =~ "MSBuild.exe"
// Flag launches from shells and browsers; MSBuild started by devenv.exe or a build agent is expected
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "chrome.exe", "msedge.exe", "firefox.exe")
// FolderPath and ProcessCommandLine are projected so hits outside the Visual Studio / .NET SDK folders, or project files in user-writable paths, can be reviewed; add path exclusions only after reviewing results
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256
| order by Timestamp desc
PowerShell Validation Script
You can use this PowerShell snippet to audit recent MSBuild executions on specific endpoints. It checks the Security Event Log for process-creation events (Event ID 4688) involving MSBuild; process-creation auditing must be enabled on the endpoint for these events to exist.
# Check for MSBuild process creations (Event ID 4688) in the last 24 hours.
# Requires "Audit Process Creation" to be enabled; the Creator Process Name field is populated on Windows 10 / Server 2016 and later.
$Date = (Get-Date).AddDays(-1)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688; StartTime=$Date} -ErrorAction SilentlyContinue
if ($Events) {
    # The 4688 message text uses the labels "New Process Name:" and "Creator Process Name:",
    # so match on those (not on the XML field names NewProcessName / ParentProcessName).
    $SuspiciousActivity = $Events | Where-Object {
        $_.Message -match 'New Process Name:\s+.*\\MSBuild\.exe' -and
        $_.Message -match 'Creator Process Name:\s+.*\\(cmd|powershell|chrome|msedge|firefox)\.exe'
    }
    if ($SuspiciousActivity) {
        Write-Host "ALERT: Suspicious MSBuild activity detected." -ForegroundColor Red
        $SuspiciousActivity | Select-Object TimeCreated, Id, Message | Format-List
    } else {
        Write-Host "No suspicious MSBuild activity found." -ForegroundColor Green
    }
} else {
    Write-Host "No relevant security events found (is process-creation auditing enabled?)."
}
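As an added example that is not part of the original post, the following Python script applies the same hunt logic as the KQL query and PowerShell check above to process-creation events exported from an EDR or Sysmon. The event field names, the list of expected MSBuild directories and the sample events are this example's own assumptions; beyond the checks above, it also catches a renamed MSBuild copy via the PE original filename and flags project files supplied from user-writable folders.

```python
from pathlib import PureWindowsPath
# Parents that should not normally launch MSBuild (same set as the KQL query above)
SUSPICIOUS_PARENTS = {"powershell.exe", "cmd.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Where MSBuild legitimately lives on a developer box (assumption; tune for your estate)
EXPECTED_DIRS = ("c:\\windows\\microsoft.net\\framework", "c:\\program files\\dotnet",
                 "c:\\program files\\microsoft visual studio", "c:\\program files (x86)\\microsoft visual studio")
# User-writable folders where a dropped .xml/.csproj project file is a red flag
WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\")

def triage(event):
    """Reasons one process-creation event looks like MSBuild abuse ([] = benign). Event keys
    (image, original_file_name, parent_image, command_line) are this example's own assumption."""
    image = PureWindowsPath(event["image"])
    name = image.name.lower()
    if name != "msbuild.exe" and event.get("original_file_name", "").lower() != "msbuild.exe":
        return []  # not MSBuild at all
    reasons = []
    if name != "msbuild.exe":
        reasons.append("renamed binary (PE OriginalFileName is MSBuild.exe)")
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent}")
    folder = str(image.parent).lower()
    if not folder.startswith(EXPECTED_DIRS):
        reasons.append(f"unexpected location {folder}")
    for tok in event.get("command_line", "").lower().split():
        if tok.endswith((".xml", ".csproj", ".proj")) and any(h in tok for h in WRITABLE_HINTS):
            reasons.append(f"project file in user-writable path: {tok}")
    return reasons

def hunt(events):
    """Map each flagged event's image path to its reasons; benign events are dropped."""
    return {e["image"]: r for e in events if (r := triage(e))}

# Constructed sample events (not real telemetry): one normal build, two ClickFix-style launches.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "original_file_name": "MSBuild.exe", "command_line": "MSBuild.exe HotelApp.sln",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "original_file_name": "MSBuild.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"MSBuild.exe C:\Users\Public\update.xml"},
    {"image": r"C:\Users\Public\svchost.exe", "original_file_name": "MSBuild.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "command_line": "svchost.exe build.csproj"},
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS).items():
        print(f"ALERT {image}: {'; '.join(reasons)}")
```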
Mitigation Strategies
Stopping PHALT#BLYX requires a combination of technical controls and user awareness.
- Application Control via AppLocker/WDAC: Implement strict policies that limit the execution of MSBuild.exe to specific, authorized users and directories (e.g., only developers can run it from the Visual Studio folder).
- Attack Surface Reduction (ASR) Rules: Enable the ASR rule in Microsoft Defender specifically designed to "Block abuse of exploited vulnerable signed drivers" and rules that prevent Office apps from creating child processes, as ClickFix often overlaps with initial Office-based vectors.
- User Education: Train staff to recognize "ClickFix" tactics. Employees should know that legitimate browsers or operating systems will never ask them to copy and paste PowerShell commands or run scripts to fix an error.