
TonRAT Hospitality Campaign: Detecting Fake Guest Complaint Phishing

Security Arsenal Team
June 27, 2026

Microsoft Threat Intelligence has issued a critical warning regarding an active social engineering campaign specifically targeting the hospitality sector. Since April 2026, threat actors have been leveraging highly convincing "fake guest complaint" emails to deliver TonRAT, a Remote Access Trojan characterized by its resilient persistence mechanisms.

For security practitioners, this represents a significant shift in tactics. Hospitality environments, often characterized by high staff turnover and decentralized IT management, are prime targets for credential harvesting and long-term espionage. This is not a theoretical risk: active infections have been confirmed in environments whose device naming conventions indicate that operational technology or guest management systems are being accessed.

Technical Analysis

Threat Overview:

  • Vector: Spear-phishing (Social Engineering).
  • Payload: TonRAT.
  • Target: Hospitality Sector (Front desk, management, and reservation systems).
  • Persistence: Resilient (likely via Registry Run keys, Scheduled Tasks, or Service creation).

Attack Chain Breakdown:

  1. Initial Access: The attack begins with a phishing email crafted to appear as a legitimate guest complaint. The subject lines and sender addresses are spoofed to bypass basic email filtering, often using urgent language to manipulate hotel staff into clicking links or opening attachments.
  2. Execution: Once the user interacts with the lure (typically a malicious attachment or a link dropping a payload), a script (PowerShell or VBScript) executes to fetch and install the TonRAT payload.
  3. Persistence: TonRAT establishes "resilient persistence." While specific registry keys or scheduled task names vary by campaign iteration, operators often utilize mechanisms that survive system reboots and user logoffs to maintain C2 (Command and Control) access.
  4. C2 Beaconing: The infected endpoint establishes an outbound connection to attacker-controlled infrastructure. This allows for data exfiltration (guest PII, payment card data) and lateral movement to Property Management Systems (PMS).

CVE Status: No specific CVE is associated with this social engineering campaign. The vulnerability exploited here is human error and a lack of email hygiene controls. Therefore, defense relies heavily on behavioral detection and user awareness rather than patching a specific software flaw.

Detection & Response

To effectively hunt for this threat, SOC teams must focus on the initial access vector (Office applications spawning shells) and the behavioral characteristics of TonRAT persistence and network traffic.

SIGMA Rules

---
title: Potential TonRAT Phishing Execution via Office
id: 8a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects Microsoft Office applications spawning PowerShell or CMD, a common pattern in fake guest complaint phishing campaigns leading to TonRAT installation.
references:
  - https://www.microsoft.com/en-us/security/blog/
author: Security Arsenal
date: 2026/04/22
tags:
  - attack.initial_access
  - attack.t1566.001
  - attack.execution
  - attack.t1204.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|contains:
      - '\WINWORD.EXE'
      - '\EXCEL.EXE'
      - '\POWERPNT.EXE'
      - '\OUTLOOK.EXE'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
  condition: selection
falsepositives:
  - Legitimate macro usage for document automation
level: high
---
title: Suspicious Registry Run Key Persistence (TonRAT Indicator)
id: 9c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects creation of registry run keys with suspicious parameters often associated with RATs like TonRAT ensuring resilient persistence.
references:
  - https://attack.mitre.org/techniques/T1547/001/
author: Security Arsenal
date: 2026/04/22
tags:
  - attack.persistence
  - attack.t1547.001
logsource:
  category: registry_set
  product: windows
detection:
  selection:
    TargetObject|contains:
      - '\Software\Microsoft\Windows\CurrentVersion\Run'
      - '\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    Details|contains:
      - 'powershell.exe -'
      - 'cmd.exe /c'
      - 'http://'
      - 'ftp://'
  condition: selection
falsepositives:
  - Legitimate software installation
level: medium
---
title: Hospitality Phishing Subject Keywords
id: 0d1e2f3a-4b5c-6d7e-8f9a-0b1c2d3e4f5a
status: experimental
description: Detects incoming emails with subject lines associated with the active hospitality fake guest complaint campaign.
references:
  - https://securityaffairs.com/194349/uncategorized/hospitality-sector-hit-by-phishing-campaign-using-fake-guest-complaint-emails.html
author: Security Arsenal
date: 2026/04/22
tags:
  - attack.initial_access
  - attack.t1566.001
logsource:
  product: o365
  service: exchange
detection:
  selection:
    Subject|contains:
      - 'Guest Complaint'
      - 'Service Issue'
      - 'Billing Discrepancy'
      - 'Unsatisfied Stay'
  condition: selection
falsepositives:
  - Legitimate guest complaints (requires analyst review)
level: low
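
The three Sigma selections above can be checked against sample telemetry before they reach the SIEM. The Python below is an added example written for this page, not a Security Arsenal tool and not a Sigma backend: it implements only the `contains` and `endswith` modifiers with Sigma's case-insensitive string matching, transcribes the three selections field for field, and runs them over constructed Sysmon-style process, registry and mail events (every field value and device path in the sample set is an assumption, not real telemetry).

```python
"""Evaluate the three Sigma-style selections over constructed sample events.
Added example for this page; not a Sigma backend and not Security Arsenal code."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    title: str
    level: str
    source: str                                    # logsource category or service
    selection: dict = field(default_factory=dict)  # "Field|modifier" -> list of patterns


def _field_matches(value, modifier, patterns):
    """Sigma string matching is case-insensitive; a list of patterns is an OR."""
    if value is None:
        return False
    v = str(value).lower()
    for pattern in patterns:
        p = pattern.lower()
        if modifier == "contains" and p in v:
            return True
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "" and v == p:              # no modifier: exact match
            return True
    return False


def rule_matches(rule, event):
    """Every key in a Sigma selection map must match (AND across fields)."""
    if event.get("source") != rule.source:
        return False
    for key, patterns in rule.selection.items():
        name, _, modifier = key.partition("|")
        if not _field_matches(event.get(name), modifier, patterns):
            return False
    return True


# The three selections from the rules above, transcribed field for field
RULES = [
    Rule("Potential TonRAT Phishing Execution via Office", "high", "process_creation", {
        "ParentImage|contains": ["\\WINWORD.EXE", "\\EXCEL.EXE", "\\POWERPNT.EXE", "\\OUTLOOK.EXE"],
        "Image|endswith": ["\\powershell.exe", "\\cmd.exe"],
    }),
    Rule("Suspicious Registry Run Key Persistence (TonRAT Indicator)", "medium", "registry_set", {
        "TargetObject|contains": ["\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                                  "\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"],
        "Details|contains": ["powershell.exe -", "cmd.exe /c", "http://", "ftp://"],
    }),
    Rule("Hospitality Phishing Subject Keywords", "low", "exchange", {
        "Subject|contains": ["Guest Complaint", "Service Issue", "Billing Discrepancy", "Unsatisfied Stay"],
    }),
]

# Constructed sample events (not real telemetry); Sysmon-style field names
SAMPLE_EVENTS = [
    {"source": "process_creation",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"source": "process_creation",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"source": "registry_set",
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "powershell.exe -nop -w hidden -File C:\\Users\\Public\\update.ps1"},
    {"source": "registry_set",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": "C:\\Program Files\\Vendor\\agent.exe"},
    {"source": "exchange", "Subject": "URGENT: Guest Complaint - Room 412"},
    {"source": "exchange", "Subject": "Weekly occupancy report"},
]


def evaluate(events, rules=RULES):
    """Return (rule title, level, event index) for every matching rule/event pair."""
    hits = []
    for idx, event in enumerate(events):
        for rule in rules:
            if rule_matches(rule, event):
                hits.append((rule.title, rule.level, idx))
    return hits


if __name__ == "__main__":
    for title, level, idx in evaluate(SAMPLE_EVENTS):
        print(f"[{level.upper()}] event {idx}: {title}")
```

Only events 0, 2 and 4 fire; the explorer-spawned cmd.exe, the vendor agent's Run value and the occupancy report are left alone, which is the behaviour the `falsepositives` notes on each rule describe.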

KQL (Microsoft Sentinel)

// Hunt for suspicious process creation patterns associated with phishing documents
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| where FileName in~ ("powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc


// Network beaconing detection for TonRAT C2: many connections to one remote,
// spread over more than 10 minutes of the last 30 (a single burst scores Low).
// max()/min() are aggregates, so the time span is computed in summarize, not extend.
DeviceNetworkEvents
| where Timestamp >= ago(30m)
| where RemotePort in (80, 443, 8080)
| summarize Count = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by DeviceName, RemoteUrl, RemoteIP
| where Count > 50 // high-frequency connections indicative of beaconing
| extend BeaconingScore = iff(LastSeen - FirstSeen > 10m, "High", "Low")
| where BeaconingScore == "High"
| order by Count desc
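
The KQL beaconing hunt scores on connection count and time span alone, so a busy but legitimate site (a CDN, a booking engine) can clear the threshold. The Python below is an added example for this page, not the page's query and not Microsoft tooling: it keeps the same thresholds (more than 50 connections to one remote inside a 30-minute window, spanning more than 10 minutes) and adds the regularity check an analyst would apply next, the coefficient of variation of the inter-arrival gaps, which is low for a periodic beacon and high for human browsing. The log line format, device names, addresses and generated timestamps are all constructed.

```python
"""Beaconing scorer over constructed endpoint network events.
Added example for this page, not the page's KQL and not Microsoft tooling."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def generate_sample_lines():
    """Constructed telemetry (not real logs): FRONTDESK-02 connects to one remote
    every 30 s with a repeating -2..+2 s jitter; FRONTDESK-03 browses in bursts."""
    base = datetime(2026, 6, 1, 9, 0, 0)
    lines = []
    for i in range(60):                          # 60 periodic connections
        jitter = (i % 5) - 2
        ts = base + timedelta(seconds=30 * i + jitter)
        lines.append(f"{ts.isoformat()} FRONTDESK-02 203.0.113.10 443")
    bursts = [0, 1, 1, 2, 2, 2, 3, 120, 121, 121, 122, 400, 401, 402, 403, 404, 405, 406,
              900, 901, 902, 903, 1100, 1101, 1102, 1103, 1104, 1105, 1106, 1107, 1108,
              1300, 1301, 1302, 1303, 1304, 1305, 1306, 1307, 1308, 1309, 1310, 1311, 1312,
              1500, 1501, 1502, 1503, 1504, 1505, 1506, 1507, 1508, 1509, 1510]
    for offset in bursts:                        # 55 bursty connections
        ts = base + timedelta(seconds=offset)
        lines.append(f"{ts.isoformat()} FRONTDESK-03 198.51.100.7 443")
    return lines


def parse_line(line):
    """Constructed line format: '<ISO timestamp> <device> <remote IP> <remote port>'."""
    ts, device, remote_ip, port = line.split()
    return datetime.fromisoformat(ts), device, remote_ip, int(port)


def score_beaconing(lines, window=timedelta(minutes=30), min_count=50,
                    min_span=timedelta(minutes=10), max_cv=0.2, ports=(80, 443, 8080)):
    """Group connections by (device, remote IP) inside the trailing window and score
    a group High when it has more than min_count connections, spans more than
    min_span, and its inter-arrival gaps are regular (coefficient of variation < max_cv)."""
    events = [parse_line(line) for line in lines]
    if not events:
        return {}
    cutoff = max(ev[0] for ev in events) - window
    groups = defaultdict(list)
    for ts, device, remote_ip, port in events:
        if ts >= cutoff and port in ports:
            groups[(device, remote_ip)].append(ts)
    results = {}
    for key, times in groups.items():
        times.sort()
        span = times[-1] - times[0]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps) if gaps else 0.0
        # Regular beacons have a small spread relative to the mean gap
        cv = pstdev(gaps) / avg if len(gaps) > 1 and avg > 0 else float("inf")
        is_high = len(times) > min_count and span > min_span and cv < max_cv
        results[key] = {"count": len(times), "span_s": span.total_seconds(),
                        "cv": round(cv, 3), "score": "High" if is_high else "Low"}
    return results


if __name__ == "__main__":
    for (device, remote_ip), r in score_beaconing(generate_sample_lines()).items():
        print(f"{device} -> {remote_ip}: count={r['count']} span={r['span_s']:.0f}s "
              f"cv={r['cv']} score={r['score']}")
```

Both sample hosts exceed the count and span thresholds, so the KQL alone would flag both; only the periodic host has a coefficient of variation below 0.2. Jittered beacons raise the value, so tune `max_cv` against a week of known-good traffic before relying on it.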

Velociraptor VQL

-- Hunt for TonRAT-style execution: shells carrying encoded or inline commands.
-- AND binds tighter than OR in VQL, so each group must be parenthesised;
-- pslist() exposes the parent as Ppid.
SELECT Pid, Ppid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE (Name =~ "cmd.exe" OR Name =~ "powershell.exe")
  AND (CommandLine =~ "-Enc" OR CommandLine =~ "Invoke-Expression")

-- Hunt for established connections to non-standard remote ports
-- (netstat() exposes Status and the Laddr/Raddr structs with IP and Port)
SELECT Pid, Status, Laddr.IP AS LocalIP, Raddr.IP AS RemoteIP, Raddr.Port AS RemotePort
FROM netstat()
WHERE Status =~ "ESTAB" AND Raddr.Port > 1024

Remediation Script (PowerShell)

# Audit and Remediation Script for Hospitality Endpoints
# Requires Administrative Privileges (HKLM keys); the remediation line is commented out

Write-Host "[+] Starting Host Audit for TonRAT Indicators..."

# 1. Check for Suspicious Persistence in Registry Run Keys
$suspiciousPaths = @("C:\Windows\Temp\", "C:\Users\Public\", "AppData\Local\Temp")
$runKeys = @("HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
             "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
             "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
             "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce")

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.Property) {
        $value = [string]$item.GetValue($name)
        # Flag any Run value whose command line references a user-writable staging directory
        $hit = $suspiciousPaths | Where-Object { $value -like "*$_*" }
        if ($hit) {
            Write-Host "[!] Suspicious Persistence Found in ${key}: $name = $value" -ForegroundColor Red
            # Remove-ItemProperty -Path $key -Name $name -Force   # Uncomment to remediate
        }
    }
}

# 2. Check that the "Block macros from running in Office files from the Internet" policy
#    is applied. The GPO writes blockcontentexecutionfrominternet = 1 per application
#    under the Policies hive; Office 16.0 is assumed, adjust the version for other builds.
Write-Host "[+] Checking Macro Security Settings..."
foreach ($app in @("Word", "Excel", "PowerPoint")) {
    $policyPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $blockSetting = (Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    if ($blockSetting -ne 1) {
        Write-Host "[!] Warning: $app is not policy-blocked from running macros in files from the Internet." -ForegroundColor Yellow
    }
}

Write-Host "[+] Audit Complete. Please review findings."

Remediation

  1. Immediate Isolation: Identify and isolate devices with suspicious process execution patterns (Office spawning PowerShell) immediately from the network to prevent lateral movement to Property Management Systems (PMS).
  2. Email Transport Rules: Implement strict mail flow rules to quarantine emails containing subject lines with keywords like "Guest Complaint," "Service Issue," or "Billing Discrepancy" originating from external domains that are not in the organization's allow-list.
  3. User Awareness: Conduct immediate, targeted security awareness training for front desk and reservation staff. Emphasize verifying guest complaints via the PMS directly rather than clicking email links.
  4. Macro Hardening: Enforce Group Policy Objects (GPO) to disable macros from the internet and digitally sign macros. This disrupts the most common initial execution vector for TonRAT.
  5. Network Segmentation: Ensure that front-desk and back-office workstations are segmented from critical PMS and payment card processing networks. Limit outbound internet access for systems that do not require it.
