/

July 10, 2026

The ‘Guest Complaint’ Email That Hands Hackers the Front Desk

Microsoft just issued a warning about a phishing campaign that should worry anyone who runs a business with a customer-facing inbox — which is to say, nearly everyone. Since April, attackers have been targeting hotels across Europe and Asia with emails that look exactly like the messages hospitality staff live on: guest complaints, booking inquiries, review disputes, even health-inspection notices. Attached to the story is always the same hook — “photos” of the problem. And opening those photos is how the attackers take up residence inside the business.

The campaign is aimed at hotels today. But the trick underneath it works on any business that answers customer email, and it defeats two things owners tend to rely on: their spam filters and their most conscientious employees. Here is how it works, in plain English, and the habit that stops it.

The trap, step by step

  • An alarming message arrives. “A guest found bedbugs.” “A complaint has been filed.” “A health inspection is pending.” It lands in the exact inbox whose entire job is to respond to exactly this.
  • It looks completely legitimate. The messages are routed through real, trusted scheduling and link services — so they arrive from genuinely authorized infrastructure and sail past the standard checks email systems use to spot fakes.
  • The “evidence” is the payload. The email points to a downloadable file of photos supporting the complaint. Inside the photo bundle is a file merely disguised as an image.
  • One double-click, and they’re in. Opening the fake image quietly kicks off an installation that gives attackers a persistent foothold on the machine — one built to survive restarts, adjust the computer’s own defenses, and await instructions.

The twist that makes this campaign special: these emails pass the authenticity checks. By routing messages through real, trusted services, the attackers make them technically indistinguishable from legitimate notifications — Microsoft calls it “authentication laundering.” The green checkmarks confirm the sender was allowed to send. They say nothing about whether the message is safe.

Why it beats good employees

Look at the lure themes and notice what they all have in common: every one applies pressure that a service business cannot ignore.

The lure says…The pressure it applies
“A guest filed a complaint”Reputation — respond fast or the review goes public
“Bedbugs in room 214, photos attached”Urgency plus dread — this cannot wait until tomorrow
“Health inspection scheduled — final notice”Authority — ignoring an inspector is not an option
“Question about my upcoming booking”Routine — answering these is literally the job

This is the same cruel judo we keep seeing in the best modern scams: the attack does not exploit laziness or carelessness. It exploits diligence. The employee who opens that attachment fastest is your best employee — the one who takes complaints seriously and would never leave a guest issue sitting overnight. The attackers know that, which is why they aimed the campaign at front desks and reservation inboxes rather than at IT departments.

Not running a hotel? This is still about you

Swap the costume and the play works anywhere. A restaurant gets “photos” of the meal that made someone sick. A contractor gets “photos” of the damage a crew supposedly caused. A retailer gets “pictures” of the defective product, an accountant gets the “documents” for a dispute, a landlord gets “evidence” from an angry tenant. Any business with an inbox that customers can reach has an employee whose job is to open exactly this kind of message — and that employee is the target. Today’s campaign happens to wear a hotel costume. The wardrobe changes; the trick does not.

The habit that stops it

The rule to teach your team: a complaint can be real while its attachment is not. Take every complaint seriously — and verify it through your own records first. Does this guest exist in the system? Is there a booking? Does the review appear on the actual platform? A real complaint survives that check every time. And a surprise downloadable file of “photos” from someone you cannot match to a real customer is not evidence to open — it is the entire attack, and the right response is to stop, not click, and ask someone who knows.

Notice what that rule does not require: no technical skill, no software, no memorizing file types. It requires only a trained pause between the alarming message and the double-click — in the exact moment the attacker is counting on urgency to win. That pause is what our focused security training builds, using the real lures your team faces in your industry, in plain language, for the people who actually answer your customers. The attackers studied how your front line works. The least you can do is make sure your front line has studied them back.

Sources: Microsoft Threat Intelligence; The Hacker News; SC Media; TechRadar, June 2026.

From the same category