Simply Cyber Newsletter #189

Crush Your Week Like a Cyber Pro with Simply Cyber!

In partnership with

Start your work week off at full speed with expert analysis and actionable intel from top cybersecurity news stories. Share with your End Users, Peers, and Executives to support weekly security awareness with the Simply Cyber Newsletter.

FOR END USERS

HOSPITALITY SECTOR HIT BY PHISHING CAMPAIGN USING FAKE GUEST COMPLAINT EMAILS. Microsoft uncovered an ongoing phishing campaign targeting hospitality organizations that abuses Calendly notifications and Google redirects to deliver TonRAT malware. The delivery path passes SPF, DKIM, and DMARC checks, while the malware uses evolving PowerShell obfuscation, installs a user-space Node.js runtime, and maintains persistence through multiple registry mechanisms that can survive partial remediation. Microsoft has not confirmed the attackers’ ultimate objective or identified affected organizations.

What you need to know: Here’s a scenario worth walking your end users through this week:

A message arrives through a service they recognize. It isn’t asking them to log in or reset a password. Instead, it claims a guest has filed an urgent complaint that needs immediate attention. That’s exactly the kind of moment this campaign was designed to exploit.

Microsoft uncovered a campaign where attackers abused a legitimate notification service to deliver phishing messages to hospitality organizations. The emails created a sense of urgency with complaints about bedbugs, health inspections, poor reviews, and account suspensions, hoping recipients would quickly follow a link and open a downloaded file without stopping to question the request. The lesson isn’t to distrust every familiar platform but to remember that a trusted service can still deliver an attacker-controlled message. When an unexpected email pressures someone to act immediately, especially if it involves complaints, financial consequences, or threats to the business, that is the moment to slow down. Before following a link or opening a downloaded file, verify the request through another trusted communication channel. If something doesn’t seem right, report it so your security team can review it before anyone acts.

Remind employees that a trusted service does not automatically make every message trustworthy. Pause, verify, then act.

FOR PEERS

HOSPITALITY SECTOR HIT BY PHISHING CAMPAIGN USING FAKE GUEST COMPLAINT EMAILS. Microsoft uncovered an ongoing phishing campaign targeting hospitality organizations that abuses Calendly notifications and Google redirects to deliver TonRAT malware. The delivery path passes SPF, DKIM, and DMARC checks, while the malware uses evolving PowerShell obfuscation, installs a user-space Node.js runtime, and maintains persistence through multiple registry mechanisms that can survive partial remediation. Microsoft has not confirmed the attackers’ ultimate objective or identified affected organizations.

What you need to know: This one belongs in your next email security and detection engineering conversation. The phishing email wasn’t the most important part of this campaign. The attackers abused trusted services, evolved their tradecraft over time, and built persistence designed to survive partial remediation.

Microsoft’s analysis shows attackers using a legitimate notification service to deliver phishing emails that passed SPF, DKIM, and DMARC checks before sending victims through multiple redirects to malicious infrastructure. Once executed, the TonRAT malware established layered persistence by installing a user-space Node.js runtime and using coordinated HKCU\Run and HKCU\RunOnce registry entries, allowing the infection to recover even after parts of it were removed. This campaign is a good opportunity to review assumptions around trusted SaaS notifications, redirect-chain inspection, and user-space runtime execution. It is also worth asking whether your detections would identify Node.js running from user profile paths, repeated recreation of RunOnce registry keys, or front-office systems downloading developer runtimes that should never exist on those devices.

Ask your email, endpoint, and detection teams whether trusted notification workflows, user-space Node.js execution, and layered persistence techniques are covered by your current detections and response playbooks.

FOR EXECUTIVES

DHS to unveil replacement council for critical infrastructure cybersecurity. The Department of Homeland Security is replacing the former Critical Infrastructure Partnership Advisory Council (CIPAC) with the Alliance of National Councils for Homeland Operational Resilience Critical Infrastructure (ANCHOR-CI). Managed by CISA, the new program restores formal cyber information sharing between government and critical infrastructure organizations while giving CISA greater authority over council membership. Some meetings will also be exempt from federal public transparency requirements.

What you need to know: If cybersecurity governance reaches your executive team, this is worth knowing.

The restoration of a formal government-industry coordination body signals a renewed federal focus on sharing cyber threat information with critical infrastructure organizations. While ANCHOR-CI largely restores the role previously served by CIPAC, it also changes how that partnership will operate. CISA will have greater authority over council membership and direction, and some meetings will be exempt from federal public transparency requirements because of the sensitive nature of the discussions. Several implementation details, including how representatives will be selected and how participation will be governed, have not yet been finalized.

What matters is that the government’s primary mechanism for coordinating cyber risk with critical infrastructure is returning, but under a different governance structure. That change will shape how threat intelligence, operational resilience, and cross-sector collaboration are discussed between government and industry going forward.

Remember this change the next time government partnerships, sector collaboration, or cyber resilience are discussed. The council’s name isn’t the important part, the governance model is.

200+ Claude Prompts Top Professionals Actually Use at Work

Claude can be your analyst, editor, and strategist.
But most professionals are using it to fix grammar.

These 200+ Claude prompts take it from grammar tool to your most powerful AI work assistant.

Sign up for Superhuman AI and get:

  • 200+ ready-to-use Claude prompts to get real work done in minutes — researched, tested, and used by professionals at Google, Microsoft, and NASA

  • Superhuman AI newsletter (4 min daily) so you keep learning new AI tools and skills to stay ahead in your career — the prompts are just the beginning

JOIN US EVERY WEEKDAY DAILY CYBER THREAT BRIEF

Gerald Auger, Ph.D. livestreams the Daily Cyber Threat Brief on Simply Cyber every weekday at 8:00 AM EDT: https://cyberthreatbrief.simplycyber.io

Join the party with cybersecurity enthusiasts and professionals alike who enjoy learning about the latest in cybersecurity news and staying connected.

SIMPLY CYBER FIRESIDES

Every cybersecurity practitioner has heard the warning that AI is about to replace them. Adrian Sanabria has spent nearly two decades studying this industry, and he's not buying it.

Adrian's current research at The Defenders Initiative asks why security defenses keep failing even as budgets and tooling grow, and that same mindset shapes how he thinks about AI's real impact on security jobs. He's moved through nearly every seat in the industry, from practitioner to consultant to industry analyst to founder, and that range gives him a wider view than most on where AI actually changes the work and where it doesn't.

As host of Enterprise Security Weekly and faculty at IANS, he spends a lot of time talking with practitioners about exactly this kind of question, and as founder of BSides Knoxville and Security Weekly Labs, he's spent years building spaces where the community works through these debates together.

Join the livestream and bring your own questions about AI and the future of security work directly to Adrian.

Register now to join us this Thursday at 4:30 PM EDT: https://luma.com/is4xxo8a 

SC MEDIA GROUP WEEKLY EVENTS SCHEDULE

Learning and networking happening every day of the work week on Simply Cyber:

SIMPLY CYBER MONTHLY EVENTS LINEUP

Want to know what’s happening at Simply Cyber at any given time?

Head over to the SC Monthly Events Calendar to register for new and upcoming events for the month - don’t forget to subscribe! lu.ma/simplycyber 

SC ACADEMY THE PLACE FOR CYBER CAREERS

At Simply Cyber Academy, we specialize in making GRC and Cybersecurity Careers a reality. Empower your career by learning real in-demand skills from cyber experts and the theory behind those skills with Simply Cyber Academy.

The popular GRC Analyst Master Class is a must for kickstarting your GRC Cybersecurity career. In addition, we have new courses covering various areas of focus in cyber available to help you advance in your career.

Check out the NEW FREE courses available in the academy!

SIMPLY CYBER ACADEMY BLOG HIGHLIGHT

Check out the highlighted blog on Simply Cyber Academy:  

LET’S CONNECT

Stay current on trending topics, tips, events and resources in cybersecurity, connect with Simply Cyber on socials for new content.

As always, please send me feedback. Which tip above is your favorite? What do you want more or less of? Other suggestions? Please let me know. Just send a DM on X with #actionableintel in the subject so I can find it.

Join us on the Daily Cyber Threat Brief happening every weekday morning at 8 AM Eastern on YouTube and LinkedIn.

Find more about what’s happening this week in the Simply Cyber community, below. Join us on the Daily Cyber Threat Brief happening every weekday morning at 8 AM Eastern on YouTube and LinkedIn.

Thank you and see you again next week, #TeamSC!

Gerry