Hospitality-Focused Phishing Campaign Impersonates Expedia and Cloudbeds

8 September 2025

By Samantha Clarke, Ankit Gupta and Mimecast Threat Research Team

Campaign Overview

Samantha Clarke, Ankit Gupta and Mimecast Threat Research Team have identified an active phishing campaign specifically targeting hospitality industry professionals through fraudulent emails impersonating Expedia Partner Central and Cloudbeds platforms. This credential harvesting operation leverages the routine nature of hotel booking communications to deceive recipients into surrendering their login credentials.

The campaign employs urgent, business-critical subject lines designed to prompt immediate action from hotel managers and staff. Common lures include commission tracking alerts, system updates, guest booking confirmations, and partner central notifications. These subjects exploit the time-sensitive nature of hospitality operations, where delayed responses to guest bookings or system alerts can directly impact business revenue.

The threat actors demonstrate sophisticated understanding of hospitality workflows by crafting emails that reference specific platform features like "Partner Central," "commission tracking," and "guest messages." The emails direct recipients to fraudulent login pages that closely mimic legitimate Expedia and Cloudbeds interfaces, designed to capture usernames, passwords, and potentially multi-factor authentication tokens.

 

All identified malicious infrastructure utilizes Vercel's application hosting platform, suggesting the attackers are leveraging this service's ease of deployment and legitimate appearance to host their credential harvesting sites. The consistent use of hospitality-themed domain names and subdomains indicates a targeted, industry-specific campaign rather than opportunistic broad-spectrum phishing.

Mimecast Protection

Mimecast has implemented detection capabilities to identify and block emails associated with this hospitality-focused campaign. Our URL Protect service actively blocks access to the identified malicious domains, while our anti-phishing engines detect the campaign's email patterns and subject line characteristics.

We continue to monitor for new domains and tactics employed by this threat actor, updating our detection capabilities as the campaign evolves.

Targets

Primary Targets: Hospitality industry professionals, including hotel managers, reservation staff, and property owners using Expedia Partner Central and Cloudbeds platforms

Geographic Focus: Global, with emphasis on regions with high hotel booking activity

Industries: Hospitality

Indicators of Compromise (IOCs)

Malicious Domains:

• Cloudbeds-themed domains:
• cloudbeds-extranet-verification[.]vercel[.]app
• console-dashboard-vv[.]vercel[.]app
• hotel-cloudbeds-app[.]vercel[.]app
• reservation-system-cloudbeds[.]vercel[.]app
• dashboard-cloudbeds-sign[.]vercel[.]app
• view-dashboard-lodge[.]vercel[.]app
• pms-cloud-beds[.]vercel[.]app
• siginin-dashboard-app[.]vercel[.]app
• cloudbeds-app[.]vercel[.]app
• cloudbeds-reservatiob-signin[.]vercel[.]app
• cloudbeds-verification-manager[.]vercel[.]app
• cloudbeds-verification[.]vercel[.]app
• cloudbeds-service-page[.]vercel[.]app
• signin-cloudbeds-dashboard[.]vercel[.]app
• cloudbeds-welcome-message[.]vercel[.]app
• app-cloudbeds-online[.]vercel[.]app
• cloudbeds-reservetion-dashboard[.]vercel[.]app
• extranet-cloudbeds-okto[.]vercel[.]app

Expedia-themed domains:

• expedia-group-reservation-view[.]vercel[.]app
• hotel-reservation-expedia[.]vercel[.]app
• partner-central-okta[.]vercel[.]app
• preferences-dashboard[.]vercel[.]app
• expedia-new-signin[.]vercel[.]app
• expedia-partner-cental-reservation[.]vercel[.]app
• extranet-expedia-group-central[.]vercel[.]app
• expedia-group[.]vercel[.]app
• expedia-customer-reservetion[.]vercel[.]app
• expedia-proccess-signin[.]vercel[.]app
• expedia-lodge-dashboard[.]vercel[.]app
• expedia-central-approve[.]vercel[.]app
• partner-expedia-pro[.]vercel[.]app
• expedia-group-service[.]vercel[.]app
• access-expedia-verification[.]vercel[.]app
• expedia-payment-verification[.]vercel[.]app
• expedia-payment-validation[.]vercel[.]app
• expedia-service-app[.]vercel[.]app
• expedia-customer-application[.]vercel[.]app
• v0-reservation-expedia-partner[.]vercel[.]app

Common Subject Lines:

• Re: NC 20241 - Confirm Now: Track Commissions Properly
• Re: Important System Alert – Ref #8864560
• Re: New guest message – Ref: 3779748
• Re: Booking ref XP-2232111 pending
• Re: Partner system update — record 3284891
• Fwd: Message Waiting in Partner Central
• Re: Guest Booking Received via Cloudbeds
• Fwd: Cloudbeds Notification – Premium Double Reserved

Recommendations

User Awareness Training

• Educate hospitality staff on identifying fraudulent booking and commission-related emails
• Conduct targeted phishing simulations using hospitality-themed scenarios
• Train employees to verify urgent system alerts through official platform channels before clicking links

Security Policy Implementation

• Implement multi-factor authentication for all hotel management platform accounts (where possible)
• Establish verification procedures for system alerts received via email
• Create policies requiring staff to access Expedia and Cloudbeds platforms directly through bookmarked URLs rather than email links

Proactive Threat Hunting

• Review URL logs for attempts to access Vercel-hosted domains with hospitality keywords
• Review email logs for messages containing the identified subject line patterns
• Review authentication attempts to hospitality platforms from unusual geographic locations