2 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)
Initial Access TA0001
T1078.004Valid Accounts: Cloud Accounts×1
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.
NCSC Switzerland's Week 22 report documents a surge in fraudulent WhatsApp messages abusing real booking data leaked in the April 2026 Booking.com compromise (dates, hotel names, guest names) (NCSC-CH, 2026-06-02). Variant 1 sends a fake refund lure on WhatsApp that redirects to pages spoofing TWINT and Swiss bank portals to harvest card data (T1566.002). Variant 2 is the more dangerous: attackers use compromised hotel booking-system credentials (T1078.004) to message guests through the legitimate booking channel, demanding urgent card re-verification — the message carries the trust of the real platform, defeating the usual "is this sender legitimate?" check. NCSC frames the targets as Swiss hotel-booking customers generally; for a federal SOC, staff who book travel through these platforms fall in the same exposed population (analyst inference).
Why it matters to us: the account-takeover variant breaks user-awareness controls because the lure originates from a trusted booking system, not a spoofed sender — detection has to move to anomalous outbound messaging from booking-platform accounts and to card-data entry on TWINT/bank look-alike domains.
incident04 Jun 05:00Zsingle-source · national CERTOpen finding ↗
NCSC-CH's Week 22 report (4 June; daily 2026-06-04) documents two phishing variants exploiting real booking data leaked in the April 2026 Booking.com compromise: Variant 1 — fake WhatsApp refund lure → TWINT/Swiss-bank-portal credential harvest; Variant 2 — attackers using compromised hotel booking-system credentials to message guests through the legitimate booking channel, demanding urgent card re-verification. Variant 2 breaks user-awareness controls because the message originates from a trusted platform (NCSC-CH). In the same window, a separate upstream booking/channel-management SaaS layer breach exposed guest reservation records (names, contacts, arrival/departure dates) for guests at more than 100 Dutch, Belgian and Irish hotels; criminals are already sending contextually accurate "confirm your reservation" phishing referencing real upcoming stays (DutchNews.nl). The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has opened a GDPR investigation; Art. 33/34 notification clocks are running for each hotel as an independent controller.