Hospitality-partner Extranet credential phishing — targets hotel / B&B / vacation-rental staff with Booking.com / Agoda / Expedia / Hotels.com / Airbnb / VRBO Partner Portal impersonation. Urgency hook tailored to the industry: "pending guest message awaiting your reply," "rate parity breach," "reservation dispute," "verify your property," "listing suspension" + a credential-harvesting login link on a non-booking.com / non-partner-central host. Force-multiplier attack: harvested Extranet creds let the attacker log in as the hotel and message guests FROM the real aggregator infrastructure with fake "update your payment method" instructions — each compromised hotel compromises its guests too. Evidence: Sekoia + Secureworks + Akamai + Google Threat Intelligence + Trustwave + Proofpoint 2024-2026 Vampire Bat / Smart Bat campaign coverage; Reuters 2024 hotel-industry reporting

Hospitality-partner credential phishing that targets the staff behind every hotel, B&B, and vacation-rental listing on Booking.com / Agoda / Expedia / Hotels.com / Airbnb / VRBO / Trivago / HRS. The attacker impersonates the partner Extranet (Booking.com), Partner Central (Expedia), Partner Hub, property-manager portal, or host dashboard with a hospitality-industry-specific urgency hook — "pending guest message awaiting your reply," "unread guest message," "rate parity violation," "reservation dispute," "listing suspension," "verify your property," "action required on your extranet" — paired with a credential-harvesting login link on a typosquat host (booking-extranet-login.example, partner-portal-booking.example, booking-com-extranet.example) that is NOT at admin.booking.com / partner.booking.com / booking-partner.com / expediapartnercentral.com / etc. The real danger is the force-multiplier effect documented in the Sekoia (July 2024) + Secureworks + Akamai (October 2024) + Google Threat Intelligence (April 2024) + Trustwave + Proofpoint 2024-2026 Vampire Bat / Smart Bat campaign tracking: once the attacker harvests Extranet credentials, they log in as the hotel and use the real Booking.com messaging integration to send fake "your card was declined, please update your payment method" instructions to the hotel's guests — who then receive a scam email from the genuine Booking.com infrastructure with their real reservation details. Each compromised hotel becomes a springboard for dozens of downstream guest scams. Reuters covered the industry-wide impact in 2024. Distinct from generic credential phishing because it weaponizes the specific partner-portal + messaging architecture of hotel-aggregator platforms. Warning signs: any Booking.com / Agoda / Expedia partner email pressuring immediate Extranet login where the sign-in link is hosted anywhere other than `admin.booking.com` / `partner.booking.com` / `booking-partner.com` / `expediapartnercentral.com`. Go directly to the real Extranet via a bookmarked URL instead of clicking.