Callback Phishing Campaign Clears DKIM and DMARC by Routing Lures Through Airbnb’s Servers

A targeted campaign hid callback phishing lures inside genuine Airbnb emails, defeating authentication checks with no link to click or file to open.

Published on Jun 2, 2026

A new phishing campaign smuggled tech-support scam lures into corporate inboxes by hiding them inside genuine Airbnb notification emails. The messages slipped past commercial email-security stacks that scored each one as clean, according to research published on June 1 by Ocean Security.

From a technical standpoint, the emails were real. They carried a valid DKIM signature from email.airbnb.com, passed DMARC against Airbnb’s strict reject policy, and came from Airbnb’s own transactional infrastructure. There was no URL to click and no attachment to detonate. The only attacker-controlled text was a single line rendered into a legitimate Airbnb template.

The attack exploited Airbnb’s listing name field. An attacker created a free Airbnb host account and set the property-name field to the phishing pretext, a fake payment confirmation with a callback number.

Because Airbnb’s notification system treated that field as trusted inventory data and rendered it directly into the message body without validation, the platform itself generated and signed the malicious message.

A Dedicated Relay Built for Each Victim

Rather than blasting one message to many targets, the operator built a separate delivery rail for every enterprise victim.

Each victim’s Airbnb account used a disposable iCloud address as its contact email; inside iCloud, a server-side mail rule auto-forwarded every notification to a dedicated GMX account, which re-emitted it to the target through GMX’s high-reputation servers. One iCloud and one GMX account per victim, with no reuse.

Because both iCloud and GMX performed plain, body-preserving forwards, Airbnb’s original signature stayed valid through every hop.

By the time a message reached a corporate gateway, every authentication check passed cleanly, and Airbnb’s reject policy was toothless because nothing was actually being spoofed.

Why Authentication Misses It

The campaign exposed a blind spot in authentication-based defense. SPF, DKIM, and DMARC confirm a message came from where it claims and was not altered in transit.

They say nothing about whether a trusted sender’s own templates have been weaponized to carry a payload, and threat-intelligence lookups returned nothing because every component of the chain was fresh and legitimate.

For defenders, passing authentication is not the same as being safe. Detection must extend to content and behavior, flagging the hallmarks of callback phishing such as an unsolicited payment confirmation paired with a phone number, however clean the sender’s credentials look.

The one element reused across every victim was the callback number, making it the campaign’s most useful detection anchor.
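The content-and-behavior check described above, as an added illustration that is not part of the original article or of Ocean Security's research: it parses a constructed Airbnb-style notification (hypothetical headers and listing text), records the DKIM/DMARC outcome as context only, and flags the callback-phishing hallmarks named here, a payment pretext paired with a phone number and a match against a defender-maintained list of known callback numbers.

```python
import re
from email import message_from_string

# Constructed sample (hypothetical headers, not a message from the campaign):
# passes DKIM/DMARC, carries a payment pretext plus a phone number in the listing name.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.com; dkim=pass header.d=email.airbnb.com; dmarc=pass
From: Airbnb <automated@email.airbnb.com>
Subject: Reservation update

Your reservation for "PAYMENT CONFIRMED $499.00 - call 1-800-555-0199 to cancel" is confirmed.
"""
CLEAN_EMAIL = """\
Authentication-Results: mx.example.com; dkim=pass header.d=email.airbnb.com; dmarc=pass
From: Airbnb <automated@email.airbnb.com>
Subject: Reservation update

Your reservation for "Seaside Cottage" is confirmed for June 10.
"""
# Hallmarks the article names: a payment/charge pretext paired with a number to call.
PAYMENT_WORDS = re.compile(r"\b(payment|charged?|invoice|subscription|renewal|refund)\b", re.I)
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

def normalize_phone(raw: str) -> str:
    """Keep the last 10 digits so formatting variants of one number compare equal."""
    return re.sub(r"\D", "", raw)[-10:]

def auth_passed(msg) -> bool:
    results = msg.get("Authentication-Results", "")
    return "dkim=pass" in results and "dmarc=pass" in results

def text_body(msg) -> str:
    """Concatenate all text/plain parts (handles both single-part and multipart mail)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in parts if p.get_content_type() == "text/plain")

def score_callback_phish(raw_email: str, known_numbers: frozenset = frozenset()) -> dict:
    """Flag callback-phishing hallmarks regardless of the authentication outcome."""
    msg = message_from_string(raw_email)
    text = msg.get("Subject", "") + "\n" + text_body(msg)
    phones = {normalize_phone(m) for m in PHONE.findall(text)}
    reasons = []
    if phones and PAYMENT_WORDS.search(text):
        reasons.append("payment pretext paired with a phone number")
    hits = phones & known_numbers
    if hits:
        reasons.append("known callback number: " + ", ".join(sorted(hits)))
    # Authentication is recorded as context only; a pass never clears the message.
    return {"auth_passed": auth_passed(msg), "phones": sorted(phones),
            "flag": bool(reasons), "reasons": reasons}
```

The known-number set is the reusable anchor the article points to; in practice it would be fed from incident tickets rather than hard-coded.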