
New attack techniques targeting Mews Customers: How to stay secure

  • January 29, 2026
  • 4 replies
  • 619 views
roger.ribas
Mews Employee

Dear Customer,

Last month, we published a Mews Community post to inform customers about a phishing campaign targeting hospitality providers, including some Mews customers, which began in early November 2025. While mitigation efforts continue at Mews as well as across the industry, this campaign is still active.

This follow-up post provides an update on how the campaign has evolved and outlines what you can do to continue protecting your business and your guests.

If you have questions, concerns, or believe your property may have been affected, please contact Mews Customer Support via the Mews Digital Assistant (How to submit a support ticket in Mews Operations) or our critical support phone line (Contact Mews | Get in touch with us).

For customers with dedicated technical or security teams, we have included an optional appendix containing indicators of compromise (IOCs). These can help you identify and block potentially malicious activity within your own environment.

Please be assured that the Mews Product Security team continues to actively monitor this threat and take appropriate measures to protect the Mews platform, our customers, and their guests.


What’s changed since our previous update

In the previous post we described a phishing campaign that relied primarily on cloned Mews login pages promoted through sponsored search results. While that attack vector is still observed, we have since identified a notable shift in attacker behaviour.

Over the past several weeks, attackers have moved to a more direct approach by contacting Mews customers via email.


How the phishing campaign currently works

Previously, attackers cloned the legitimate Mews login portal and used paid advertisements to redirect users to these fake pages. Victims who entered their credentials and one-time authentication codes unknowingly provided attackers with full account access.
(See Recent Phishing Campaign Targeting Mews Customers – Part I for background.)

We are now seeing attackers send phishing emails directly to Mews customers. While the messages vary in wording, they consistently attempt to create urgency, often claiming that the recipient’s account will be restricted unless immediate action is taken.

These emails contain links that redirect users to a fraudulent login page designed to closely mimic the legitimate Mews login experience. Credentials entered on these pages are captured and used for account takeover.

Phishing email received by a Mews customer.

Malicious senders and URLs

A third-party Brand Protection service continuously monitors and works to remove malicious domains impersonating Mews. These fake login portals are visually indistinguishable from the legitimate page; the URL is often the only observable difference.

For customers with technical or security teams, we have included a list of known malicious email senders and URLs in the appendix. Please note that new domains and senders may emerge over time; identified infrastructure is taken down as quickly as possible once detected.


MFA usage on affected accounts

All compromised accounts investigated so far were protected with authenticator-based multi-factor authentication (MFA).

While MFA significantly reduces risk, one-time authentication codes are not phish-resistant. Attackers can intercept these codes in real time using the techniques described in this post series.

To further strengthen account protection, Mews strongly recommends adopting phish-resistant authentication methods, such as:

  • Magic links (email-based authentication)

  • Passkeys

  • Single Sign-On (SSO)


How Mews is detecting and responding

The Mews Product Security team uses a layered security approach, including an advanced Security Information and Event Management (SIEM) platform with both static and machine-learning-driven detection logic. This enables the identification of suspicious behaviour across the platform.

In parallel, Mews is working closely with authorities, hosting providers, and other relevant parties to disrupt the infrastructure used by this threat group.


Scope of the campaign

This activity is not isolated to Mews. It is part of a broader, coordinated campaign targeting the hospitality sector. Organizations relying solely on authenticator-based MFA appear to be the most affected.

What you can do now to reduce risk

We strongly recommend the following actions:

  • Adopt phish-resistant MFA, such as magic links, passkeys, or SSO.

  • Bookmark the correct login URL (https://app.mews.com) and do not use search engines to access login pages.

  • Audit user accounts and remove unnecessary or excessive privileges.

  • Enable Trusted Devices in Hard Device Authorization mode.

  • Educate employees to recognize and report suspicious emails, advertisements, and websites.

Please note: the Mews Product Security team will never contact customers directly.

If you need assistance implementing these measures, contact Mews Customer Support via the Mews Digital Assistant.

 

Other potential attack vectors

At the time of publishing, we are not aware of additional attack vectors beyond those described in this post. However, if you believe you have encountered suspicious activity not covered here, please report it to Mews Customer Support so it can be investigated further.


Appendix: Indicators of Compromise (IOCs)

(Optional for customers with technical/security teams)

Use these to block or monitor suspicious activity where possible. Report any relevant findings to Mews Customer Support.

URLs

  • hxxps://calendly[.]com/url?q=https%3A%2F%2Ft.co%2FeY7L5QOtVD&user_uuid=4280b71e-70c1-40a5-a362-b31a424f16e5&stage=1&hmac=92561f4824cc6340c03b60bbc6c8b615588cf067b2efaf0d7d0c49270c1b5885

  • hxxps://t[.]co/eY7L5QOtVD

  • hxxps://mews-ams[.]github[.]io/link/

Domains

  • app[.]c1-mews[.]com

  • login-mews[.]com

  • app-mews[.]com

IP Addresses (IPv4)

  • 154[.]81[.]194[.]133 (Host Telecom Ltd, NL)

Email Addresses:

  • security[@]login-mews[.]com

  • security[@]app-mews[.]com

Email Subjects:

  • [Mews] Account Confirmation Required – Action Needed
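One way a security team could apply these indicators to mail or proxy data, as an added example that is not Mews code: it refangs the appendix values, flags hosts that carry the brand name outside mews.com, and unwraps destinations nested inside redirector links. Treating every host under mews.com as genuine is an assumption, and `redirect.example` and `mews-billing.example` are constructed sample values.

```python
from urllib.parse import urlsplit, parse_qsl

# Indicators copied from the appendix above, kept defanged in the source.
IOC_HOSTS = ["app[.]c1-mews[.]com", "login-mews[.]com", "app-mews[.]com", "154[.]81[.]194[.]133"]
IOC_URL_PREFIXES = ["hxxps://t[.]co/eY7L5QOtVD", "hxxps://mews-ams[.]github[.]io/link/"]
IOC_SENDERS = ["security[@]login-mews[.]com", "security[@]app-mews[.]com"]

def refang(s):
    return s.replace("hxxp", "http").replace("[.]", ".").replace("[@]", "@")
HOSTS = {refang(h) for h in IOC_HOSTS}
URL_PREFIXES = tuple(refang(u) for u in IOC_URL_PREFIXES)
SENDERS = {refang(a) for a in IOC_SENDERS}

def is_mews_host(host):
    # Assumption: every host under the registrable domain mews.com is genuine.
    return host == "mews.com" or host.endswith(".mews.com")

def host_verdict(host):
    if host in HOSTS:
        return "ioc"
    if "mews" in host and not is_mews_host(host):
        return "lookalike"  # brand name in a host that is not under mews.com
    return "ok"

def classify_url(url, depth=0):
    """'ioc', 'lookalike' or 'ok'; also follows URLs nested in query strings."""
    parts = urlsplit(url)
    verdict = host_verdict((parts.hostname or "").lower())
    if url.startswith(URL_PREFIXES):
        verdict = "ioc"
    if verdict == "ok" and depth < 3:
        # Redirector links carry the real destination as a query parameter.
        for _, value in parse_qsl(parts.query):
            if value.startswith(("http://", "https://")):
                verdict = classify_url(value, depth + 1)
                if verdict != "ok":
                    break
    return verdict

def classify_message(sender, urls):
    """Worst verdict across the sender address and every link in the message."""
    sender = sender.lower()
    verdicts = {classify_url(u) for u in urls}
    verdicts.add("ioc" if sender in SENDERS else host_verdict(sender.rpartition("@")[2]))
    return next((v for v in ("ioc", "lookalike") if v in verdicts), "ok")

# Constructed sample: lookalike sender, known link hidden behind a redirector.
SAMPLE = ("alerts@mews-billing.example", ["https://redirect.example/url?q=https%3A%2F%2Ft.co%2FeY7L5QOtVD"])
if __name__ == "__main__":
    print(classify_message(*SAMPLE))
```

The lookalike check is a heuristic and will also flag unrelated hosts that happen to contain "mews", so route those hits to review rather than blocking on them automatically.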

4 Replies

  • Apprentice
  • January 30, 2026

Hi Mews Community,

I can tell you from my own experience: TAKE THIS SERIOUSLY. We have been attacked, and it is clearly a nightmare!


Ivo
  • Helper
  • January 30, 2026

Hi Roger,

Thank you for sharing these insights. It’s really valuable to see how you follow up and keep the community informed on such important security matters; it helps all of us stay vigilant and take the right precautions. Please continue doing this, as updates like these are essential for keeping users informed and protected.


roger.ribas
Mews Employee
  • Author
  • January 30, 2026

> Hi Mews Community,
>
> I can tell you from my own experience: TAKE THIS SERIOUSLY. We have been attacked, and it is clearly a nightmare!

Thank you for the transparency. We are sorry to hear that your property was amongst those affected by this campaign. As per the post, please do reach out to our Customer Support team if needed; we are here to assist you and help your business stay secure.


roger.ribas
Mews Employee
  • Author
  • January 30, 2026

> Hi Roger,
>
> Thank you for sharing these insights. It’s really valuable to see how you follow up and keep the community informed on such important security matters; it helps all of us stay vigilant and take the right precautions. Please continue doing this, as updates like these are essential for keeping users informed and protected.

Thank you for the kind feedback. We are endeavoring to become more proactive and transparent with our communications concerning our security program. Please do not hesitate to reach out if there is anything we can assist you with.