Travel Policy Update Phishing Email Impersonating Corporate Operations

Employees who frequently travel received phishing emails on 11 April 2026 impersonating a travel policy update; the messages used the sender operations@travel-policydesk.com and linked to https://corp-travel-policy.com/review, which prompted corporate credential sign-in and captured submitted credentials. Compromised accounts were subsequently leveraged to send additional internal phishing messages, indicating internal propagation and active credential theft. Observed indicators include the sender, URL, theme, victim profile, and compromised account behavior.