Suspicious emails remain effective, but the danger they pose is being combated from all sides. The same cannot be said for contact forms, a loophole that the ZipLine campaign exploits.
Check Point Research discovered the campaign in question. Attackers pose as potential business partners of legitimate organizations. Instead of sending suspicious emails, they use contact forms to initially establish contact with targets.
This is followed by a carefully planned email conversation that takes about two weeks. Ultimately, the criminals share a confidentiality document, which is common practice in many industries. However, this file contains the MixShell malware, which uses DNS tunneling to control endpoints remotely without being detected.
According to Sergey Shykevich, Threat Intelligence Group Manager at Check Point Research, the campaign shows that patience and social engineering are still effective tools. “ZipLine is a wake-up call for any company that thinks phishing is just about suspicious links in emails.”
Supply chains under pressure
The targets are mainly American manufacturing companies, but also sectors in Europe and Asia such as aerospace, energy, and biotech. As usual, the consequences can extend beyond individual organizations. After all, supply chains are large, and partners often have data from others that can be stolen.
Check Point Software emphasizes that contact forms and collaboration tools should be seen as potential attack vectors. Training employees, especially in supply chain and procurement, to recognize multi-channel phishing is crucial. Security training sessions are likely to become longer, even though the warning signs themselves are often the same.
AI hype as a weapon of attack
The attackers are sending a second wave of ZipLine emails disguised as internal AI impact assessments, supposedly requested by management. Employees are asked to complete a short questionnaire about the potential impact of AI on their workflows.
The criminals behind ZipLine go beyond one-off phishing attempts. They build fake websites for the companies they impersonate, sometimes mimicking legitimate US-registered businesses.
Companies can prepare
Effective defense requires expanding monitoring to everyday communication channels, according to Check Point Research. Verification of new business contacts via independent sources such as telephone and LinkedIn is recommended.
Security tools must thoroughly inspect ZIP archives and attachments. The MixShell malware uses advanced techniques such as DNS tunneling and HTTP fallback to execute remote commands.
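One check that such expanded monitoring can include, written here as an added example and not code from Check Point or from the article: a heuristic that groups DNS queries by registered domain and flags domains whose subdomain labels look like encoded data, which is the trace DNS tunneling leaves in resolver logs. The log entries, domain names and thresholds below are constructed for the example and are not indicators from the campaign.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log as (client_ip, queried_name) pairs; the names are
# invented for this example and are not indicators from the article.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.9", "login.example.com"),
    ("10.0.0.7", "0123456789abcdeffedcba9876543210.cdn-sync.example.net"),
    ("10.0.0.7", "123456789abcdef00fedcba987654321.cdn-sync.example.net"),
    ("10.0.0.7", "23456789abcdef0110fedcba98765432.cdn-sync.example.net"),
    ("10.0.0.7", "3456789abcdef012210fedcba9876543.cdn-sync.example.net"),
]

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score close to log2(alphabet size)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(name: str) -> str:
    # Naive: the last two labels. A production check should use the public suffix list.
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def find_tunneling_candidates(queries, min_names=3, min_label_len=16, min_entropy=3.0):
    """Flag registered domains with many distinct, long, high-entropy leftmost labels,
    the shape of data being smuggled out (or commands in) through DNS queries."""
    names_by_domain = defaultdict(set)
    for _client, name in queries:
        names_by_domain[registered_domain(name)].add(name.lower().rstrip("."))
    findings = {}
    for dom, names in names_by_domain.items():
        labels = [n.split(".")[0] for n in names if n != dom]  # leftmost label only
        if len(labels) < min_names:
            continue
        avg_len = sum(len(lab) for lab in labels) / len(labels)
        avg_ent = sum(shannon_entropy(lab) for lab in labels) / len(labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            findings[dom] = {"distinct_names": len(labels), "avg_label_len": avg_len,
                             "avg_entropy": round(avg_ent, 2)}
    return findings

if __name__ == "__main__":
    for dom, stats in find_tunneling_candidates(SAMPLE_QUERIES).items():
        print(f"possible DNS tunneling via {dom}: {stats}")
```

Thresholds need tuning per environment, since CDNs and some telemetry services also emit long hashed labels; the heuristic is a triage signal to pair with query volume and destination reputation, not a verdict on its own.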
Shykevich concludes that ZipLine provides a blueprint for the development of cybercrime. By using everyday business processes and business trust as weapons, attackers prove that social manipulation remains a powerful tool against well-secured organizations.