ZipLine is a patient, multi-week phishing campaign that mainly targets U.S. companies, especially in manufacturing and other high-value industries. The attackers begin by submitting a company's own online "Contact Us" form, so the relationship appears to start on the company's terms. The two sides then trade emails for up to two weeks while the attacker plays the part of a prospective business partner. Eventually the attackers send a ZIP file they describe as an NDA or another routine business document.
Inside that ZIP file are authentic-looking documents plus a hidden Windows shortcut (.lnk) file. Opening the shortcut runs malicious code and installs a backdoor on the victim's computer. The backdoor runs from memory, registers itself to start again whenever Windows boots, lets the attackers run commands and move files, and can relay the attackers' connections through the compromised machine into internal systems.
To appear trustworthy, the attackers host files on well-known cloud services and use old business-style website addresses, some tied to real or former U.S. companies, backed by look-alike websites with copied content and stock photos.
The operation is aimed at stealing valuable information and gaining a foothold in company networks. It shows that even mundane channels such as web forms and ordinary-looking email threads can be used to get past email security that judges each message on its own, because no single message in a long, polite exchange is obviously malicious.
Source: https://research.checkpoint.com/2025/zipline-phishing-campaign/
Commentary
ZipLine-style schemes exploit trust, patience, and routine business processes rather than obvious technical gaps, so loss prevention efforts must treat inbound communications - especially through "Contact Us" forms and unsolicited partnership inquiries - as potential initial access points rather than as inherently low risk.
Organizations should set clear rules that no new or unknown external party can move from a web-form inquiry to document exchange without verification: an independent callback using a phone number found in a trusted directory, domain and website vetting by security or compliance, and manager approval before any files are opened or shared. This matters most when the discussion suddenly introduces NDAs, questionnaires, or "AI impact assessments" tied to strategic initiatives.
A core control for preventing these attacks is a strict policy against opening or executing zip files or shortcut-like attachments received from unknown or lightly known senders, regardless of how legitimate the business pretext appears.
Staff must be trained that a convincing conversation over days or weeks does not equal validation, and that any request to open compressed attachments, shortcut files, or "self-contained" documents from a party that has not been formally onboarded as a vendor, client, or partner should be treated as a security incident and reported, not accommodated.
Loss prevention programs should require that all external file sharing be done through vetted channels and formats: for example, prohibit zip archives in initial exchanges, insist on view-only links from approved cloud platforms, and mandate that any zipped content be scanned in a controlled environment by security before it is made available to end users.
Email security and web filtering tools should be tuned to flag or quarantine zip archives and shortcut files associated with business pretexts like NDAs or AI projects, particularly when they are delivered via generic cloud hosting services or recently repurposed business domains whose web content is sparse, templated, or inconsistent with their claimed industry.
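The ZIP-plus-shortcut pattern described in the summary, together with the controlled scanning and gateway quarantine controls above, as an added example that is not code from the Check Point report or from any product: a Python check that inspects a ZIP attachment for Windows shortcut members by extension, by the Shell Link header bytes, and by the DOS hidden attribute, and follows nested archives. The member names, the sample archive and the "quarantine"/"allow" verdict strings are constructed for illustration; only the LNK header signature and the DOS attribute bit are real format facts.

```python
from __future__ import annotations

import io
import zipfile

# Shell Link (.LNK) file header: HeaderSize 0x0000004C, then the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk GUID byte order.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C000000000000046")
ZIP_MAGIC = b"PK\x03\x04"          # local file header of a non-empty ZIP
DOS_HIDDEN = 0x02                  # FILE_ATTRIBUTE_HIDDEN in the DOS attribute byte
MAX_DEPTH = 3                      # bound on archive-inside-archive recursion


def is_lnk(data: bytes) -> bool:
    """True when the bytes start with a Shell Link header, whatever the name says."""
    return data.startswith(LNK_MAGIC)


def scan_zip(blob: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return one finding per shortcut-like member of the ZIP in `blob`.

    A member is flagged if its name ends in .lnk or its content carries the
    Shell Link header; checking content as well as name keeps the rule from
    being sidestepped by odd casing or a mangled extension. The DOS hidden bit
    is reported alongside, because the lure hid its shortcut from the user.
    Nested archives (including .docx, which is itself a ZIP) are descended into.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            data = zf.read(info)
            reasons = []
            if info.filename.lower().endswith(".lnk"):
                reasons.append("lnk-extension")
            if is_lnk(data):
                reasons.append("lnk-header")
            # For archives built on Windows/FAT the low byte of external_attr
            # holds the DOS attributes; bit 0x02 is 'hidden'.
            if info.external_attr & DOS_HIDDEN:
                reasons.append("dos-hidden")
            if "lnk-extension" in reasons or "lnk-header" in reasons:
                findings.append({"path": path, "reasons": reasons})
            if data.startswith(ZIP_MAGIC) and depth < MAX_DEPTH:
                try:
                    findings.extend(scan_zip(data, depth + 1, path + "/"))
                except zipfile.BadZipFile:
                    # A member that claims to be a ZIP but will not parse is
                    # itself worth an analyst's attention.
                    findings.append({"path": path, "reasons": ["malformed-nested-zip"]})
    return findings


def verdict(blob: bytes) -> str:
    """Gateway decision for one attachment: hold anything carrying a shortcut."""
    return "quarantine" if scan_zip(blob) else "allow"


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; a name ending in '.lnk' is
    written with the DOS hidden attribute set, mirroring the lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zi = zipfile.ZipInfo(name)          # date_time defaults to 1980-01-01
            if name.lower().endswith(".lnk"):
                zi.external_attr = DOS_HIDDEN
            zf.writestr(zi, data)
    return buf.getvalue()


def build_sample_archive() -> bytes:
    """Constructed lure, not a sample from the campaign: convincing documents
    plus a hidden shortcut, with a nested archive to exercise recursion."""
    fake_lnk = LNK_MAGIC + b"\x00" * 32
    inner = make_zip({
        "supplier_questionnaire.txt": b"Q1: annual volume?\n",
        "open_me": fake_lnk,                    # shortcut bytes under a bland name
    })
    return make_zip({
        "NDA_Draft.docx": make_zip({"[Content_Types].xml": b"<Types/>"}),
        "Company_Profile.pdf.lnk": fake_lnk,   # double extension, hidden
        "attachments.zip": inner,
    })


if __name__ == "__main__":
    for f in scan_zip(build_sample_archive()):
        print(f["path"], ",".join(f["reasons"]))
    print(verdict(build_sample_archive()))
```

Running the module prints the two flagged members of the constructed archive and the verdict "quarantine"; the .docx is descended into and produces nothing, which is the behaviour you want for a gateway rule that must not block ordinary Office attachments. In a real deployment the header and attribute checks would be one signal among several (sender vetting status, hosting domain age, whether the thread introduced an NDA), not a standalone block.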
Finally, loss prevention leaders should ensure that incident response plans explicitly cover the case in which a user has opened a suspicious ZIP or run a file from an unverified party. Because the backdoor described here runs from memory and re-launches at startup, the playbook should call for isolating the host, capturing memory before it is rebooted, reviewing Windows startup persistence, and checking outbound connections from that host to internal systems, not just deleting the attachment.