A new phishing technique, dubbed "file archiver in the browser", is being used in the wild. Attackers register domains under the .ZIP top-level domain and host pages that mimic file archiver software inside the web browser, so that a link such as https://setup(.)zip looks to the victim like an archive being opened rather than a website. This makes the lure far more convincing and strengthens the social engineering behind the campaign.

Here are three important details to provide you with further context:
  • When a user clicks such a link, their browser opens the website https://setup(.)zip, a real domain under the .ZIP TLD. Depending on how the attacker has configured the site, several outcomes are possible: the page may render normally, redirect the user to another site, display an HTML page that imitates an archive being opened, or prompt the user to download a file.
  • As with most malware delivery and phishing campaigns, the attackers still rely on convincing the user to open a file, and they may use a range of social engineering techniques to get the user to interact with the malicious content. User vigilance remains essential.
  • Windows File Explorer has a notable behavior: if a user types a name ending in .zip (for example setup.zip) into the search or address bar and no such file exists locally, Windows treats the name as a hostname and opens https://setup(.)zip in the default browser. Many email and chat clients likewise turn file names ending in .zip into clickable links. Attackers can therefore register domains that match common file names, such as "important_documents.zip", so that what looks like a reference to a file silently becomes a link to their site.

To protect yourself, consider the following steps:

Exchange Admin Center: Block messages whose sender address is in a .ZIP domain by creating a mail flow (transport) rule in the Exchange admin center. Note that this rule matches the sender's domain, not .ZIP file attachments; attachment filtering is a separate control.

  1. Sign in to https://admin.microsoft.com
  2. Click Show all
  3. Click Exchange
  4. Click Mail flow and then click Rules
  5. Click Add a rule and then choose Create a new rule
  6. Enter a name for the rule
  7. Under Apply this rule if, select The sender, and in the box next to it select address matches any of these text patterns
  8. Enter \.zip$ in the text pattern field and then click Add (the pattern is anchored with $, so only addresses that end in .zip match; the backslash is needed because an unescaped dot would match any character)
  9. Click Save
  10. For Do the following, choose Block the message, and in the box to the right choose Delete the message without notifying anyone
  11. Click Next
  12. Click Next in Set rule settings
  13. Review your settings and then click Finish
  14. Lastly, click the new rule and set it to Enabled, since rules created in the wizard start out disabled

Email Filtering: If your email service can filter on URLs in message bodies, configure it to block or quarantine incoming messages containing links to .ZIP domains. Do not confuse this with blocking .ZIP file attachments: a .zip archive attached to a message and a link to a .zip domain are different things, and blocking all archive attachments has a much broader impact on legitimate mail. Filtering links to .ZIP domains directly reduces the risk of users falling victim to this technique.
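The following Exchange Online PowerShell script is an added example, not part of the original page, that creates the sender-domain rule built in the admin center steps above plus a second rule for the link-filtering case just described. It assumes the ExchangeOnlineManagement module is installed and that the account has permission to manage transport rules; the rule names, comments and the URL regex are assumptions chosen for illustration.

```powershell
# Added example (not the page's own procedure): mail flow rules for .ZIP domains via
# Exchange Online PowerShell. Assumes: Install-Module ExchangeOnlineManagement has been run
# and the signed-in account holds the Transport Rules role. Rule names are hypothetical.

Connect-ExchangeOnline

# Rule 1: the equivalent of the Exchange admin center steps above. The anchored pattern
# \.zip$ matches only sender addresses that end in ".zip". HeaderOrEnvelope checks both
# the From: header and the SMTP MAIL FROM address; the portal wizard checks the header only,
# so a sender whose envelope address is in a .zip domain would otherwise slip through.
New-TransportRule -Name "Block senders in .zip domains" `
    -SenderAddressMatchesPatterns '\.zip$' `
    -SenderAddressLocation HeaderOrEnvelope `
    -DeleteMessage $true `
    -Mode Enforce `
    -Comments "Blocks mail from senders under the .ZIP TLD (file archiver in the browser phishing)"

# Rule 2: the "links to .ZIP domains" case. The regex is an assumption: it matches an http(s)
# URL whose host ends in .zip, followed by a path, whitespace or end of text, so that a plain
# archive file name such as report.zip in the body does not match. The rule starts in Audit
# mode so matches are only logged; review them before enforcing to avoid surprises.
New-TransportRule -Name "Quarantine links to .zip domains" `
    -SubjectOrBodyMatchesPatterns 'https?://[A-Za-z0-9.-]+\.zip(/|\s|$)' `
    -Quarantine $true `
    -Mode Audit `
    -Comments "Links to .ZIP domains; audit first, then enforce"

# Verify that both rules exist, are enabled, and have the expected mode.
Get-TransportRule | Where-Object { $_.Comments -like '*.ZIP*' } |
    Format-Table Name, State, Mode, Priority

Disconnect-ExchangeOnline -Confirm:$false
```

Once the audit period shows no legitimate mail matching the second rule, switch it on with `Set-TransportRule -Identity "Quarantine links to .zip domains" -Mode Enforce`. Rules created from PowerShell are enabled immediately, unlike those created in the admin center wizard, so double-check the `State` column in the output before leaving the session.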

Web Filtering: Administrators should configure their web filter or DNS filter to block access to websites under the .ZIP TLD. Few organizations have a legitimate need to reach .ZIP domains, so blocking the whole TLD is usually low-impact, and it stops users from unknowingly reaching a malicious site even if a link gets past email controls or is opened from File Explorer. Review the filter's logs periodically so that any legitimate .ZIP site can be allow-listed individually.

If you need help implementing these measures, contact us for further assistance.