.Zip and .Mov Top Level Domain Abuse: One Month After Being Made Public

Google recently released eight new top-level domains, including .zip and .mov, which are being scrutinized for potential social-engineering abuse because they resemble common file extensions. Netskope Threat Labs notes early abuse signals and urges vigilance, including blocking or inspecting traffic to these TLDs to mitigate the risk. #ZIPDomain #MOVDomain #URLSchemeAbuse #EventDrivenPhishing #NetskopeThreatLabs #Google #Office365

Keypoints

  • The .zip and .mov top-level domains can be registered publicly and misused for social engineering because they look like familiar file extensions.
  • Attackers may employ URL scheme abuse and domain spoofing (e.g., IDN homographs, typosquatting) to lure victims into clicking malicious links.
  • A sample phishing scenario shows a domain such as year-end.zip steering users toward malicious content or credential harvesting.
  • Event-driven phishing is highlighted as a tactic, leveraging major events (COVID, tax season) to prompt attachment-based scams.
  • Recommendations include blocking the .zip and .mov TLDs where possible, inspecting all HTTP/HTTPS traffic, and using remote browser isolation for high-risk sites.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – Attackers lure victims with a link that appears to deliver a ZIP/MOV file; example: “year-end.zip” domain leading to a malicious site. Bracketed quote: “…the sample malicious email below purports to be HR from a company that sends a ‘year-end performance review’… the domain ‘year-end.zip’ because anything before the ‘@’ sign is considered user info and that is stripped off by some browsers.”
  • [T1583] Acquire Infrastructure – Attackers can register domains that look like compressed files to use them in attacks. Bracketed quote: “And since .zip domains are now available to the public, attackers can register domains that look like compressed files to use them in attacks, like the one we demonstrated above.”
  • [T1566.002] Phishing: Spearphishing Link – Event-driven phishing leveraging major events to prompt attachments or file delivery; Bracketed quote: “Combining this strategy with a .zip TLD can be a great tool for attackers, especially for event themes where users expect to receive file attachments.”
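The userinfo trick quoted above (everything before “@” in a URL is user info, so the browser connects to the host after it) is easy to check for mechanically. The following is an added example, not code from the Netskope article: it parses each URL the way a URL parser does, reports the host the browser would actually contact, and flags userinfo before “@”, a .zip/.mov host, and punycode labels (the IDN-homograph case mentioned in the key points). All sample URLs are constructed for illustration; only year-end.zip and e-mails.zip are domains named on the page.

```python
"""Flag URLs whose real destination is disguised by userinfo ('@'),
a file-extension-lookalike TLD, or a punycode (IDN) label.
Added example for the article above; sample URLs are constructed."""
from urllib.parse import urlsplit

# TLDs that double as file extensions (the page discusses .zip and .mov)
LOOKALIKE_TLDS = {"zip", "mov"}


def analyze_url(url: str) -> dict:
    """Parse one URL and return where the browser will really connect,
    plus a list of human-readable findings (empty list = nothing odd)."""
    url = url.strip()
    if "://" not in url:
        # A bare "year-end.zip/review" is still treated as a host by browsers
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # hostname drops port, userinfo
    labels = host.split(".")
    tld = labels[-1] if len(labels) > 1 else ""
    findings = []

    # Anything before '@' is userinfo; it is not part of the destination
    if parts.username is not None:
        findings.append(
            f"userinfo '{parts.username}' precedes '@'; "
            f"browser connects to '{host}', not to it"
        )
    # Host ends in a TLD that looks like a file extension
    if tld in LOOKALIKE_TLDS:
        findings.append(f"host ends in .{tld}, which doubles as a file extension")
    # Punycode label: possible IDN homograph of a familiar name
    if any(label.startswith("xn--") for label in labels):
        findings.append("punycode label: possible IDN homograph")

    return {
        "url": url,
        "host": host,
        "tld": tld,
        "userinfo": parts.username,
        "findings": findings,
        "suspicious": bool(findings),
    }


def scan(urls):
    """Return the analysis records for every URL that raised a finding."""
    results = (analyze_url(u) for u in urls)
    return [r for r in results if r["suspicious"]]


# Constructed sample links, as they might appear in an email or proxy log.
SAMPLE_URLS = [
    "https://performance-review-2023.pdf@year-end.zip/",   # userinfo + .zip host
    "https://hr.example.com/review.pdf",                    # ordinary link
    "https://xn--exmple-cua.com/login",                     # constructed punycode label
    "https://e-mails.zip",                                  # .zip host named on the page
    "https://example.com/files/archive.zip",                # .zip in the path only: fine
]

if __name__ == "__main__":
    for record in scan(SAMPLE_URLS):
        print(record["url"])
        for finding in record["findings"]:
            print("   -", finding)
```

The last sample shows why the check must look at the parsed host rather than searching the string for “.zip”: a path that ends in an archive name is ordinary, while a host that ends in .zip is the case the article warns about. In a mail gateway or proxy, the same `analyze_url` output can drive a block, a rewrite to a remote-browser-isolation session, or simply a log line for review.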

Indicators of Compromise

  • [Domain] Malicious or potentially abusive domains used for phishing – newdocument.zip, businesscentral.zip, e-mails.zip, 42.zip, microsoft-office.zip, bobm.zip (examples from the article)
  • [Domain] Additional observed domains from Netskope threat monitoring – two more domains are mentioned in the article but not reproduced here

Read more: https://www.netskope.com/blog/zip-and-mov-top-level-domain-abuse-one-month-after-being-made-public