Phishing Threat From New .zip Top-Level Domain

Share :

On Wednesday, May 3, 2023, Google introduced eight new top-level domains (TLD) available for purchase and that could be used with websites and/or email addresses. From these eight new TLD’s, one that stands out as a potential security risk is .zip.

The .zip  TLD is concerning since it is also used as an extension of files commonly shared over the internet. With the inclusion of .zip  as a domain, email clients and web platforms will now accept URLs disguised as filenames with .zip extensions. A threat actor could theoretically purchase a .zip  domain with the same name as a commonly used filename, such as “ “, and have a victim mistakenly visit the site during a phishing campaign to download malware. 

Arctic Wolf has identified some .zip domains being abused for successful phishing campaigns leveraging popular office software suite filenames already. Based on tactics, techniques, and procedures (TTPs) we’ve seen in phishing campaigns in the past, we expect more threat actors will continue to use these TLD’s for their phishing domains in the near future.  

Arctic Wolf has multiple detections in place for suspicious activity on email accounts associated with phishing. We continue to actively monitor for tactics, techniques, and procedures (TTPs) associated with campaigns that may arise from these TLD’s. 


When it comes to preventing phishing or other forms of social engineering attacks, the most important factor is awareness and knowledge. If your users are aware that these types of attacks exist, they may be less likely to become a victim of them. 

Recommendation #1: Block ZIP TLD’s at your Organization 

Arctic Wolf strongly recommends assessing the need for allowing access to .zip TLDs in your organization. If your organization does not have a business need for accessing or using these new TLD’s, consider blocking them at the Network Firewall, DNS, or Web Proxy level and allowlist domains on an “as-needed” basis.  

Recommendation #2: Provide User Awareness Training 

Provide tailored user awareness training to all employees around phishing campaigns and social engineering attacks.  

  1. Ensure users know how to identify a phishing email and where to report it. 
  2. Provide examples on what users could expect and remind users to remain vigilant when receiving an email from an unknown or external source. 
  3. Be wary of messages that create a sense of urgency and ask you to do something quickly. 
  4. Be cognizant that threat actors may use personal social media accounts or text messages to contact you. 
  5. Review policies for verification of any changes to existing invoices, bank deposit information, and contact information. 


Picture of James Liolios

James Liolios

James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.
Share :
Table of Contents
Subscribe to our Monthly Newsletter