A recent report from Check Point Research uncovered Zipline, a phishing campaign that fuses subtle, patient social engineering with stealthy in-memory malware, together enabling attackers to slip past traditional defences and manipulate human behaviour on a wide scale.

How did they do it, and who was targeted?

A typical phishing attack relies on unsolicited emails; Zipline flipped the script completely. The attackers instead submitted enquiries through a company’s own “Contact Us” web form, prompting a reply from the target. If that worked, it marked the beginning of multiple professional email exchanges spanning several weeks, filled with fake NDAs and proposals, all aimed at establishing the target’s trust. Once that trust was in place, a malicious ZIP file was sent carrying a .LNK file. The shortcut launches a PowerShell loader and delivers MixShell, an in-memory implant that uses DNS tunnelling for covert communication.

Check Point found that more than 80% of the identified targets in this campaign are based in the United States, a clear geographic concentration, although companies in Singapore, Japan, and Switzerland were also targeted. The majority of the targeted companies are in industrial manufacturing (46%); other affected sectors include hardware & semiconductors (18%), consumer goods & services (14%), and biotech & pharmaceuticals (5%). From this sector distribution, Check Point concluded that the attackers were seeking entry points across wealthy, operationally critical and supply-chain-critical industries.

Why Does This Method Work So Well?

Tim Ward, CEO and Co-Founder of RedFlags, shared his in-depth knowledge on the topic and focused on how human psychology comes into play…

“Impressive, and worrying, research from Check Point on the ZipLine campaign. What makes this so effective isn’t just the tooling (in‑memory payloads, DNS tunnelling) but the way it exploits how people think:

There is a lot of psychology at play in why this works:

  • Authority & legitimacy bias: formal entry via a “Contact us” form, and an NDA request create a veneer of legitimacy.
  • Commitment & consistency / sunk‑cost effect: multi‑week professional exchanges make people feel invested and less likely to challenge a late‑stage ZIP request.
  • Reciprocity: they start the conversation so you feel obliged to respond/help.
  • Fluency & familiarity: polished language, sector jargon, and an “AI Impact Assessment” pretext feel normal and current.
  • Normalcy bias: long, routine back‑and‑forth lowers suspicion—“it’s just another vendor thread.”
  • Urgency & framing: the NDA / AI‑programme framing implies time sensitivity and internal endorsement.

Attackers continue to refine people‑centred attacks, so our defence has to be people‑centred too. Lengthy annual training doesn’t cut it.”

Many of these points have both real-life and theoretical backing. Take, for example, the sunk cost effect, first described by Harold Arkes and Catherine Blumer. They found that people tend to continue an endeavour because of previously invested resources, even when those investments cannot be recovered.

So imagine you have just spent weeks building this professional relationship: countless emails back and forth, a lot of time and effort that can never be recovered. That investment makes people emotionally committed, and when the final malicious ZIP file comes through, not opening it feels like a missed opportunity. This is exactly why the sunk cost fallacy works so well: it rests on “loss aversion”, the phenomenon of people feeling the pain of a loss more strongly than the pleasure of an equal gain.

What’s The Takeaway Here?

This Zipline attack highlights a key truth that the industry too often learns the hard way: people remain the softest attack surface. As a society, we value trust highly, and every business depends on it, but that is exactly why, when it lands in the wrong hands, the results can be catastrophic. While advanced threat detection is essential, the sheer success of this phishing attack underscores how important continuous, behaviour-aware security education is.

However, the blame shouldn’t always lie with the individual. Security leaders should also rethink policies around contact form workflows, NDA processes, and late-stage ZIP file approvals. This, paired with context-aware email security that flags suspicious behavioural patterns over time, can help ensure that attackers can’t zip away with your sensitive data.
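As an added illustration of the kind of pattern-over-time check the previous paragraph calls for (example code written for this article, not from Check Point or RedFlags), the following Python scores an email thread against the Zipline chain described earlier: form-originated first contact, a multi-week exchange, an NDA pretext, and a late-stage ZIP whose listing contains a .lnk shortcut. The gateway flag `form_origin`, the `Message` structure and the sample thread are assumptions constructed here.

```python
import io
import zipfile
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Message:
    sent: datetime
    inbound: bool      # True when sent by the external party
    subject: str
    attachments: dict  # filename -> raw bytes

def zip_contains_shortcut(data: bytes) -> bool:
    """True if the archive lists a Windows shortcut (.lnk) at any depth."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(".lnk") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def score_thread(thread: list, form_origin: bool) -> list:
    """Collect Zipline-style indicators present in one email thread.
    form_origin is an assumed gateway flag: the thread began as a reply to a Contact Us form."""
    thread = sorted(thread, key=lambda m: m.sent)
    flags = []
    if form_origin:
        flags.append("thread began with a Contact Us form submission")
    span = (thread[-1].sent - thread[0].sent).days
    if span >= 14:
        flags.append(f"multi-week exchange ({span} days)")
    if any("nda" in m.subject.lower().split() for m in thread if m.inbound):
        flags.append("NDA pretext in an inbound subject")
    for m in thread:
        for name, data in (m.attachments.items() if m.inbound else []):
            if name.lower().endswith(".zip") and zip_contains_shortcut(data):
                flags.append(f"late-stage ZIP carrying a shortcut: {name}")
    return flags

def build_sample_thread() -> list:
    """Constructed sample: a three-week vendor thread ending in a ZIP with a .lnk entry (placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AI_Impact_Assessment/Proposal.lnk", b"placeholder")
    t0 = datetime(2025, 8, 1)
    return [
        Message(t0, True, "Enquiry via your Contact Us form", {}),
        Message(t0 + timedelta(days=2), False, "RE: Enquiry via your Contact Us form", {}),
        Message(t0 + timedelta(days=9), True, "NDA for the AI Impact Assessment", {}),
        Message(t0 + timedelta(days=22), True, "Proposal documents", {"Proposal.zip": buf.getvalue()}),
    ]
```

A thread that collects three or more of these indicators is the point at which a late-stage archive should be held for review rather than delivered.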
