Tuesday, 30 May 2023 10:46

Google’s New Zip Domains Can be Easily Abused for Phishing and Malware Payloads

This one gets filed in the “you knew it was going to happen” file. After Google announced a handful of new top-level domains (TLDs), including .zip and .mov, the security world quietly shook its head. Using file extensions as TLDs is a concept that defies logic. As soon as I read about these new domains, I knew someone would build phishing or malware attacks around URLs that look like common file names. Such attacks can leverage modern web design to make a target think they are using an application to run or open the file when they are really triggering commands in the background that compromise their system. Lo and behold! We now have the “file archiver in the browser” technique, as shown off by mr.d0x.

The technique is shockingly simple. You send someone a link with a .zip TLD, and that link opens a page that looks like file archiving software (WinRAR, 7-Zip, etc.). The page could harvest credentials simply by claiming the file is encrypted (as some existing phishing emails already do), or the link to the fake archive could download an executable and run it on the targeted system. The same can be done with .mov domains. Phishing has been on the rise since early 2022 and shows no signs of slowing. By adding new options for phishing attacks like the .zip and .mov domains, Google has opened more options for IABs (initial access brokers) and other groups (as if they needed more). The new TLDs are added to personalized phishing links that can evade reputation scanning and blocklists, because the actual phishing content is only reachable through the initial link sent to the target.

Phishing and smishing (SMS phishing) have become more sophisticated, with attackers using detection evasion techniques to get around most anti-phishing platforms. 2022 saw an increase of over 350% in sophisticated attacks. Attackers are leveraging flaws in Teams to send malicious links and meeting invites to unsuspecting targets. Combined with the use of compromised “legitimate” Microsoft 365 accounts and restricted-permission message formats, these new TLDs represent a significant increase in exposure for all organizations. Mitigation for these new threat vectors is either to block all .mov and .zip domains from your environment (not a bad idea) or to harden existing systems against malicious pivots while increasing security awareness training specifically on these new threats. Personally, I would go with the blanket block on the new TLDs, as the likelihood of a legitimate domain popping up with one of these is minimal, and that single domain could be added to a safe list if necessary. For personal systems, vigilance and not opening every link or file that comes in is the best method here.
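As an added illustration of the blanket-block-with-safe-list mitigation (example code written here, not from the original post or from mr.d0x's research), this Python check pulls candidate hostnames out of message text and flags any that sit under the .zip or .mov TLDs, distinguishing a real archive.zip in a URL path from a host that merely looks like a file name. The safe-list entry and the sample message are constructed.

```python
# Defender-side link check for the .zip/.mov TLD problem: find candidate hosts in
# message text, blanket-block the new TLDs, and honour a small safe list.
import re
from urllib.parse import urlsplit

BLOCKED_TLDS = {"zip", "mov"}
# Hypothetical safe list: the one legitimate .zip domain an org chose to permit.
ALLOWLIST = {"trusted-example.zip"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Bare tokens such as report.zip or invoice-2023.mov that appear outside any URL;
# mail and chat clients may auto-link these into clickable .zip/.mov hosts.
BARE_RE = re.compile(r"\b([a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9-]+)*\.(?:zip|mov))\b",
                     re.IGNORECASE)


def tld(host):
    return host.rsplit(".", 1)[-1] if "." in host else ""


def allowlisted(host):
    return any(host == a or host.endswith("." + a) for a in ALLOWLIST)


def extract_hosts(text):
    """Hosts from URLs first (a file.zip in the *path* is not a host), then bare tokens."""
    hosts = []
    for m in URL_RE.finditer(text):
        try:
            host = urlsplit(m.group(0)).hostname  # drops port and userinfo
        except ValueError:
            continue
        if host:
            hosts.append(host.lower())
    # Strip the URLs before the bare-token pass so path components are not rescanned.
    hosts += [m.group(1).lower() for m in BARE_RE.finditer(URL_RE.sub(" ", text))]
    return hosts


def classify(text):
    """Map each candidate host to 'block', 'allow' or 'ok'."""
    verdicts = {}
    for host in extract_hosts(text):
        if tld(host) not in BLOCKED_TLDS:
            verdicts[host] = "ok"
        else:
            verdicts[host] = "allow" if allowlisted(host) else "block"
    return verdicts


# Constructed sample message, not a real lure.
SAMPLE_MESSAGE = ("Q2 figures: https://reports.trusted-example.zip/q2 . The attached "
                  "Report.ZIP has the details; the old copy at https://example.com/archive.zip "
                  "is stale. Watch invoice-2023.mov when you can.")
```

Running `classify(SAMPLE_MESSAGE)` allows the safe-listed host, passes example.com, and blocks report.zip and invoice-2023.mov.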
