
Sep 29 2025
Security

When Trust Becomes a Weapon: Government Leaders Face Evolving Phishing Attacks

ZipLine, discovered by Check Point Research, shows how attackers can turn an organization’s own inbound contact channels against it.

Phishing isn’t what it used to be. The unsophisticated, typo-riddled, unbranded and impersonal mass mailings are no longer the norm. Cyber criminals are adopting patient, sophisticated social engineering tactics designed to slip past traditional defenses by exploiting the very thing that keeps business, and government, moving: trust.

One campaign that stands out is ZipLine, discovered by Check Point Research: an advanced social engineering operation targeting U.S. manufacturing and companies critical to the supply chain. What makes ZipLine so dangerous is not only its technical sophistication but also its reversal of the usual phishing flow, in which the attacker sends the first message. Turned against the public sector, the same playbook would pose a serious risk to government organizations.


ZipLine Works by Letting the Victim Make the First Move

Traditional phishing begins with unsolicited emails sent en masse. ZipLine takes the opposite approach. Attackers first initiate contact through an organization’s public “Contact Us” form, posing as a legitimate business inquiry. That poses a significant risk to state and local agencies with public-facing online forms, which is to say most of them.

This simple but clever tactic forces the victim to make the first move: an employee answers the inquiry, and that reply is the initial email sent to the attacker. Every message the attacker sends afterward arrives as a reply in a thread the victim started, so the conversation looks authentic and reputation-based and first-contact filters designed to catch suspicious unsolicited inbound mail have nothing to flag.


Professional Conversations, Staged Over Weeks

Unlike typical one-and-done phishing attempts, ZipLine attackers play the long game, investing days or even weeks in building credibility through professional email exchanges. In some cases, after weeks of conversation, an NDA signing step serves as the final lure.

That final step is where the trap is sprung: the attacker delivers a malicious ZIP file containing benign documents, such as the NDA itself, alongside a weaponized Windows shortcut (.lnk) file. When the shortcut is opened, it launches custom malware that uses DNS tunneling for command and control, with HTTP as a fallback channel, to maintain stealthy, persistent control of infected systems.
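As an added example that is not part of the original article and makes no claim about ZipLine’s actual protocol: a heuristic detector for the kind of DNS tunneling described above, run over constructed query-log lines. It groups queries by client and registered domain and flags a pair that issues many distinct, long, high-entropy leftmost labels using record types that can carry data back (TXT, NULL, CNAME). The log format, domain names, client addresses, the SHA-256-derived placeholder labels and the thresholds are all assumptions.

```python
"""Heuristic DNS-tunneling detector run over constructed query-log lines.
Added example; the log format, names, addresses and thresholds are assumptions."""
import hashlib
import math
from collections import defaultdict

# Constructed log lines (not from any real campaign): "client qname qtype".
BENIGN_LINES = [
    "10.0.0.15 www.example.gov A",
    "10.0.0.15 mail.example.gov A",
    "10.0.0.15 updates.vendor.example A",
    "10.0.0.22 www.example.gov A",
]


def tunnel_lines(domain="cdn-metrics.example", client="10.0.0.22", n=6):
    """Constructed tunnel-style queries: encoded data rides in the leftmost
    label and the client asks for record types that can carry a reply.
    The labels are SHA-256-derived placeholders standing in for encoded chunks."""
    lines = []
    for i in range(n):
        label = hashlib.sha256(b"constructed-chunk-%d" % i).hexdigest()[:32]
        lines.append(f"{client} {label}.{domain} TXT")
    return lines


SAMPLE_LOG = BENIGN_LINES + tunnel_lines()

# Record types with room to carry data back to the client.
DATA_RR_TYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(s):
    """Bits per character; 32 random hex characters score close to 4.0."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Assumption for the example: the last two labels. A real deployment
    should use the Public Suffix List so co.uk-style suffixes split correctly."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])


def analyse(lines, min_unique=5, min_mean_len=20, min_mean_entropy=3.0, min_data_rr=0.5):
    """Group queries by (client, registered domain) and flag pairs whose
    leftmost labels look like encoded data rather than hostnames."""
    stats = defaultdict(lambda: {"qnames": set(), "lens": [], "ents": [],
                                 "data_rr": 0, "total": 0})
    for line in lines:
        client, qname, qtype = line.split()
        st = stats[(client, registered_domain(qname))]
        leftmost = qname.split(".")[0]
        st["qnames"].add(qname)
        st["lens"].append(len(leftmost))
        st["ents"].append(shannon_entropy(leftmost))
        st["total"] += 1
        if qtype.upper() in DATA_RR_TYPES:
            st["data_rr"] += 1

    findings = []
    for (client, domain), st in stats.items():
        mean_len = sum(st["lens"]) / len(st["lens"])
        mean_ent = sum(st["ents"]) / len(st["ents"])
        data_frac = st["data_rr"] / st["total"]
        if (len(st["qnames"]) >= min_unique and mean_len >= min_mean_len
                and mean_ent >= min_mean_entropy and data_frac >= min_data_rr):
            findings.append({"client": client, "domain": domain,
                             "unique_qnames": len(st["qnames"]),
                             "mean_label_len": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2),
                             "data_rr_fraction": round(data_frac, 2)})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print("possible DNS tunnel:", f)
```

The thresholds are starting points, not tuned values: some security products and CDNs legitimately issue hash-like lookups, so allowlist those domains and tune against a week of your own resolver logs before alerting on this. The HTTP fallback the article mentions needs a separate check on egress proxy logs; this example covers only the DNS side.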

Riding the AI Wave 

ZipLine doesn’t stop there. In a second wave of attacks, researchers observed phishing lures disguised as internal “AI Impact Assessments.” Framed as questionnaires on how artificial intelligence could improve efficiency and reduce costs, these messages tap into business buzz to increase credibility. While researchers did not recover malware from the AI-themed samples analyzed, the attackers’ infrastructure reuse suggests the same staged ZIP delivery model was likely in play.

This blending of social engineering with current technology narratives highlights the attackers’ growing sophistication. They are watching the same headlines we are — and adapting their lures accordingly.

Supply Chains Are in the Crosshairs

ZipLine has primarily targeted companies critical to the U.S. manufacturing and supply chain ecosystem, both of which directly influence the nation’s critical infrastructure. The consequences of compromise in this sector are serious:

  • Intellectual property theft and ransomware attacks could halt production and erode competitiveness.
  • Financial fraud through stolen credentials, account takeovers or business email compromise could cause major losses.
  • Supply chain disruptions could ripple across industries, delaying delivery of essential components and impacting national resilience.

In short, campaigns such as ZipLine threaten not just individual companies but the broader economy, critical infrastructure and national security.


Cyber Defenders Must Cover All Their Bases

The sophistication of ZipLine underscores several important lessons for defenders:

  1. Expand monitoring of inbound channels: Contact forms, collaboration tools and messaging platforms must be treated as potential entry points.
  2. Educate employees: Procurement, partnerships and supply chain staff are often the first line of contact with new vendors, making them prime targets for long-form social engineering.
  3. Enhance due diligence: Verify new vendors or business contacts through channels independent of the inquiry itself, such as a phone call to a number taken from the company’s own website or a public registry, or a LinkedIn profile that predates the contact, never a number or link supplied in the email thread, before sharing sensitive files.
  4. Harden attachment and link inspection: Ensure security solutions open archives, including nested ones, and flag scripts and shortcut files inside them rather than scanning only the outer file.
  5. Defend against account takeover and BEC: Enforce multifactor authentication and monitor for unusual login behavior.
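As an added example that is not part of the original article and does not describe any vendor’s scanner: a Python inspector for the pattern described earlier, a decoy document beside a weaponized Windows shortcut, applied to a ZIP constructed inline. It flags executable and script extensions, document-looking double extensions, the shortcut file header regardless of file name, nested archives, whitespace-padded names and member paths that escape the extraction directory. Member names, contents and the extension lists are assumptions; the header bytes are the HeaderSize and LinkCLSID that the MS-SHLLINK specification defines for shortcut files.

```python
"""Inspect a ZIP attachment for the decoy-document-plus-shortcut pattern.
Added example; member names and contents are constructed placeholders."""
import io
import posixpath
import zipfile

# A Windows shortcut (.lnk) starts with HeaderSize 0x4C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in on-disk (little-endian) layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")

# Assumed lists for the example; extend to match your environment.
SCRIPT_EXTS = {"lnk", "js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "exe",
               "scr", "cmd", "bat", "ps1", "com", "pif", "msi"}
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso", "img", "cab"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf"}


def _extensions(name):
    """All extensions of the final path component, lower-cased: 'A.pdf.lnk' -> ['pdf', 'lnk']."""
    base = posixpath.basename(name.replace("\\", "/")).lower()
    parts = base.split(".")
    return parts[1:] if len(parts) > 1 else []


def inspect_zip(data, max_members=500):
    """Return (member_name, rule) pairs for every suspicious member.
    Only the first 64 bytes of each member are read for the magic check,
    so a large or zip-bomb-style archive costs little to inspect."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist()[:max_members]:
            name = info.filename
            exts = _extensions(name)
            final = exts[-1] if exts else ""
            head = b""
            if not info.is_dir():
                with zf.open(info) as fh:
                    head = fh.read(64)
            segments = name.replace("\\", "/").split("/")
            if name.startswith(("/", "\\")) or ".." in segments:
                findings.append((name, "path_traversal"))  # zip-slip style name
            if final in SCRIPT_EXTS:
                findings.append((name, "script_ext"))
            if len(exts) >= 2 and exts[-2] in DOC_EXTS and final in SCRIPT_EXTS:
                findings.append((name, "double_ext"))  # e.g. NDA.pdf.lnk
            if head.startswith(LNK_MAGIC):
                findings.append((name, "lnk_header"))  # shortcut regardless of its name
            if final in ARCHIVE_EXTS:
                findings.append((name, "nested_archive"))  # recurse before deciding
            if "  " in segments[-1]:
                findings.append((name, "name_padding"))  # spaces push the real extension out of view
    return findings


def is_suspicious(data):
    return bool(inspect_zip(data))


def build_sample_zip():
    """Constructed sample: two harmless decoys, a shortcut named after the NDA,
    and a member whose name escapes the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("NDA_Mutual.pdf", b"%PDF-1.4\n% constructed placeholder, not a real document\n")
        zf.writestr("Company_Profile.txt", b"constructed placeholder text\n")
        zf.writestr("NDA_Mutual.pdf.lnk", LNK_MAGIC + bytes(56))
        zf.writestr("../Startup/update.cmd", b"@echo constructed placeholder\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, rule in inspect_zip(build_sample_zip()):
        print(f"{rule:15s} {member}")
```

A shortcut file inside a business-document archive has no routine legitimate use, so an lnk_header hit can block delivery on its own; the other rules are better treated as weights. Password-protected archives, with the password supplied in the email body, defeat content inspection entirely, so a gateway policy should quarantine those rather than pass them through unexamined.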


The Bigger Picture: Layered Security Is Mandatory

Phishing has always been about deception, but campaigns such as ZipLine show just how far that deception has evolved. By flipping the phishing playbook — making victims send the first email, sustaining professional exchanges and leveraging timely AI narratives — attackers are weaponizing trust itself. 

For public-sector entities, the stakes are higher than ever. Cybersecurity is no longer just about protecting data; it’s about protecting business continuity, civic well-being, economic competitiveness and national security.

The lesson is clear: Phishing is evolving, and so must our defenses. Government organizations and other entities need to anticipate that any inbound channel can be exploited, and they must invest in proactive, layered security to stay one step ahead.
