Threat Awareness – .ZIP Top Level Domain Creates New Risks for Network Defenders, Users

Created: Thursday, July 20, 2023 - 13:17
Categories:
Cybersecurity

Fortinet has posted a blog discussing Google’s launch of the .zip Top Level Domain and the challenges it presents for network defenders. This analysis follows WaterISAC’s initial reporting on the issue in May, which raised concerns about the use of .zip to confuse users into clicking on malicious links.

Fortinet observed a variety of responses to the availability of the .zip domain. While some responsible netizens have registered easily abusable domains such as ‘assignment.zip’ or ‘chatgpt5.zip’ and done nothing with them, other domains such as ‘excelpatch.zip’ and ‘outlook365update.zip’ already host fake Google login pages that harvest credentials. Notably, an unknown actor is squatting on the likeness of ICS cybersecurity firm Nozomi Networks with a rogue .zip domain. While the potential for malicious .zip domain activity is high, the article notes that few examples have been observed in the wild so far. Fortinet recommends that organizations block .zip domains at the firewall, educate users about this new threat, and modify email filtering to block suspicious links. Read more at Fortinet.
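One way to approach the email-filtering recommendation, as an added example that is not from Fortinet or WaterISAC: a check that flags references whose host falls under the .zip TLD while ignoring ordinary URLs that merely point at a .zip file. The function name, the sample message and its URL paths are constructed for illustration; the domain names are the ones cited above.

```python
import re

# Assumption: policy treats the entire .zip TLD as blocked, per the recommendation above.
BLOCKED_TLDS = {"zip"}

# Explicit http(s) URLs, plus bare "name.tld" tokens that mail clients may auto-link.
# The optional path group consumes "/backup.zip" so a file name inside a URL path
# is never re-scanned as if it were a host name.
CANDIDATE_RE = re.compile(
    r"(?P<scheme>https?://)?"
    r"(?P<host>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)"
    r"(?::\d+)?"
    r"(?P<path>/[^\s<>\"']*)?",
    re.IGNORECASE,
)


def find_blocked_tld_refs(text):
    """Return (host, kind) pairs for references under a blocked TLD.

    kind is 'link' for explicit URLs and 'bare' for scheme-less names such as
    'assignment.zip', which could be a file name or a domain and deserve review.
    """
    hits = []
    for match in CANDIDATE_RE.finditer(text):
        host = match.group("host").lower()
        tld = host.rsplit(".", 1)[-1]
        if tld not in BLOCKED_TLDS:
            continue  # e.g. files.example.com/backup.zip: ".zip" is only in the path
        kind = "link" if match.group("scheme") else "bare"
        hits.append((host, kind))
    return hits


# Constructed sample message body (not real mail).
SAMPLE_EMAIL = (
    "Please re-authenticate at https://outlook365update.zip/login today.\n"
    "Patch notes: HTTP://ExcelPatch.ZIP:8080/\n"
    "Your archive is at https://files.example.com/backup.zip\n"
    "The homework is in assignment.zip.\n"
)

if __name__ == "__main__":
    for host, kind in find_blocked_tld_refs(SAMPLE_EMAIL):
        print(f"{kind:5} {host}")
```

Explicit links can be blocked outright, while 'bare' hits are better routed to review or rewriting, since legitimate mail mentions .zip attachments by name.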