Hackers Exploit “Contact Us” Forms In Phishing Campaign

Check Point Research (CPR) has identified a new phishing campaign, known as ZipLine, that reverses traditional scams by forcing the victim to start the conversation.

In a rush? Here are the quick facts:

  • Hackers use “Contact Us” forms to trick U.S. companies into starting conversations.
  • Attackers pose as business partners, maintaining weeks of email exchanges before striking.
  • Campaign often uses AI-themed pretexts, such as fake “AI Impact Assessments.”

CPR explains that unlike normal phishing attacks, where hackers initiate contact, this new campaign lures in victims through company “Contact Us” forms.

“In every case, it was the victim who initiated the email exchange that ultimately led to infection,” said CPR. With this method, the attackers fabricate legitimate-looking interactions, helping them evade detection.

The hackers engage in email exchanges that sometimes span weeks, pretending to be business partners and even asking companies to sign Non-Disclosure Agreements. Eventually, the attackers send a malicious ZIP file through Heroku, a genuine cloud platform. Inside the ZIP is a fake PDF or Word file, along with a hidden shortcut file that stealthily launches malicious code.
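A defensive check for the delivery format described above, as an added example that is not from CPR or the original article: it lists the entries of a ZIP attachment and flags archives that pair a document with a Windows shortcut, recognising the shortcut by its `.lnk` extension or its Shell Link header. The verdict labels, size cap and nesting limit are assumptions, and the sample archive is constructed.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Shell Link (.lnk) header: HeaderSize 0x4C followed by the LinkCLSID (MS-SHLLINK)
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
DOC_EXTS = {".pdf", ".doc", ".docx"}   # decoy types named in the article
MAX_NESTED = 10 * 1024 * 1024          # assumed cap before unpacking an inner ZIP
MAX_DEPTH = 2                          # assumed nesting limit

def triage_zip(data: bytes, depth: int = 0) -> dict:
    """List shortcut and document entries; a shortcut beside a document is 'suspicious'."""
    out = {"shortcuts": [], "documents": [], "verdict": "ok"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        out["verdict"] = "unreadable"
        return out
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = PurePosixPath(info.filename).suffix.lower()
            try:
                with zf.open(info) as fh:
                    head = fh.read(len(LNK_MAGIC))
            except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                head = b""  # encrypted or unsupported entry: fall back to the name
            if ext == ".lnk" or head == LNK_MAGIC:
                out["shortcuts"].append(info.filename)
            elif ext in DOC_EXTS:
                out["documents"].append(info.filename)
            elif (head[:4] == b"PK\x03\x04" and depth < MAX_DEPTH
                  and info.file_size <= MAX_NESTED):
                inner = triage_zip(zf.read(info), depth + 1)
                out["shortcuts"] += [f"{info.filename}!{n}" for n in inner["shortcuts"]]
                out["documents"] += [f"{info.filename}!{n}" for n in inner["documents"]]
    if out["shortcuts"]:
        out["verdict"] = "suspicious" if out["documents"] else "review"
    return out

def build_sample(with_shortcut: bool) -> bytes:
    """Constructed sample archive; the shortcut entry is a bare header, not a working .lnk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("NDA_draft.pdf", b"%PDF-1.4 constructed sample")
        if with_shortcut:
            zf.writestr("docs/NDA_signed.dat", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()
```

Calling `triage_zip(build_sample(True))` returns the `suspicious` verdict even though the shortcut entry carries a `.dat` name, because the header match does not depend on the extension.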

That code then installs MixShell, a powerful backdoor that lets attackers steal files, run commands, and even act as a proxy inside the victim’s network. CPR noted, “MixShell supports file operations, reverse proxying, command execution, and pipe-based interactive sessions.”

In recent cases, CPR reports that hackers used an “AI transformation” theme, pretending to run an “AI Impact Assessment” for company leadership. The email asks employees to fill out a short questionnaire, which CPR notes is another tactic to build trust.

The attackers also use domains linked to old U.S. businesses, many of which appear abandoned but still look legitimate. Their targets range from small firms to Fortune 500 companies, especially in manufacturing, aerospace, consumer electronics, and energy.

According to CPR, “This campaign reflects the evolving tactics of advanced phishing campaigns.” Security experts warn that even basic website forms, if left unchecked, can open the door to highly damaging cyberattacks.
