Google's .zip Top Level domain is already used in phishing attacks

Martin Brinkmann
May 15, 2023
Updated • Apr 14, 2024

Google released the top-level domain .zip to the public recently, which means that interested organizations and users may register .zip domains. Cyber criminals are already using .zip domains in phishing campaigns.

According to the SANS Internet Storm Center, about 1230 names have been registered so far. The top level domain was approved in 2014 but it took Google until May 2023 to unlock it for public registration alongside seven other domain extensions.

It seems that Google has reduced the registration price to $15 per year for a .zip domain last week, which appears to be less than halve the previous price. The price drop appears to have increased interest for .zip domains, and some new registrations are already used in phishing campaigns.

The .zip extension allows cyber criminals to run phishing campaigns that abuse the fact that .zip is a popular file extension and also a top level domain.

Domains such as or have already been used in phishing campaigns. The latter is still online but safe browsing should warn users prior to accessing the site in question. Several of the registered domains could be used in phishing campaigns, while others may be used for legitimate purposes. The makers of archiving software might register a matching domain name for their products.

Most of the registered domains have not been set up to display web content. The message "the site can't be reached" or similar messages are displayed in this case.

The Microsoft phishing site displays a Microsoft sign-in prompt when it is accessed. Users should never see the page, but if they override the warning message, should not enter any data on the page.

microsoft phishing zip

Use in phishing campaigns is just one new option that cyber criminals have when it comes to .zip domains. Some applications may attach hyperlinks to ZIP file names now, which may lead to the firing of DNS queries and the leaking of information to the .zip domain.

The ICSS recommends to disable access to .zip domains entirely until the dust settles and risks can be accessed. Internet users need to take a closer look at .zip links and zip file extensions that may also be displayed as links in some applications.

For now, there is little reason to access .zip domains; this may change if legitimate companies and software developers announce that their products are now also available on a specific .zip domain.

Another one of Google's recently launched new top level domains might cause similar issues. The top level domain .mov is also available for public registration, and it too is also a file extension, albeit not as popular as .zip.

Now You: do you access sites that use newer top level domains regularly?

Google's .zip Top Level domain is already used in phishing attacks
Article Name
Google's .zip Top Level domain is already used in phishing attacks
Google's .zip top level domain has been opened up for public registration, and criminals are already using .zip sites in phishing campaigns.
Ghacks Technology News

Previous Post: «
Next Post: «


  1. Anonymous said on May 18, 2023 at 7:03 pm

    Google’s motto went from “Don’t be evil” to “Evil is good”

  2. Tom Hawack said on May 15, 2023 at 6:57 pm

    I already block several gTLDs and visit regularly ‘Spamhaus – The Top 10 Most Abused TLDs’ at []

    For deeper information regarding TLds and gTLDs I visit ‘IANA – Root Zone Database’ at []

    I’m adding .zip and .mov gTLDs to my DNS blocklist. I’ll maybe add ‘Google’s 101 originally applied for strings, separated by contested and non-contested’ available at []

    Any gTLD using a file extension is relevant of its owners’ questionable integrity in my view. Corroborates my extreme caution when it comes to Google.

    1. Pablo W. said on May 16, 2023 at 10:31 pm

      “Any gTLD using a file extension is relevant of its owners’ questionable integrity in my view. Corroborates my extreme caution when it comes to Google.” <– Ditto that!

      I'm using Firefox extension 'Block Site' where I added *.zip and *.mov for blocking. Works great! Easy to test too.

  3. Tony said on May 15, 2023 at 6:00 pm

    I already have them blocked on our network. Thanks for the heads up.

  4. John G. said on May 15, 2023 at 3:02 pm

    One of the worst ideas by Google! Next idea will be the domain .Trojan, LOL.

    1. Andy Prough said on May 16, 2023 at 11:19 pm

      How about .doc, .xls, .pdf, and .msg, John G.? Those would be real winners. Or .jpg, .gif, and .bmp.

      1. Amat said on May 23, 2023 at 9:28 pm

        They do already have .phd which i immediately misread as .pdf because i wasn’t paying enough attention.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.