A New Kind of Phishing Attack Targeting Contact Forms
Cybercriminals have found a new way to bypass spam filters and sneak into company networks: by abusing your website’s “Contact Us” form.
This sneaky approach flips the phishing script and makes you the one who initiates the email contact — lowering your guard from the very start.
It’s a bit like this: someone posts flyers around the neighborhood looking for a piano teacher. A local musician calls, thinking they’ve landed a new student. The person sounds genuine — polite, eager, with good questions. After a few conversations, the teacher invites them into his home for the first lesson.
But here’s the catch: they’re not there to learn. While inside, they pocket the spare house keys. They don’t rob the place immediately — instead, they leave quietly, planning to come back later when no one expects it.
That’s the essence of what we might call a “reverse-phish” attack. It’s not an industry term, but a useful way to describe how criminals are turning phishing on its head. Rather than barging into your inbox, they get you to initiate email communication yourself — and then take advantage of the trust you extend.
How This Phishing Attack Works Step by Step
So how does a “reverse-phish” actually unfold? Security researchers have uncovered campaigns targeting manufacturers and other supply-chain businesses that follow this exact pattern. Here’s the anatomy of the attack:
Step 1: Scammer Uses Your Website Contact Form
Instead of sending a phishing email, the scammer submits a message through your company’s Contact Us form. Because it looks like a normal inquiry, it bypasses spam filters and lands directly with your team.
Step 2: Your Team Responds and Starts the Email Thread
This is the flip: your staff replies, thinking they’re handling a legitimate lead. Since you initiated the email exchange, the adversary immediately gains credibility.
Step 3: Attacker Builds Trust Over Time
Over the course of days or even weeks, the threat actor keeps the conversation going. They ask reasonable questions, show interest in your services, and act like a serious prospect or partner. Each reply strengthens the illusion of legitimacy.
Step 4: The Fake NDA Delivers Malware
Eventually, the scammer suggests moving forward with business — but first, they ask you to sign a non-disclosure agreement (NDA). The file they send, typically a ZIP archive, doesn’t contain a contract at all. It hides malware.
Step 5: Malware Infects the Victim’s System
When opened, the file launches malicious code that runs silently in memory. From here, the threat actor can install a backdoor, harvest credentials, or prepare the network for a ransomware attack.
Step 6: Data Exfiltration and Persistent Access
With a foothold in place, the attacker can move files out of your network, escalate privileges, or maintain long-term access. Like the thief who pockets spare house keys, they may not strike right away — but the damage is already done.
How This Type of Attack Is Being Used in the ‘ZipLine’ Phishing Campaign
Security researchers at Check Point have done extensive analysis of one major campaign, which they’ve named “ZipLine.” Their investigation uncovered a wave of phishing attempts aimed primarily at large U.S. enterprises in the manufacturing and supply-chain sectors. While we’re keeping this post high-level, you can find their full technical report here: Check Point Research – ZipLine Phishing Campaign.
The industry breakdown shows that industrial manufacturing was the number one target, but other sectors such as consumer goods, hardware and semiconductors, biotech, and even media were also in the crosshairs.
Although the majority of observed victims were large enterprises, small and mid-sized businesses (SMBs) were also included. And as this attack pattern gains traction and is inevitably adopted by other threat actors, there’s no reason to believe Canadian manufacturers and SMBs are immune. Any organization with valuable intellectual property, supply-chain connections, or sensitive data could find itself on the receiving end of a reverse-phish attack.
Why This Phishing Tactic Works So Well
Phishing campaigns succeed because they prey on human nature — and this twist makes them even harder to spot. Here’s why scammers are finding so much success with this method:
Trust feels earned, not forced
When you reply to a Contact Us inquiry or a business request, it feels like you’re in control. That psychological shift makes the adversary seem more credible right from the start.
The attack moves slowly
Unlike spam emails that demand you click a link immediately, reverse-phish campaigns can stretch over days or weeks. Each polite, professional message builds more trust — lowering defenses with every exchange.
Legitimacy tricks are convincing
Scammers often use real-looking company names, aged domains, and even request standard documents like NDAs. On the surface, everything looks like normal business development.
Technical stealth keeps them hidden
Once the malicious file is opened, the malware typically runs directly in memory, avoiding detection by traditional antivirus tools. Some campaigns use advanced techniques like DNS tunneling for communication, making the attack even harder to trace.
The Business Impact of a Contact Form Phish
When an attacker gains access through a reverse-phish, the damage often extends far beyond a single compromised device. The consequences can ripple across an organization — and even its partners.
Intellectual property theft
Manufacturers and technology companies are especially at risk of losing sensitive designs, formulas, or prototypes. Once stolen, that data can be sold, leaked, or used by competitors.
Supply chain disruption
A single compromised supplier can create a domino effect. If your business is seen as the weak link, partners may suspend connections or require costly additional audits before continuing to work with you.
Ransomware staging
Reverse-phish malware often acts as a backdoor. Once inside, attackers may escalate privileges, move laterally, and eventually deploy ransomware — locking down production systems and data until a ransom is paid.
Reputational damage
Explaining to clients, investors, or partners that your network was breached because of a simple contact form exchange is a tough conversation. The loss of trust can last long after systems are restored.
How Businesses Can Protect Themselves from Phishing Through Contact Forms
The good news is that while reverse-phish attacks are clever, they’re not unstoppable. A mix of awareness, process, and technology can go a long way toward reducing the risk.
1) View Contact Us Forms as Worthy of Scrutiny
Treat inbound website forms as part of your security surface, not just a marketing tool. Train staff to handle every new inquiry with caution, following procedures to verify unfamiliar senders. This helps close the door on attackers who try to use trust and routine business practices as their entry point.
2) Use secure document-sharing platforms
Instead of trading files through email, use e-signature or secure file-sharing tools. These platforms add a layer of validation and reduce the chance of malware slipping through.
3) Strengthen endpoint protection
Deploy advanced endpoint detection and response (EDR) such as ThreatLocker to spot in-memory malware, unusual PowerShell activity, or DNS tunneling attempts — tactics often used in these campaigns.
4) Add filtering and sandboxing for attachments
Email security gateways with sandboxing can automatically detonate and analyze suspicious files, including ZIP archives, before they reach an employee’s inbox.
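One way a gateway hook or intake script could pre-screen a ZIP sent as an "NDA" before anyone opens it, as an added example (not code from this post or from Check Point). The extension lists, function names and sample archives are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy lists (illustrative, not from the original post).
RISKY_EXT = {".lnk", ".exe", ".scr", ".js", ".vbs", ".ps1", ".bat", ".cmd", ".hta", ".msi"}
DOC_EXT = {".pdf", ".doc", ".docx"}

def triage_zip(data: bytes) -> list[str]:
    """Return reasons to quarantine a ZIP sent as an 'NDA'; empty list = no finding."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    findings, has_document = [], False
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
            last = suffixes[-1] if suffixes else ""
            if info.flag_bits & 0x1:  # bit 0 of the ZIP flags marks an encrypted entry
                findings.append(f"{name}: encrypted, cannot be scanned or sandboxed")
            if last in RISKY_EXT:
                findings.append(f"{name}: executable, script or shortcut type {last}")
                if len(suffixes) > 1 and suffixes[-2] in DOC_EXT:
                    findings.append(f"{name}: double extension posing as a document")
            elif last in DOC_EXT:
                has_document = True
    if not has_document:
        findings.append("archive holds no document, yet was presented as a contract")
    return findings

def build_sample(names: list[str]) -> bytes:
    """Constructed sample: in-memory ZIP with placeholder bytes under each name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for names in (["NDA.pdf"], ["NDA.pdf.lnk"]):
        print(names, "->", triage_zip(build_sample(names)) or "no finding")
```

A static check like this only looks at names and flags inside the archive, so it complements sandbox detonation rather than replacing it.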
Key Takeaway: Don’t Be the One Who Opens the Door
The piano lesson analogy reminds us how easily trust can be misused. Just as a thief poses as a student to pocket spare keys, cybercriminals can pose as prospects through your Contact Us form and use that trust to slip malware into your systems.
Phishing has always relied on deception, but the reverse-phish shows just how creative attackers have become. They don’t need to break in — they wait for you to open the door.
The takeaway is simple: treat every new inquiry as part of your security surface. With the right training, clear processes, and modern security tools, you can stay open for real business opportunities while keeping the criminals out.