The Gist
One click on “Contact Us” was all it took. The ZipLine manufacturing phishing attack flipped the script—tricking U.S. manufacturers and supply chain–critical companies into initiating contact with attackers.
These weren’t broad, opportunistic scams but targeted intrusions aimed at enterprises for their financial value and smaller firms for their weaker defenses.
The takeaway? Whether large or small, any business that relies on vendors is exposed—the supply chain has become the front door for cybercrime.
How Manufacturing Phishing Attacks Work
Check Point Research revealed that this wasn’t your typical spray-and-pray phishing campaign. Instead, attackers initiated the attack by submitting contact requests through company websites, tricking their targets into continuing the conversation via email.
From there, they invested heavily in building their perceived credibility with the victims by:
- Using professional dialogue and business-like requests for NDAs.
- Leveraging cloned websites connected to aged domains that slipped past filters.
- Playing the long game, exchanging back-and-forth messages over days or weeks.
Once trust was firmly established between the attackers and target organizations, they delivered a malicious ZIP file containing MixShell, a stealthy in-memory implant designed to grant attackers persistent access.
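One way defenders can look for this pattern is sketched below. This is an added example, not code from Check Point or Trustmi: it correlates contact-form submissions with later inbound mail and flags a ZIP delivered by a correspondent who was first seen through the form. The record fields, the `.example` domains, the vendor list and the 60-day window are all assumptions, and checking both attachments and linked URLs is a generalization, since the write-up does not say how the ZIP arrived.

```python
from datetime import datetime
from urllib.parse import urlparse

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def has_zip(msg):
    # Check attachment names and the path part of any linked URL.
    names = list(msg.get("attachments", []))
    names += [urlparse(u).path for u in msg.get("urls", [])]
    return any(n.lower().endswith(".zip") for n in names)

def flag_contact_form_archives(forms, mail, vendor_domains, window_days=60):
    """Flag ZIP deliveries from domains first seen via the contact form."""
    first_seen = {}  # domain -> earliest contact-form submission
    for f in forms:
        d, ts = domain(f["email"]), datetime.fromisoformat(f["ts"])
        if d not in vendor_domains and ts < first_seen.get(d, datetime.max):
            first_seen[d] = ts
    alerts, exchanged = [], {}
    for m in sorted(mail, key=lambda m: m["ts"]):
        d, ts = domain(m["sender"]), datetime.fromisoformat(m["ts"])
        if d not in first_seen or ts < first_seen[d]:
            continue  # sender never used the form, or mail predates it
        exchanged[d] = exchanged.get(d, 0) + 1
        age = (ts - first_seen[d]).days
        if has_zip(m) and age <= window_days:
            alerts.append({"domain": d, "days_since_form": age,
                           "prior_messages": exchanged[d] - 1})
    return alerts

# Constructed sample records (not real data); *.example domains are placeholders.
VENDORS = {"acme-freight.example"}
FORMS = [
    {"ts": "2025-03-03T10:15:00", "email": "sourcing@harborline-parts.example"},
    {"ts": "2025-03-04T08:30:00", "email": "ap@acme-freight.example"},
]
MAIL = [
    {"ts": "2025-03-04T09:00:00", "sender": "sourcing@harborline-parts.example"},
    {"ts": "2025-03-10T15:20:00", "sender": "sourcing@harborline-parts.example"},
    {"ts": "2025-03-17T11:00:00", "sender": "sourcing@harborline-parts.example",
     "attachments": ["NDA_package.zip"]},
    {"ts": "2025-03-18T12:00:00", "sender": "ap@acme-freight.example",
     "attachments": ["invoices.zip"]},
    {"ts": "2025-03-19T07:45:00", "sender": "news@unrelated.example",
     "urls": ["https://files.unrelated.example/catalog.zip"]},
]

if __name__ == "__main__": print(flag_contact_form_archives(FORMS, MAIL, VENDORS))
```

The `prior_messages` and `days_since_form` fields give an analyst the "long game" context: a ZIP arriving after days of polite exchange with a form-originated contact deserves more scrutiny than one from an established vendor.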
But MixShell was only the payload. What made ZipLine effective was the trust attackers built by impersonating vendors and suppliers, the same tactic that often escalates into manufacturing phishing attacks that turn into financial fraud. They relied on three levers:
- Urgency: Attackers claimed shipment delays or business issues to pressure targets into acting fast.
- Authority: By impersonating trusted logistics providers, they appeared legitimate.
- Vendor trust: By posing as business partners, they exploited manufacturers’ reliance on routine supply chain communication.
Why does this work so well? Because phishing has become nearly indistinguishable from legitimate business communications. As highlighted in Trustmi’s AI, Cybersecurity & The New Era of Fraud web series, even the best email filters and employee training can fail once a trusted vendor is impersonated.
For example, Curtis Simpson, CISO at Armis, warned that “spear phishing is still incredibly problematic,” and once a trusted vendor account is compromised, “email security generally just does not apply,” even when paired with top email security solutions.
Beyond Malware: Trustmi’s Take
While ZipLine stopped at malware, other attackers have gone further. As we covered last year in a blog about rising BEC manufacturing attacks, companies like Orion and Toyota Boshoku lost tens of millions of dollars after falling victim to vendor impersonation schemes. It shows how the same tactics used to build trust in phishing campaigns often escalate into outright payment fraud.
Manufacturing is especially vulnerable for a few key reasons:
- Focused targeting: As The Hacker News noted, ZipLine’s selective targeting shows attackers are homing in on industries critical to the supply chain.
- Complex vendor networks: Global supply chains consist of thousands of vendors, each a potential entry point.
- Isolated teams: The bigger the company, the more vendors, and the more siloed the teams managing vendor transactions. The recent Trustmi 2025 Socially Engineered Fraud & Risk Report highlighted how those silos increase vendor fraud risk.
Attackers often recycle these same tactics into payment fraud, including faked invoices, altered bank details, and impersonated suppliers.
This is what makes Vendor Email Compromise (VEC) so damaging: it’s not about a single phishing email, but about undermining the trust that keeps supply chains moving. Malware may be one outcome, payment fraud another—but in every case, manufacturing phishing attacks exploit vendor trust as bait.