The Gist
One click on “Contact Us” was all it took. The ZipLine manufacturing phishing attack flipped the script—tricking U.S. manufacturers and supply chain–critical companies into initiating contact with attackers.
These weren’t broad, opportunistic scams but targeted intrusions aimed at enterprises for their financial value and smaller firms for their weaker defenses.
The takeaway? Whether large or small, any business that relies on vendors is exposed—the supply chain has become the front door for cybercrime.
How Manufacturing Phishing Attacks Work
Check Point Research revealed that this wasn’t your typical spray-and-pray phishing campaign. Instead, attackers initiated the attack by submitting contact requests through company websites, tricking their targets into continuing the conversation via email.
From there, they invested heavily in building their perceived credibility with the victims by:
- Using professional dialogue and business-like requests for NDAs.
- Leveraging cloned websites connected to aged domains that slipped past filters.
- Playing the long game, exchanging back-and-forth messages over days or weeks.
Once trust was firmly established between the attackers and target organizations, they delivered a malicious ZIP file containing MixShell, a stealthy in-memory implant designed to grant attackers persistent access.
But MixShell was only the payload. What made ZipLine effective was the trust attackers built by impersonating vendors and suppliers, the same tactic that often escalates into manufacturing phishing attacks that turn into financial fraud. They built that trust through:
- Urgency: Attackers claimed shipment delays or business issues to pressure targets into acting fast.
- Authority: By impersonating trusted logistics providers, they appeared legitimate.
- Vendor trust: By posing as business partners, they exploited manufacturers’ reliance on routine supply chain communication.
Why does this work so well? Because phishing has become nearly indistinguishable from legitimate business communications. As highlighted in Trustmi’s AI, Cybersecurity & The New Era of Fraud web series, even the best email filters and employee training can fail once a trusted vendor is impersonated.
And the industry knows it’s behind the curve. According to LevelBlue’s 2025 Cyber Resilience in Manufacturing report, 37% of manufacturers say they’re experiencing significantly more cyberattacks than a year ago, and 28% have suffered a breach in the past 12 months.
Yet only 32% say they’re prepared for AI-powered threats and just 30% for deepfakes or synthetic identity attacks—the very tools that make impersonation schemes like ZipLine so convincing.
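The sequence described in this section (an inbound contact-form request, a conversation lasting days or weeks, then a ZIP sent from an aged domain) can be detected by correlating form submissions with later inbound mail. The Python below is an added example, not code from Check Point or Trustmi; the record layout, the thresholds and all sample data are assumptions constructed for illustration, and it contrasts a domain-age rule, which the aged domain passes, with the correlation rule.

```python
from datetime import datetime, timedelta

ARCHIVE_EXT = (".zip",)   # the page names a ZIP file; extending this is an assumption
NEW_DOMAIN_DAYS = 30      # assumed cutoff for a "newly registered domain" rule

# Constructed sample data; all addresses and file names are made up.
FORMS = [  # contact-form submissions: (time, e-mail the submitter entered)
    (datetime(2025, 3, 3, 9, 0), "sales@partner-example.test"),
    (datetime(2025, 3, 4, 14, 0), "buyer@customer-example.test"),
]
MAIL = [  # inbound mail: (time, sender, attachment names, sender-domain age in days)
    (datetime(2025, 3, 4, 10, 0), "sales@partner-example.test", [], 1900),
    (datetime(2025, 3, 5, 9, 0), "buyer@customer-example.test", ["order.pdf"], 2400),
    (datetime(2025, 3, 6, 9, 0), "promo@fresh-example.test", ["deal.zip"], 4),
    (datetime(2025, 3, 7, 11, 0), "sales@partner-example.test", ["NDA_draft.pdf"], 1900),
    (datetime(2025, 3, 17, 16, 0), "sales@partner-example.test", ["NDA_signed.zip"], 1900),
]

def archives(names):
    """Return the attachment names that look like archives."""
    return [n for n in names if n.lower().endswith(ARCHIVE_EXT)]

def new_domain_filter(mail):
    """Baseline rule: archive attachments from recently registered domains."""
    return [m for m in mail if m[3] < NEW_DOMAIN_DAYS and archives(m[2])]

def form_origin_archives(forms, mail, min_gap=timedelta(days=1)):
    """Flag the first archive from a sender whose first contact was a web
    contact form and who sends it only after a warm-up conversation."""
    first_contact = {}
    for when, addr in forms:
        addr = addr.lower()
        first_contact[addr] = min(when, first_contact.get(addr, when))
    findings, seen = [], set()
    for when, sender, names, _age in sorted(mail, key=lambda m: m[0]):
        sender = sender.lower()
        start = first_contact.get(sender)
        if start is None or sender in seen or not archives(names):
            continue
        if when - start >= min_gap:
            prior = sum(1 for m in mail
                        if m[1].lower() == sender and start <= m[0] < when)
            findings.append({"sender": sender, "days": (when - start).days,
                             "prior_messages": prior, "archives": archives(names)})
            seen.add(sender)
    return findings

if __name__ == "__main__":
    print("new-domain rule:", [m[1] for m in new_domain_filter(MAIL)])
    print("form-origin rule:", form_origin_archives(FORMS, MAIL))
```

A hit from the correlation rule is a reason to hold the archive for review, not proof of compromise, since legitimate prospects also arrive through contact forms.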
Beyond Malware: Trustmi’s Take
While ZipLine stopped at malware, other attackers have gone further. As we covered last year in a blog about rising BEC manufacturing attacks, companies like Orion and Toyota Boshoku lost tens of millions of dollars after falling victim to vendor impersonation schemes. It shows how the same tactics used to build trust in phishing campaigns often escalate into outright payment fraud.
Manufacturing is especially vulnerable for a few key reasons:
- Focused targeting: As The Hacker News noted, ZipLine’s selective targeting shows attackers are homing in on industries critical to the supply chain.
- Complex vendor networks: Global supply chains consist of thousands of vendors, each a potential entry point.
- Isolated teams: The bigger the company, the more vendors, and the more siloed the teams managing vendor transactions. The recent Trustmi 2025 Socially Engineered Fraud & Risk Report highlighted how those silos increase vendor fraud risk.
Manufacturers are investing more in cybersecurity: 69% say they’re making significant new investments in cyber resilience, and 65% now measure leadership roles against cybersecurity KPIs. But that investment remains focused on defending systems, not securing transactions.
Attackers are exploiting that gap. They’re using AI to impersonate billing partners, reroute reimbursements, and manipulate the trusted workflows that keep the manufacturing economy running.
This is what makes Vendor Email Compromise (VEC) so damaging: it’s not about a single phishing email, but about undermining the trust that keeps supply chains moving. Malware may be one outcome, payment fraud another—but in every case, manufacturing phishing attacks exploit vendor trust as bait.
