Google announced 8 new top-level domains for dads, grads and techies.
See the news article here https://blog.google/products/registry/8-new-top-level-domains-for-dads-grads-tech/
Although any TLD can be abused, in this batch the .zip domain caught the most attention, because it collides with the familiar .zip file extension.
If you look at the .zip domains that have already been registered, it is likely that some of them are going to be used for malicious purposes (microsoftdefender_zip, Microsoft-update_zip, Office365-update_zip, officeupdate_zip, microsoftoutlook_zip, ….).
Google’s new .zip top-level domain is already being used in phishing attacks, so I started to investigate how to block it easily in a Modern Workplace environment.
In addition to the Google TLDs, it is advisable to block some of the other TLDs that appear in the Spamhaus Top 10 (The Spamhaus Project – The Top 10 Most Abused TLDs: .rest, .wiki, .live, .xyz, …).
The simplest way to block TLDs via Intune is to create a reusable setting that holds the domain names (as auto-resolving keywords) and then reference it from a firewall rules policy.
Open http://intune.microsoft.com
Click Endpoint security > Firewall and choose Tab Reusable settings
Reusable settings are very handy and save a lot of time: the same settings can be referenced from other firewall policies, and when they need to be edited this only has to be done in one place.
Click Add
Enter a Name and Description
Add the domains *.zip, *.foo and *.mov
For each instance, set Auto Resolve to True and enter the keyword (the wildcard FQDN).
After the instances are added and the settings are saved, switch back to the Summary tab.
Under Firewall Policies > Create Policy
Select Platform: Windows 10, Windows 11, Server
and Profile: Windows Defender Firewall Rules
then click Create
Give Name and Description and Click Next
Under Reusable Groups, click Set reusable settings and choose Block Google TLDs (the reusable setting created above)
Under Rule properties, click Edit Rule
and change the options:
Enabled: Enabled
Name: Block Google TLDs
Interface Types: All
Network Types: FW_PROFILE_TYPE_ALL : This value represents ….
Direction: The rule applies to Outbound traffic.
Action: Block
Don’t forget to switch the Action to Block
Click Save
Click Next > Next
Add assignments; assign the policy to a test group of devices first.
Click Next followed by Create
The rule is created and ready for testing.
On a device where the rule is applied, connections to www.url.zip will be blocked.
Two caveats to keep in mind when testing: the firewall filters on the IP addresses the keyword resolves to, not on the hostname, so a .zip site hosted on a shared CDN address can cause other sites on that same address to be blocked as well; and the address set is filled from answers seen by the device’s DNS client, so a browser that does its own DNS-over-HTTPS resolution bypasses the device resolver and the rule will not match that traffic.
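To see what the portal steps above actually create on the endpoint, here is an added example (my own code, not part of the original post) that builds the same construct locally with the NetSecurity dynamic-keyword cmdlets: one auto-resolving keyword per wildcard TLD, and one outbound block rule bound to those keywords. It assumes Windows 11 22H2 or later (or Windows Server 2022), where New-NetFirewallDynamicKeywordAddress and the -RemoteDynamicKeywordAddresses parameter of New-NetFirewallRule exist, an elevated session, and a lab machine that is not already receiving the Intune policy; the rule name and the www.url.zip probe host are assumptions. Use it to test behaviour in a lab, not as a replacement for the Intune policy on managed devices.

```powershell
# Added example, not from the original post: lab-only local equivalent of the
# Intune reusable setting + firewall rule. Assumes Windows 11 22H2+/Server 2022
# (dynamic keyword cmdlets present) and an elevated PowerShell session.
#Requires -RunAsAdministrator

$ruleName = 'Block Google TLDs (lab)'          # rule name is an assumption
$tlds     = @('*.zip', '*.foo', '*.mov')       # the keywords used in the reusable setting

# One dynamic keyword address object per wildcard FQDN. AutoResolve = $true lets the
# firewall fill the address set from the answers the device's DNS client receives,
# so the rule ends up matching the IPs of any name under these TLDs.
$keywordIds = @(
    foreach ($tld in $tlds) {
        $id = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
        New-NetFirewallDynamicKeywordAddress -Id $id -Keyword $tld -AutoResolve $true | Out-Null
        $id
    }
)

# Outbound block rule on all profiles and all interface types, bound to the keyword
# objects instead of to static remote IP ranges (the same shape the portal wizard builds).
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Action Block -Enabled True `
        -Profile Any -InterfaceType Any `
        -RemoteDynamicKeywordAddresses $keywordIds | Out-Null
}

# Show the result. The address list of each keyword stays empty until something on
# this device has resolved a matching name.
Get-NetFirewallRule -DisplayName $ruleName |
    Format-List DisplayName, Enabled, Direction, Action, Profile
foreach ($id in $keywordIds) { Get-NetFirewallDynamicKeywordAddress -Id $id | Format-List }

# Behavioural check: resolve a test name through the device resolver, then try to
# connect. The TCP test should fail once the resolved address is in the keyword set.
$probe = 'www.url.zip'                         # probe host is an assumption
Resolve-DnsName $probe -Type A -ErrorAction SilentlyContinue | Select-Object Name, IPAddress
Test-NetConnection -ComputerName $probe -Port 443 -WarningAction SilentlyContinue |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded

# Cleanup when done testing: remove the rule first, then the keyword objects
# (Remove-NetFirewallDynamicKeywordAddress per the NetSecurity docs; verify on your build).
# Remove-NetFirewallRule -DisplayName $ruleName
# foreach ($id in $keywordIds) { Remove-NetFirewallDynamicKeywordAddress -Id $id }
```

If Test-NetConnection still succeeds, check whether the client that did the lookup used its own DNS-over-HTTPS resolver (the keyword then never sees the answer), and whether the rule is listed in the ActiveStore with Action Block.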
More information:
I already blocked several gTLDs from The Top 10 Most Abused TLDs: https://www.spamhaus.org/statistics/tlds/
More information about TLDs and gTLDs: https://www.iana.org/domains/root/db
Google’s .zip Top Level domain is already used in phishing attacks – gHacks Tech News
https://icannwiki.org/Google#New_gTLDs
Updated 2024-02-22
The management console does not display all firewall rules; some only show up under Monitoring in the Windows Defender Firewall MMC snap-in (wf.msc).
Windows keeps firewall rules in several policy stores (Local, Policies (GP), MDM, …). With PowerShell you can retrieve the merged set of rules that is currently in effect:
Get-NetFirewallRule -PolicyStore ActiveStore
More info: Get-NetFirewallRule (NetSecurity) | Microsoft Docs
Registry
You can also check the registry to confirm that an MDM-delivered rule has been applied to the system; the rules are stored under the following key (CurrentControlSet is the alias for the control set Windows booted from, so it can be used instead of ControlSet001):
Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\FirewallRules
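As an added example (my own, not from the original post), the following script ties the three checks above together on a managed device: which policy stores contain the rule, what the rule’s remote-address filter and keyword objects look like, and whether the MDM registry store holds it. It assumes the rule name used in this post (Block Google TLDs), Windows 11 22H2 or later with the dynamic-keyword cmdlets, and an elevated session; the -AllAutoResolve parameter is taken from the NetSecurity dynamic keyword documentation and should be verified on your build.

```powershell
# Added example, not from the original post: locate an Intune-delivered firewall rule
# on a managed device across the stores mentioned above. Assumes the rule name used in
# the post, Windows 11 22H2+ (dynamic keyword cmdlets) and an elevated session.
#Requires -RunAsAdministrator

$ruleName = 'Block Google TLDs'
$tlds     = @('*.zip', '*.foo', '*.mov')

# 1. Which stores hold the rule. PersistentStore = local rules, RSOP = Group Policy result,
#    ActiveStore = the merged set currently enforced (what the MMC Monitoring node shows).
foreach ($store in 'PersistentStore', 'RSOP', 'ActiveStore') {
    $hit = Get-NetFirewallRule -PolicyStore $store -ErrorAction SilentlyContinue |
        Where-Object DisplayName -eq $ruleName
    '{0,-16} {1}' -f $store, $(if ($hit) { 'present' } else { 'absent' })
}

# 2. Details of the effective rule; PolicyStoreSource shows which store supplied it.
$rule = Get-NetFirewallRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
    Where-Object DisplayName -eq $ruleName
if (-not $rule) {
    Write-Warning "Rule '$ruleName' is not in the active store; check the Intune assignment and run a device sync."
} else {
    $rule | Format-List DisplayName, PolicyStoreSource, PolicyStoreSourceType, Enabled, Direction, Action, Profile
    # With a reusable setting the remote-address filter references dynamic keyword IDs,
    # not literal IP ranges.
    $rule | Get-NetFirewallAddressFilter | Format-List
}

# 3. The keyword objects behind the reusable setting and the addresses resolved so far.
#    -AllAutoResolve lists every auto-resolving keyword (parameter per the NetSecurity
#    dynamic keyword docs; verify on your build).
Get-NetFirewallDynamicKeywordAddress -AllAutoResolve -ErrorAction SilentlyContinue |
    Where-Object { $_.Keyword -in $tlds } | Format-List

# 4. The MDM store in the registry. CurrentControlSet is an alias for the control set
#    Windows booted from, so it is safer than hard-coding ControlSet001.
$mdmKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\FirewallRules'
if (Test-Path $mdmKey) {
    # Each value is one rule, serialized as a pipe-delimited string that contains the rule name.
    (Get-ItemProperty -Path $mdmKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -like "*$ruleName*" } |
        Format-List Name, Value
} else {
    Write-Warning 'No MDM firewall rules key found; the device may not have received a firewall rules policy yet.'
}
```

A rule that is present in ActiveStore but absent from PersistentStore and RSOP is the expected picture for an Intune-delivered rule; if it is absent everywhere, the policy has not reached the device yet and the registry check in step 4 will come back empty as well.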