Constant Zimbra phishing attacks not caught by spamassassin/amavis/rspamd/etc

Post by jered »

It seems that there's a list of sites running ZCS (presumably by scanning for signatures) that I'm on, and I've been seeing huge volumes of phishing attacks (mostly phony calendar invites) that link out to a fake Zimbra login page to steal credentials. These all come in through compromised accounts at other (mostly Zimbra) sites.

Has anyone found a solution to this? I haven't had much luck crafting custom rules because the attacks are so varied and otherwise innocuous-looking, but I'm getting hundreds of Zimbra phishing attempts daily. Every time an account gets compromised from this we get blocklisted from Gmail for days until it's sorted out.