Phishing Emails Exploit Windows Search Protocol to Deliver Malicious Scripts

Exploiting Windows Search Protocol: Phishing Campaigns Delivering Malicious Scripts via HTML Attachments


In a novel phishing tactic, threat actors utilize HTML attachments to manipulate the Windows search protocol (search-ms URI). This method allows them to deploy batch files hosted on remote servers, serving as a conduit for malware distribution.

The search-ms URI is normally used to open a Windows Explorer search with predefined parameters. Although it is intended for local searches, attackers can point it at file shares on external servers, a possibility first highlighted by Prof. Dr. Martin Johns in 2020.

Recently, security researchers uncovered an advanced attack leveraging a Microsoft Office vulnerability to trigger searches directly from Word documents, further illustrating the technique's potency.

According to Trustwave SpiderLabs, adversaries now deploy this technique in live attacks. They initiate campaigns with phishing emails containing HTML attachments disguised as invoice documents within ZIP archives. This tactic helps evade traditional security measures that may overlook compressed files.

The HTML file within these attachments uses a <meta http-equiv="refresh"> tag to redirect the browser to a malicious URL automatically when the file is opened. If that redirect is blocked, an anchor tag offers a clickable link to the same URL, which requires user interaction.

The URL uses the search-ms protocol to run a query against a remote server reached through Cloudflare, so the malicious files are presented as if they were local resources. The search window is titled "Downloads" to mimic a familiar, trustworthy view.
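As an added illustration of the redirect and URI described above (this is not Trustwave's code, and the HTML sample is constructed for the example), the following Python scanner pulls every URL out of an attachment's <meta http-equiv="refresh"> and <a href> tags, decodes any search-ms: or search: URI it finds, and flags those whose crumb points a location at a remote share or URL. The parameter names query, crumb and displayname are the documented search-ms parameters; the host example.invalid and the "Downloads" display name are constructed sample values.

```python
"""Scan an HTML e-mail attachment for search-ms redirects (added example, constructed input)."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

SEARCH_SCHEMES = ("search-ms", "search")


class _LinkCollector(HTMLParser):
    """Collect (trigger, url) pairs from meta-refresh and anchor tags."""

    def __init__(self):
        super().__init__()
        self.links = []  # list of (trigger, url)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; url=search-ms:query=..."
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m:
                self.links.append(("meta-refresh", m.group(1)))
        elif tag == "a" and a.get("href"):
            self.links.append(("anchor", a["href"].strip()))


def parse_search_ms(url):
    """Return the decoded parameters of a search-ms:/search: URI, or None for other schemes."""
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() not in SEARCH_SCHEMES:
        return None
    params = {}
    for part in rest.lstrip("/").split("&"):
        key, _, value = part.partition("=")
        params.setdefault(key.lower(), []).append(unquote(value))
    return params


def is_remote(location):
    """True for UNC paths (\\\\host\\share), protocol-relative paths and scheme:// URLs."""
    loc = location.strip()
    if loc.startswith(("\\\\", "//")):
        return True
    return re.match(r"^[a-z][a-z0-9+.-]*://", loc, re.I) is not None


def analyze_html(html):
    """Return one finding per search-ms link: trigger, display name, locations, remote flag."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for trigger, url in collector.links:
        params = parse_search_ms(url)
        if params is None:
            continue  # ordinary http(s)/mailto link; not our concern here
        locations = [
            crumb[len("location:"):]
            for crumb in params.get("crumb", [])
            if crumb.lower().startswith("location:")
        ]
        findings.append({
            "trigger": trigger,
            "url": url,
            "displayname": params.get("displayname", [""])[0],
            "locations": locations,
            "remote": any(is_remote(loc) for loc in locations),
        })
    return findings


def classify(html):
    """'suspicious' if any search-ms link searches a remote location, else 'clean'."""
    return "suspicious" if any(f["remote"] for f in analyze_html(html)) else "clean"


# Constructed sample mirroring the described attachment: a meta refresh plus a fallback anchor,
# both pointing a search-ms query at a remote share and titling the window "Downloads".
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=search-ms:query=INVOICE&crumb=location:%5C%5Cexample.invalid%5Cshare&displayname=Downloads">
</head><body>
<a href="search-ms:query=INVOICE&crumb=location:%5C%5Cexample.invalid%5Cshare&displayname=Downloads">Open invoice</a>
<a href="https://example.invalid/portal">Customer portal</a>
</body></html>"""

if __name__ == "__main__":
    for finding in analyze_html(SAMPLE_HTML):
        print(finding)
    print(classify(SAMPLE_HTML))
```

A mail gateway or sandbox can apply classify() to any HTML part of an incoming message before delivery; a local-only location such as C:\Users is not flagged, so the rule keys on the remote-share behaviour rather than on the mere presence of the protocol.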

When the search results load, a single shortcut (LNK) file with an invoice-style name is displayed. Clicking it launches a batch script (BAT) hosted on the remote server. Trustwave could not analyze the BAT script because the server was unavailable, but the potential for harmful actions is significant.

To mitigate this threat, Trustwave advises carefully deleting the registry entries associated with the search-ms and search URI protocol handlers. However, doing so could disrupt legitimate applications and Windows features that depend on this protocol, so the trade-off warrants careful consideration.