"Phishing Emails Abuse Windows Search Protocol to Push Malicious Scripts"

In a new phishing campaign, HTML attachments abusing the Windows Search protocol are used to push batch files hosted on remote servers that deliver malware. The Windows Search protocol is a Uniform Resource Identifier (URI) scheme that lets applications open Windows Explorer to perform searches with specific parameters. Most Windows searches use the local device's index. However, Windows Search can be forced to query file shares on remote hosts and apply a custom title for the search window. Prof. Dr. Martin Johns noted in a 2020 thesis that attackers can use this functionality to share malicious files on remote servers. Security researchers developed an attack chain in June 2022 that abused a Microsoft Office flaw to launch searches from Word documents. According to Trustwave SpiderLabs researchers, threat actors are using this technique in the wild. They are using HTML attachments to launch Windows searches on attackers' servers. This article continues to discuss findings regarding the abuse of the Windows Search protocol by phishing emails to push malicious scripts.
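A defender-side check for the behaviour described above, as an added example that is not from the article or from Trustwave: it scans an HTML attachment for Windows Search URIs whose search scope is a remote location and reports the custom window title. The `search-ms:`/`search:` scheme names and the `query`, `crumb=location:` and `displayname` parameters are not named on this page and are supplied from general knowledge of the protocol; the sample markup and its host are constructed.

```python
import html
import re
from urllib.parse import unquote

# URI schemes handled by Windows Search (assumption: not named on the page).
URI_RE = re.compile(r"""\bsearch(?:-ms)?:[^\s"'<>]+""", re.IGNORECASE)
# A scope is treated as remote if it is a UNC path, a //host path or a URL.
REMOTE_RE = re.compile(r"^(?:\\\\|//|https?://|file://)", re.IGNORECASE)

# Constructed sample attachment body; the host name is a placeholder.
SAMPLE = """<html><body>
<a href="search-ms:query=invoice&amp;crumb=location:%5C%5Cfiles.example.invalid%5Cshare&amp;displayname=Downloads">open</a>
<a href="search-ms:query=notes&amp;crumb=location:C%3A%5CUsers">local</a>
</body></html>"""


def parse_search_uri(uri):
    """Split a search URI into lower-cased parameter names and decoded values."""
    _, _, rest = uri.partition(":")
    params = {}
    for part in rest.split("&"):
        key, sep, value = part.partition("=")
        if sep:
            params.setdefault(key.strip().lower(), []).append(unquote(value))
    return params


def find_remote_searches(document):
    """Return one finding per search URI whose scope points off the local device."""
    findings = []
    text = html.unescape(document)  # undo &amp; and numeric entities first
    for match in URI_RE.finditer(text):
        params = parse_search_uri(match.group(0))
        locations = [v.split(":", 1)[1] for v in params.get("crumb", [])
                     if v.lower().startswith("location:")]
        remote = [loc for loc in locations if REMOTE_RE.match(loc)]
        if remote:
            findings.append({
                "locations": remote,
                "displayname": (params.get("displayname") or [None])[0],
                "query": (params.get("query") or [None])[0],
            })
    return findings
```

A finding on an inbound HTML attachment is a reason to quarantine the message; the search scoped to a local drive in the sample is deliberately not reported.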

Bleeping Computer reports "Phishing Emails Abuse Windows Search Protocol to Push Malicious Scripts"

Submitted by grigby1

Submitted by Gregory Rigby on