Blog

Target: IT Professionals (Elementary)

Tags: Isolation, Safe Workspace^®, Safe Browser, Zero-day, NoCloud™, Anti-Phishing, Protection by containment™

In the ever-evolving landscape of cyber threats, a new phishing campaign has surfaced, leveraging the Windows search protocol to distribute malicious scripts. This campaign uses HTML attachments that exploit the search-ms [1] URI scheme to push batch files from remote servers, ultimately delivering malware to unsuspecting users.

Understanding the Windows Search Protocol

The Windows Search protocol is a Uniform Resource Identifier (URI) that allows applications to open Windows Explorer and perform searches using specific parameters. While typical Windows searches are conducted on the local device’s index, the protocol can also be configured to query file shares on remote hosts. Additionally, it supports the use of custom titles for the search windows, enhancing its flexibility.

This functionality, however, can be a double-edged sword. As highlighted by Prof. Dr. Martin Johns in a 2020 thesis, attackers can exploit this feature to distribute malicious files hosted on remote servers.

The Evolution of the Attack

In June 2022, security researchers devised a sophisticated attack chain that combined this URI exploitation with a Microsoft Office vulnerability. This method allowed attackers to initiate searches directly from Word documents, marking a significant escalation in the threat landscape.

Recently, researchers [2] have uncovered real-world instances of this technique being employed by threat actors. These cybercriminals are now using HTML attachments to launch Windows searches on servers they control, pushing malware to users’ devices.

Anatomy of the Recent Attacks

The latest attacks [2], begin with a phishing email. The email carries an HTML attachment, cleverly disguised as an invoice document, within a small ZIP archive. This ZIP archive serves a dual purpose: it makes the attachment appear legitimate and helps evade detection by security and antivirus (AV) scanners that may not thoroughly inspect archived files.

Upon opening the HTML attachment, the embedded script abuses the search-ms[1] protocol to direct the Windows Search feature to a remote server controlled by the attacker. This action triggers the download of a malicious batch file, which is then executed on the victim’s system, leading to the installation of malware.

Protecting Against Such Threats

To mitigate the risks associated with this type of phishing attack, users and organizations should adopt preventative solution such as BUFFERZONE® SafeWorkspace® comprehensive suite of cybersecurity solutions, each designed to address the most significant attack vector targeting the endpoint:

1. Safe Mail: To disarm emails and isolate attachments to block phishing emails with malicious attachments from accessing the registry, file system, memory/processor and network.
2. Safe Browser: Secure web browsing and file downloads.
3. Safe Removables: Secure USB/CD/DVD and auto-execution prevention.
4. SafeBridge®: Ensure that all file downloads and email content is Content Disarmed and Reconstruction (CDR) a zero-trust file security to prevent file bornebased attacks.
5. NoCloud™ Anti-phishing: Detect and block users from visiting malicious websites phishing for user login credentials.

Conclusion

The abuse of the Windows search protocol in phishing attacks underscores the constant need for vigilance and proactive security measures. By understanding how these attacks operate and implementing robust defenses that combine dynamic AI phishing detection and smart endpoint isolation technology, users and organizations can better protect themselves from these sophisticated cyber threats. Stay informed, stay cautious, and stay secure.

References

[1] https://learn.microsoft.com/en-us/windows/win32/search/-search-3x-wds-qryidx-searchms

[2] https://www.bleepingcomputer.com/news/security/phishing-emails-abuse-windows-search-protocol-to-push-malicious-scripts/