A new phishing campaign uses HTML attachments that abuse the Windows search protocol (search-ms URI) to push batch files hosted on remote servers that deliver malware.

The Windows Search protocol is a Uniform Resource Identifier (URI) that enables applications to open Windows Explorer to perform searches using specific parameters.

While most Windows searches will look at the local device’s index, it is also possible to force Windows Search to query file shares on remote hosts and use a custom title for the search window.

Attackers can exploit this functionality to share malicious files on remote servers, as Prof. Dr. Martin Johns first highlighted in a 2020 thesis.

In June 2022, security researchers devised a potent attack chain that also exploited a Microsoft Office flaw to launch searches directly from Word documents.

Trustwave SpiderLabs researchers now report that this technique is used in the wild by threat actors who are using HTML attachments to launch Windows searches on attackers’ servers.

Abusing Windows Search

The recent attacks described in the Trustwave report start with a malicious email carrying an HTML attachment disguised as an invoice document placed within a small ZIP archive. The ZIP helps evade security/AV scanners that may not parse archives for malicious content.

The HTML file uses the <meta http-equiv= “refresh”> tag to cause the browser to automatically open a malicious URL when the HTML document is opened.

If the meta refresh fails due to browser settings blocking redirects or other reasons, an anchor tag provides a clickable link to the malicious URL, acting as a fallback mechanism. This, however, requires user action.

In this case, the URL is for the Windows Search protocol to perform a search on a remote host using the following parameters:

• Query: Searches for items labeled “INVOICE.”
• Crumb: Specifies the search scope, pointing to a malicious server via Cloudflare.
• Displayname: Renames the search display to “Downloads” to mimic a legitimate interface.
• Location: Uses Cloudflare’s tunneling service to mask the server, making it look legitimate by presenting remote resources as local files.

Next, the search retrieves the list of files from the remote server, displaying a single shortcut (LNK) file named as an invoice. If the victim clicks on the file, a batch script (BAT) hosted on the same server is triggered.

Trustwave couldn’t establish what the BAT does, as the server was down at the time of their analysis, but the potential for risky operations is high.

To defend against this threat, Trustwave recommends deleting registry entries associated with the search-ms/search URI protocol by executing the following commands:

reg delete HKEY_CLASSES_ROOTsearch /f
reg delete HKEY_CLASSES_ROOTsearch-ms /f

However, this should be done carefully, as it would also prevent legitimate applications and integrated Windows features that rely on this protocol, from working as intended.