Windows Search Protocol Abused By Hackers In Phishing Campaign
A new phishing campaign uses HTML attachments that exploit the Windows search protocol (search-ms URI) to distribute malware via remote batch files. This protocol can force Windows Search to query remote hosts and use custom search window titles. Attackers leverage this functionality to share malicious files, a technique first highlighted in a 2020 thesis by Prof. Dr. Martin Johns. In June 2022, researchers discovered an attack chain that also used a Microsoft Office flaw to initiate searches from Word documents. Trustwave SpiderLabs reports that threat actors are now actively using this method with HTML attachments to launch searches on their servers.
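For mail-gateway or triage use, the following added example (not code from the article or from Trustwave) flags HTML attachments containing a `search-ms:` URI that points Windows Search at a remote host. It assumes the remote path travels in the URI's `crumb=location:` parameter and the window title in `displayname`; the sample attachment and its host name are constructed.

```python
import re
from html import unescape
from urllib.parse import parse_qs

# search-ms: URIs anywhere in the markup (href, meta refresh, inline script)
URI_RE = re.compile(r"""\bsearch-ms:[^\s"'<>]+""", re.IGNORECASE)
# A location is treated as remote when it is a UNC path or a URL
REMOTE_RE = re.compile(r"^(?:\\\\|//|https?://|file://)", re.IGNORECASE)

def find_remote_searches(html_text):
    """Return one finding per search-ms URI whose location crumb is remote."""
    findings = []
    # unescape() turns &amp; back into & so the parameters split correctly
    for match in URI_RE.finditer(unescape(html_text)):
        # parse_qs also percent-decodes the values (%5C -> backslash)
        params = parse_qs(match.group(0).split(":", 1)[1], keep_blank_values=True)
        params = {key.lower(): values for key, values in params.items()}
        for crumb in params.get("crumb", []):
            kind, _, value = crumb.partition(":")
            value = value.strip()
            if kind.lower() == "location" and REMOTE_RE.match(value):
                findings.append({
                    "location": value,
                    "query": params.get("query", [""])[0],
                    "displayname": params.get("displayname", [""])[0],
                })
    return findings

# Constructed sample: one remote search via meta refresh, one harmless local search
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0; url=search-ms:query=INVOICE&amp;crumb=location:%5C%5Cfiles.example.invalid%5Cshare&amp;displayname=Downloads">
</head><body>
<a href="search-ms:query=report&amp;crumb=location:C:%5CUsers">local search</a>
</body></html>"""

if __name__ == "__main__":
    for finding in find_remote_searches(SAMPLE_ATTACHMENT):
        print("remote search-ms location:", finding)
```

A hit on an inbound attachment is a reason to quarantine it for review, since a legitimate HTML e-mail attachment rarely needs to open a Windows Search window at all.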