HomeWinBuzzer NewsWindows Search Protocol Abused in New Phishing Attack

Windows Search Protocol Abused in New Phishing Attack

A new Windows Search phishing campaign involves an email containing an HTML attachment disguised as an invoice within a ZIP archive.


Security researchers at Trustwave SpiderLabs have discovered a phishing campaign that uses the Windows search protocol to distribute malware via HTML email attachments. The attackers exploit the search-ms URI protocol to query remote file shares, allowing for the distribution of harmful files.

How the Attack Works

The campaign begins with an email containing an HTML attachment disguised as an invoice within a ZIP archive, a method that typically bypasses most antivirus and security scanners. When the HTML file is opened, a “ tag instantly redirects the user to a malicious website. If the browser blocks this automatic redirect, a clickable anchor tag serves as a backup, requiring user interaction.

The redirect URL employs the Windows Search protocol to query a remote server for files labeled “INVOICE.” The server's IP is obscured through Cloudflare's tunneling service, making it appear as a local resource. The search results display files from the remote server, with a particularly misleading LNK file named “invoice,” which, when clicked, executes a batch script on the victim's system.

Execution and Potential Harm

Upon interaction with the link, a batch script from the remote server is activated. Although Trustwave has not been able to pinpoint the specifics of the batch file's actions due to server downtime, the risks include potential execution of harmful operations.Mitigation Strategies

Trustwave suggests modifying the registry to remove entries associated with the search-ms/search URI protocol to prevent exploitation. This can be done using the following commands, though it is important to note that this will also impact legitimate applications utilizing this protocol:

reg delete HKEY_CLASSES_ROOT\search /f
reg delete HKEY_CLASSES_ROOT\search-ms /f

Technical Details

The have been relatively low volume, with only a few cases identified so far. The HTML attachment takes advantage of standard web protocols to manipulate Windows functionalities, specifically using a `meta refresh` tag set to zero for instant redirection. Browsers typically prompt users before executing the search, acting as a safeguard against unauthorized operations.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.