Attackers exploit Windows-based ‘search-ms’ protocol

Attackers have advanced their techniques for leveraging the "search-ms" uniform resource identifier (URI) protocol from malicious documents to direct users to websites that exploit search-ms functionality using JavaScript hosted on the page.

The search-ms protocol lets Windows users launch search operations via a URI. On its own it is a benign feature, but when combined with another weakness, such as one in Windows document handling, attackers can potentially use it as part of a broader phishing or malware campaign.

In a July 26 blog post, Trellix researchers said that in attacks leveraging the search-ms URI protocol handler, threat actors can craft deceptive emails containing hyperlinks or attachments that redirect users to compromised websites. When users visit the website, malicious JavaScript initiates searches against a remote server using the search-ms URI protocol handler.

The Trellix researchers said because the protocol handler has emerged as a potent initial attack vector, it’s very important that security teams anticipate a potential increase in attacks using this method: it offers threat actors a convenient way to deliver malicious payloads while evading traditional security defenses.

“The search results of remotely hosted malicious shortcut files are displayed in Windows Explorer disguised as PDFs or other trusted icons, just like local search results,” explained the Trellix researchers. “This technique conceals the fact that the user is being provided with remote files and gives the user the illusion of trust. As a result, the user is more likely to open the file, assuming it is from their own system, and unknowingly execute malicious code.”

Callie Guenther, cyber threat research senior manager at Critical Start, explained that in this scenario, threat actors create malicious Microsoft Word documents that exploit vulnerabilities in Microsoft Office and Windows, triggering the search-ms protocol handler to open a remote Windows Search window on the victim's computer. Guenther said the window lists executables hosted on a remote SMB share, disguised as something innocent like “Critical Updates.”

“If the victim is tricked into executing these files, they would unwittingly install malware onto their system,” said Guenther. “The mitigation strategy proposed is to remove the search-ms protocol handler from the Windows Registry. Doing so will prevent the malicious documents from triggering the ‘search-ms’ command, thus protecting the user from this particular attack vector.”
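The registry mitigation Guenther describes, as a PowerShell script added here (it is not from the article, Critical Start or Trellix): it audits the handler registration, exports a backup, and only then deletes the key. It assumes the handler is registered at HKEY_CLASSES_ROOT\search-ms, its standard location; the backup directory and the -Remove switch are this example's own choices.

```powershell
# Added example: audit, back up and remove the search-ms protocol handler.
# Assumption: the handler is registered at HKEY_CLASSES_ROOT\search-ms.
#Requires -RunAsAdministrator
param(
    [switch]$Remove,                                          # audit only unless set
    [string]$BackupDir = "$env:ProgramData\search-ms-backup"  # assumed path
)

$KeyPath = 'Registry::HKEY_CLASSES_ROOT\search-ms'

if (-not (Test-Path $KeyPath)) {
    Write-Output 'search-ms protocol handler is not registered; nothing to do.'
    return
}

# Audit: report the registration and the command Windows would launch for it
$key = Get-Item $KeyPath
Write-Output "Handler present: $($key.Name)"
Write-Output "URL Protocol value: '$($key.GetValue('URL Protocol'))'"
$cmd = Get-ItemProperty -Path "$KeyPath\shell\open\command" -ErrorAction SilentlyContinue
if ($cmd) { Write-Output "Launch command: $($cmd.'(default)')" }

if (-not $Remove) {
    Write-Output 'Run again with -Remove to export a backup and delete the key.'
    return
}

# Export the key first so the handler can be restored with `reg import <file>`
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ("search-ms-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
reg.exe export 'HKEY_CLASSES_ROOT\search-ms' $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Backup failed; key left in place.' }

# Remove the handler; search-ms: links will no longer be dispatched by Windows
Remove-Item -Path $KeyPath -Recurse -Force

if (Test-Path $KeyPath) { throw 'Removal failed; key still present.' }
Write-Output "search-ms handler removed. Backup saved to $backup"
```

Removing the handler also disables legitimate search-ms links such as saved searches, so keep the exported .reg file for rollback.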

Eli Nussbaum, managing director at the Conversant Group, added that this newly identified method relies on user error, but it also takes advantage of a weak perimeter.

Nussbaum said this attack requires gaps at multiple layers of an organization’s defenses. First, properly leveraging email filters with URL rewriting and malicious content controls will limit the impact of a search-ms attack. Second, it relies on limited restrictions on outbound internet browsing — both at the firewall and internet proxy level. Once again, outbound controls are critical.

“Email gateways, firewalls and content inspection tools both at the perimeter and local device, along with appropriate EDR/MDR, go a long way to reducing the risk of this attack vector,” said Nussbaum. “This novel threat will have a difficult time pushing through a properly layered security strategy that continuously evolves and is actively updated leveraging current threat intelligence. Putting aside the technical chicanery, the root of this attack is that users are tricked into believing that they are looking at files — not on the internet, but rather on their local network/computer. This reduces a user's suspicion and increases the chances that they will open a malicious file.”

While security pros such as Nussbaum advise a holistic security approach, there are also new emerging products that claim to manage these search-ms issues. Vendors such as Trellix, Abnormal Security, Proofpoint, Mimecast and many others offer AI-based solutions to create a system that learns and dynamically monitors baseline behaviors. The behavioral intelligence can potentially identify that a specific user doesn’t normally receive a certain type of document.
