Link: Landing page with search-ms protocol redirect

Detects messages containing URL shortener links that redirect to search-ms protocol queries, which can be used to execute local file searches on Windows systems.

Sublime rule (View on GitHub)

```yaml
name: "Link: Landing page with search-ms protocol redirect"
description: "Detects messages containing URL shortener links that redirect to search-ms protocol queries, which can be used to execute local file searches on Windows systems."
type: "rule"
severity: "high"
source: |
  type.inbound
  and all(body.links, .href_url.domain.root_domain in $url_shorteners)
  and any(body.links,
          regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
                          'search-ms:[^\;]*query=[^\;]+\.lnk'
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Scripting"
detection_methods:
  - "URL analysis"
  - "Threat intelligence"
id: "fea6aa70-61d5-5e69-b8c3-f7d09d2ff0ba"
```
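To see how the rule's two conditions combine, here is an added Python re-implementation of its logic run over constructed samples; it is not Sublime's code. The `(host, final_dom_raw)` tuples stand in for `body.links` and `ml.link_analysis(...).final_dom.raw`, `URL_SHORTENERS` is a small stand-in for `$url_shorteners`, and `root_domain` is a deliberately crude two-label reduction rather than Sublime's public-suffix-aware one.

```python
import re

# Stand-in for Sublime's $url_shorteners list (constructed, not the real list).
URL_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}

# The same pattern the rule applies to the final rendered DOM. regex.icontains
# is case-insensitive, so re.IGNORECASE is needed to match e.g. "Invoice.LNK".
SEARCH_MS_LNK = re.compile(r"search-ms:[^\;]*query=[^\;]+\.lnk", re.IGNORECASE)


def root_domain(host: str) -> str:
    """Crude stand-in for .href_url.domain.root_domain: keep the last two labels."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def matches_rule(links) -> bool:
    """links: list of (href_host, final_dom_raw) for each link in the message body.

    Mirrors the rule body (type.inbound is assumed to hold):
      - all(body.links, root_domain in $url_shorteners)   -> every link is a shortener
      - any(body.links, regex.icontains(final_dom, ...))   -> some landing page carries
                                                             a search-ms query for a .lnk
    With no links any(...) is false, so the rule cannot fire.
    """
    if not links:
        return False
    all_shorteners = all(root_domain(host) in URL_SHORTENERS for host, _ in links)
    any_search_ms = any(SEARCH_MS_LNK.search(dom) for _, dom in links)
    return all_shorteners and any_search_ms


# Constructed final-DOM samples standing in for what link analysis would render.
BENIGN_DOM = '<html><body><a href="https://example.com/news">Read more</a></body></html>'
SUSPICIOUS_DOM = '<html><body><a href="search-ms:query=Invoice.LNK&displayname=Documents">Open</a></body></html>'
# A ';' between query= and .lnk breaks the [^\;]+ run, so this does not match.
SEMICOLON_DOM = '<html><body><a href="search-ms:query=report;x.lnk">Open</a></body></html>'

if __name__ == "__main__":
    print(matches_rule([("bit.ly", SUSPICIOUS_DOM)]))                        # True
    print(matches_rule([("www.example.com", SUSPICIOUS_DOM)]))               # False: not a shortener
    print(matches_rule([("bit.ly", BENIGN_DOM), ("t.co", SUSPICIOUS_DOM)]))  # True: any() on the DOM
```

Note the asymmetry: a single non-shortener link anywhere in the body defeats the `all(...)` clause even when another link lands on a search-ms page, which is the trade-off the rule makes for precision.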