URI protocol handler: search-ms

Detects HTML attachments using the search-ms URI protocol handler, a technique observed ITW to deliver malicious payloads.

This rule can be updated to analyze links in PDF attachments and message bodies.

Sublime rule

name: "URI protocol handler: search-ms"
description: |
  Detects HTML attachments using the search-ms URI protocol handler,
  a technique observed ITW to deliver malicious payloads.

  This rule can be updated to analyze links in PDF attachments and message bodies
references:
  - "https://twitter.com/blackorbird/status/1684505999301029888?s=20"
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_type == "html"
          and any(file.explode(.),
                  any(.scan.strings.strings, regex.contains(., 'search-ms:query.*location:\\\\'))
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "File analysis"
  - "HTML analysis"
id: "ee27d9c0-2d7e-5f6d-85be-73f3bf5b7cb1"
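The same check re-implemented outside Sublime, as an added example that is not part of the rule or the Sublime platform: it walks a constructed inbound message, picks out HTML attachments (the rule's `.file_type == "html"`) and applies the rule's regex to their decoded content. The message, addresses, filename and HTML samples are all constructed for the demonstration.

```python
import re
from email.message import EmailMessage

# Same pattern as the rule. The YAML single-quoted '\\\\' reaches the regex
# engine as two literal backslashes, i.e. the UNC prefix after "location:".
SEARCH_MS_PATTERN = re.compile(r"search-ms:query.*location:\\\\")


def html_attachments(msg: EmailMessage):
    """Yield (filename, decoded text) for every text/html attachment."""
    for part in msg.iter_attachments():
        if part.get_content_type() == "text/html":
            yield part.get_filename(), part.get_content()


def matches_search_ms_rule(msg: EmailMessage) -> list[str]:
    """Return the names of HTML attachments whose content matches the rule."""
    return [name for name, text in html_attachments(msg)
            if SEARCH_MS_PATTERN.search(text)]


def build_message(attachment_html: str, filename: str = "invoice.html") -> EmailMessage:
    """Build a constructed inbound message carrying one HTML attachment (sample data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(attachment_html, subtype="html", filename=filename)
    return msg


# Constructed samples: one lure pointing a search-ms query at a remote share
# (the string the rule looks for), one ordinary HTML attachment.
SUSPICIOUS_HTML = ('<html><body><a href="search-ms:query=Invoice'
                   '&crumb=location:\\\\example.invalid\\share">Open</a></body></html>')
BENIGN_HTML = "<html><body><p>Quarterly newsletter</p></body></html>"

if __name__ == "__main__":
    print(matches_search_ms_rule(build_message(SUSPICIOUS_HTML)))  # ['invoice.html']
    print(matches_search_ms_rule(build_message(BENIGN_HTML)))      # []
```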