The Windows Search protocol is a Uniform Resource Identifier (URI) scheme that lets applications open Windows Explorer and run searches with specific parameters. Typically, these searches run against the local device’s index. However, attackers have discovered that Windows Search can be manipulated to query file shares on remote hosts and present those remote files as if they were local.
The recent phishing attacks, detailed in a report by Trustwave SpiderLabs, start with a seemingly innocuous email. The email carries a ZIP archive containing an HTML attachment disguised as an invoice document. Packaging the file in a ZIP archive helps it evade many security and antivirus scanners that might not inspect the contents thoroughly.
When opened, the HTML file uses a `<meta http-equiv="refresh">` tag to automatically redirect the browser to a malicious URL. A clickable anchor tag provides a fallback mechanism if the automatic redirect fails due to browser settings or other reasons. This U
[…]
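A defender-side check for the delivery chain described above, as an added example that is not from the original article or the Trustwave report: it unpacks a ZIP attachment and flags HTML files whose meta refresh or anchor targets use a Windows Search URI scheme. The scheme names `search-ms:` and `search:`, the function names and the sample archive are assumptions made for this example.

```python
import io
import re
import zipfile
from html.parser import HTMLParser

# Assumption: Windows Search is reached via the "search-ms:" and "search:" URI schemes.
SEARCH_SCHEMES = ("search-ms:", "search:")

class RedirectFinder(HTMLParser):
    """Collect targets of <meta http-equiv="refresh"> tags and <a href> anchors."""
    def __init__(self):
        super().__init__()
        self.urls = []  # (source, url) pairs
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content has the form "<seconds>; url=<target>"
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
            if m:
                self.urls.append(("meta-refresh", m.group(1).strip()))
        elif tag == "a" and a.get("href"):
            self.urls.append(("anchor", a["href"].strip()))

def scan_html(text):
    """Return (source, url) pairs whose URL uses a Windows Search scheme."""
    finder = RedirectFinder()
    finder.feed(text)
    return [(s, u) for s, u in finder.urls if u.lower().startswith(SEARCH_SCHEMES)]

def scan_zip(data):
    """Return {member name: hits} for HTML members of a ZIP attachment (bytes)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith((".html", ".htm")):
                hits = scan_html(zf.read(info).decode("utf-8", errors="replace"))
                if hits:
                    findings[info.filename] = hits
    return findings

def build_sample_zip():
    """Constructed sample: one HTML 'invoice' with both redirects, one benign page."""
    bad = ('<meta http-equiv="refresh" content="0; url=search-ms:query=CONSTRUCTED">'
           '<a href="SEARCH-MS:query=CONSTRUCTED">Open</a>'
           '<a href="https://example.invalid/help">Help</a>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("INVOICE.html", bad)
        zf.writestr("readme.htm", '<a href="https://example.invalid/">ok</a>')
    return buf.getvalue()
```

Calling `scan_zip(build_sample_zip())` reports only `INVOICE.html`, with one hit for the automatic redirect and one for the fallback anchor.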