sublimehighRule

URI protocol handler: search-ms

Detects HTML attachments using the search-ms URI protocol handler, a technique observed ITW to deliver malicious payloads. This rule can be updated to analyze links in PDF attachments and message bodies

MITRE ATT&CK

T1566.001 T1204.002 T1486 T1036 T1027

defense-evasion

Detection Query

type.inbound
and any(attachments,
        .file_type == "html"
        and any(file.explode(.),
                any(.scan.strings.strings,
                    regex.contains(., 'search-ms:query.*location:\\\\')
                )
        )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

References

https://twitter.com/blackorbird/status/1684505999301029888?s=20

Raw Content

name: "URI protocol handler: search-ms"
description: |
  Detects HTML attachments using the search-ms URI protocol handler,
  a technique observed ITW to deliver malicious payloads.

  This rule can be updated to analyze links in PDF attachments and message bodies
references:
  - "https://twitter.com/blackorbird/status/1684505999301029888?s=20"
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_type == "html"
          and any(file.explode(.),
                  any(.scan.strings.strings,
                      regex.contains(., 'search-ms:query.*location:\\\\')
                  )
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "File analysis"
  - "HTML analysis"
id: "ee27d9c0-2d7e-5f6d-85be-73f3bf5b7cb1"