← Back to Explore
sublimehighRule
Link: Landing page with search-ms protocol redirect
Detects messages containing URL shortener links that redirect to search-ms protocol queries, which can be used to execute local file searches on Windows systems.
Detection Query
type.inbound
and all(body.links, .href_url.domain.root_domain in $url_shorteners)
and any(body.links,
regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
'search-ms:[^\;]*query=[^\;]+\.lnk'
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Link: Landing page with search-ms protocol redirect"
description: "Detects messages containing URL shortener links that redirect to search-ms protocol queries, which can be used to execute local file searches on Windows systems."
type: "rule"
severity: "high"
source: |
type.inbound
and all(body.links, .href_url.domain.root_domain in $url_shorteners)
and any(body.links,
regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
'search-ms:[^\;]*query=[^\;]+\.lnk'
)
)
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
- "Scripting"
detection_methods:
- "URL analysis"
- "Threat intelligence"
id: "fea6aa70-61d5-5e69-b8c3-f7d09d2ff0ba"