Researchers have discovered a vulnerability in Windows Search that allows a search window containing remotely-hosted malware executables to be opened simply by launching a Word document. This is similar to CVE-2022-30190, as it abuses a URI protocol handler to perform an action without involvement of the user.
Using this new technique, a threat actor could craft a Microsoft Word document in such a way that it will automatically launch a “search-ms” command to open a Windows Search window. While most searches are performed against a local drive, threat actors could craft the search-ms command so that it instead opens a Windows Search window pointed at a remote SMB share. This share can be named whatever the threat actor wants, such as “Important Updates,” to help further trick the user into thinking the malicious files within are required for that purpose.
While this technique does require users to manually launch malicious executables, upon which they will also receive a warning about an untrusted remote file, it is likely to be added to the arsenal of threat actors creating sophisticated phishing campaigns.
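For triage of suspicious attachments, the following added example (not code from the researchers or from Microsoft) scans every part of a .docx package for `search-ms:` URIs and reports whether the decoded URI points at a UNC host. It assumes the URI is stored inside the document itself; a document that fetches the URI from remote content will not be caught by a static scan. The host name `fileserver.example` and the parameter name in the sample targets are constructed placeholders.

```python
import html
import io
import re
import zipfile
from urllib.parse import unquote

# A search-ms: URI runs until a quote, angle bracket or whitespace.
SEARCH_MS = re.compile(rb"search-ms:[^\"'<>\s]+", re.IGNORECASE)
# After decoding, a UNC prefix (\\host\) means the search targets a remote share.
UNC = re.compile(r"\\\\([A-Za-z0-9._-]+)\\")

def scan_docx(data: bytes) -> list[dict]:
    """Report every search-ms: URI found in any part of an OOXML package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for part in pkg.namelist():
            for match in SEARCH_MS.finditer(pkg.read(part)):
                raw = match.group().decode("utf-8", "replace")
                # Undo XML entity escaping, then percent-encoding (%5C is a backslash).
                uri = unquote(html.unescape(raw))
                host = UNC.search(uri)
                findings.append({"part": part, "uri": uri,
                                 "remote_host": host.group(1) if host else None})
    return findings

def build_sample(target: str) -> bytes:
    """Constructed test input: a minimal ZIP with one external relationship.
    It is not an openable Word document."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="hyperlink" Target="{target}" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/_rels/document.xml.rels", rels)
        pkg.writestr("word/document.xml", "<document/>")
    return buf.getvalue()

# Constructed sample targets; the parameter name is a placeholder, not a real search-ms field.
REMOTE = "search-ms:constructed-sample=%5C%5Cfileserver.example%5Cshare"
LOCAL = "search-ms:constructed-sample=local"

if __name__ == "__main__":
    for target in (REMOTE, LOCAL, "https://example.com/"):
        print(target, "->", scan_docx(build_sample(target)))
```

Any finding is worth reviewing, since ordinary documents rarely carry a `search-ms:` URI; a non-empty `remote_host` marks the case described above where the search window is pointed at a remote share.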