The Many Paths to Protocol Invocation
Series: Decoding BYOPH (Part 5 of 7) Reading time: 7 minutes Skill level: Intermediate
π LinkedIn Post Content
A protocol handler is useless until someone clicks a link. But attackers have many optionsβfrom Word documents to browser redirects to email links.
Today we explore the full attack surface of protocol invocation.
π― What Youβll Learn Today
β Invoke handlers from Office documents (Word, Excel, PowerPoint) β Invoke handlers from PDF files β Invoke handlers from web browsers (HTML, JavaScript) β Understand browser security prompts and their limitations β See the full attack surface from a defenderβs perspective
πΈοΈ The Invocation Surface
Protocol handlers can be triggered from almost anywhere that handles URLs:
1
2
3
4
5
6
7
8
9
10
11
DOCUMENT-BASED WEB-BASED
βββ Microsoft Word βββ HTML anchor tags
βββ Microsoft Excel βββ JavaScript redirects
βββ Microsoft PowerPoint βββ Meta refresh tags
βββ PDF readers βββ iframes
βββ OneNote
βββ LibreOffice OTHER
βββ Email clients (Outlook, etc.)
βββ Chat apps (Teams, Slack)
βββ Note-taking apps
βββ Any app that renders URLs
This wide surface is what makes BYOPH so versatile.
π Document-Based Invocation
Microsoft Word:
- Open Word β New document
- Type text: βClick here for the portalβ
- Select text β Insert β Link
- Enter address:
myscheme://payload - Save document
- When recipient clicks the link β Handler invoked
The link looks completely normal in the document. Users canβt easily see itβs a custom scheme.
PDF Files: β’ Export from Word: File β Export β Create PDF β’ The hyperlink survives the conversion β’ PDF readers will invoke the handler when clicked
PowerPoint: β’ Add hyperlink to any object (shape, text, image) β’ Presentation mode: clicking triggers the handler β’ Great for βclick here to continueβ scenarios
π Browser-Based Invocation
Method 1: Simple HTML Anchor
1
<a href="myscheme://data">Click here</a>
Method 2: JavaScript Location
1
window.location.href = "myscheme://payload";
Method 3: JavaScript Window.open
1
window.open("myscheme://payload");
Method 4: Meta Refresh (Auto-redirect)
1
<meta http-equiv="refresh" content="0;url=myscheme://auto">
Method 5: Hidden iframe (Sneaky)
1
<iframe src="myscheme://background" style="display:none"></iframe>
π¨ Browser Security Prompts
Modern browsers show a confirmation dialog:
1
2
3
4
5
6
7
8
9
10
11
βββββββββββββββββββββββββββββββββββββββ
β Open myscheme://? β
β β
β An external application is β
β required to handle this link. β
β β
β β Always allow example.com to β
β open myscheme:// links β
β β
β [Cancel] [Open] β
βββββββββββββββββββββββββββββββββββββββ
The problem: Users often click βOpenβ without thinking, especially if: β’ The link text looks legitimate β’ They just imported a βconfigurationβ file β’ The scheme name sounds trustworthy
The bigger problem: That checkbox. If users check βAlways allow,β future invocations bypass the prompt entirely.
π Browser Behavior Comparison
| Browser | Shows Prompt | Remember Choice | Auto-invoke After |
|---|---|---|---|
| Chrome | Yes | Yes (checkbox) | If checked |
| Edge | Yes | Yes (checkbox) | If checked |
| Firefox | Yes | Yes (checkbox) | If checked |
| Safari | Yes | No | Never |
π Attack Chain: Phishing + BYOPH
Hereβs how a real attack might unfold:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
DAY 1: SETUP
βββ Attacker sends email with .reg attachment
βββ "Please import this VPN configuration"
βββ User imports β Handler registered
DAY 2-30: DORMANT
βββ Handler sits in registry, waiting
DAY 31: TRIGGER
βββ Attacker sends follow-up email
βββ Contains link to legitimate-looking page
βββ Page has: <a href="vpn-connect://auth">Connect to VPN</a>
βββ User clicks β "Open external app?" β User clicks Open
βββ Malware executes
Why the delay matters: β’ Separates suspicious .reg import from execution β’ User may forget they imported anything β’ Makes correlation harder for defenders
π‘οΈ Defense Recommendations
User Training: β’ Treat .reg files like executablesβthey enable code execution β’ Be suspicious of βOpen external application?β prompts β’ Never check βAlways allowβ for unknown schemes
Technical Controls: β’ Block .reg file downloads at web proxy β’ Monitor for .reg files in email attachments β’ Alert on new protocol handler registrations β’ Consider application whitelisting
Browser Hardening: β’ Some browsers allow enterprise policies for scheme blocking β’ Consider blocking unknown schemes at the browser level β’ Audit βalways allowβ permissions periodically
π§ͺ Lab Exercise
In your isolated VM with a registered test handler:
Exercise 1: Document Invocation
- Create a Word document with a link to your test scheme
- Save, close, and reopen
- Click the linkβobserve the behavior
- Export to PDF and test again
Exercise 2: Browser Methods Create an HTML file and test each method:
1
2
<a href="labtest://anchor">Anchor Tag</a>
<button onclick="window.location='labtest://js'">JavaScript</button>
Document your findings: Which methods show prompts? Which donβt?
π Key Takeaways
- The attack surface is hugeβany URL-rendering app can invoke handlers
- Documents are dangerousβlinks in Word/PDF look completely normal
- Browser prompts are weakβusers click through them habitually
- βAlways allowβ is permanentβcreates a silent execution path
- Time separation between registration and triggering complicates detection
β οΈ SAFETY REMINDER
1
2
3
4
5
6
7
8
Test only with benign handlers!
β Use the Notepad or logging handler from Part 3
β Never create handlers with network callbacks
β Test in isolated VMs only
β Clean up all test documents afterward
Educational purposes only.
π Coming Next Week
In Part 6, we switch fully to the blue team perspective: Detection rules, Sysmon configuration, and incident response procedures. Time to hunt these handlers!
Follow me for Part 6!
π¬ Discussion Question
Which invocation method do you think is most dangerous from a social engineering perspective? Documents, browser links, or something else?
#Cybersecurity #Phishing #SocialEngineering #BlueTeam #BYOPH #DocumentSecurity #BrowserSecurity #ThreatHunting #InfoSec #SecurityAwareness