
mommy Access Broker
mommy Access Broker is enabling access-as-a-service operations through detailed intrusion guides and compromised credentials, and Intel 471 has released reporting and Hunt Packages to support threat hunting and detection.
OneNote is a digital note-taking application developed by Microsoft. It allows users to create and organize notes in various formats, including text, images, audio recordings, and video. OneNote files have become a popular alternative to macro-based files, like Word documents, which have become more difficult to distribute due to Microsoft's patching of vulnerabilities and disabling of macros. OneNote files have been observed containing embedded files, such as HTA, CMD, and JSE files, which are used to execute malicious code when the OneNote file is opened.
Phishing campaigns have been observed delivering OneNote files containing malicious files via email or malicious URLs. Once the OneNote file is opened and the embedded file is executed, it downloads a second-stage payload from the attacker's infrastructure. Recent variants have been observed dropping Emotet and QakBot, which are commonly used to deliver additional payloads such as Cobalt Strike.
It is recommended to apply the most recent patches for Microsoft Windows on computers and endpoints, and to avoid opening unknown attachments or visiting unfamiliar URLs. Password security is also important, and switching to two-factor authentication can provide an additional layer of protection. Because OneNote is present on many Microsoft Windows systems and Microsoft Office is ubiquitous worldwide, and because understanding of how OneNote can be abused is still developing, it is important that organizations prepare themselves and stay on top of any updates concerning malicious use of Microsoft OneNote.
With the efforts by Microsoft to block Excel 4 and VBA macros that are downloaded from the internet by default, threat actors have taken to using Microsoft OneNote to deliver malicious payloads to unsuspecting victims. Among the actors and malware campaigns taking advantage of this technique, Emotet and Qakbot have been some of the most prevalent. These new email campaigns have been using malicious Microsoft OneNote attachments to distribute malware, with the attachments often disguised as guides, invoices, job references, and other types of documents.
The OneNote documents display a message that the document is protected and prompt the user to double-click the "View" button to display it properly. However, actors have been hiding various script files underneath the "View" button; these scripts download a DLL or other payload from a remote location and execute it. This leads to the installation of Emotet and other malware, which can steal email and contacts and await further commands from the command and control server.
While Microsoft OneNote displays a warning when attempting to launch an embedded file, users often click "OK" to get rid of the alert, enabling the malicious script to execute. Microsoft is adding improved protections in OneNote against phishing documents, but there is no specific timeline for when this will be available to everyone. However, Windows admins can configure group policies to protect against malicious OneNote files, either by blocking embedded files altogether or by blocking specific file extensions from running.
Because this Microsoft OneNote technique is relatively new, and additional information about the threat actors using it and the methods they employ is still being discovered, Cyborg Security will be updating the Threat Hunt Packages as more information is identified.
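As a defender-side complement to the group-policy controls above, the following is an added example (not code from this page or from Cyborg Security) that scans a .one file for embedded file objects and flags script-like payloads such as the HTA, CMD, and JSE files described earlier. It assumes the FileDataStoreObject layout from Microsoft's MS-ONESTORE specification (header GUID, 8-byte length, 12 bytes of unused/reserved fields, payload, footer GUID); the sample notebook bytes and the content heuristics are constructed for illustration.

```python
import struct
import sys

# FileDataStoreObject header/footer GUIDs (MS-ONESTORE), as they appear on disk (little-endian).
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")  # {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")  # {71FBA722-0F79-4A0B-BB13-899256426B24}
RISKY = {"pe-executable", "hta-or-html-script", "jscript-or-vbscript", "batch-or-shell"}


def classify(payload: bytes) -> str:
    """Rough content-type heuristic for an embedded object (constructed for this example)."""
    head, low = payload[:8], payload[:4096].lower()
    if head.startswith(b"MZ"):
        return "pe-executable"
    if head.startswith((b"\x89PNG", b"\xff\xd8", b"%PDF")):
        return "media-or-document"
    if b"<hta:application" in low or b"<script" in low:
        return "hta-or-html-script"  # checked before the JScript rule: HTA bodies also use ActiveXObject
    if b"activexobject" in low or b"wscript." in low or b"createobject(" in low:
        return "jscript-or-vbscript"
    if b"@echo off" in low or b"powershell" in low or b"cmd /c" in low or b"cmd.exe" in low:
        return "batch-or-shell"
    return "unknown"


def extract_embedded(data: bytes) -> list:
    """Walk every FileDataStoreObject in the blob and return offset, size, type and payload."""
    results, pos = [], data.find(FDSO_HEADER)
    while pos != -1 and pos + 36 <= len(data):
        (length,) = struct.unpack_from("<Q", data, pos + 16)  # cbLength follows the 16-byte GUID
        start, end = pos + 36, pos + 36 + length             # payload starts after length+unused+reserved
        if end > len(data):
            break  # truncated or corrupt object; stop rather than read past the buffer
        payload = data[start:end]
        results.append({"offset": pos, "size": length, "kind": classify(payload),
                        "footer_ok": FDSO_FOOTER in data[end:end + 24], "data": payload})
        pos = data.find(FDSO_HEADER, end)
    return results


def suspicious(data: bytes) -> list:
    return [e for e in extract_embedded(data) if e["kind"] in RISKY]


def _fdso(payload: bytes) -> bytes:
    return FDSO_HEADER + struct.pack("<QIQ", len(payload), 0, 0) + payload + FDSO_FOOTER


def build_sample() -> bytes:
    """Constructed stand-in for a .one file: one benign image and one HTA-style script object."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 20
    hta = b'<html><hta:application showintaskbar="no"><script>new ActiveXObject("WScript.Shell")</script></html>'
    return b"ONENOTE-FILLER" + _fdso(png) + b"\x00" * 7 + _fdso(hta) + b"TRAILER"


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for e in suspicious(blob):
        print(f"offset={e['offset']} size={e['size']} kind={e['kind']} footer_ok={e['footer_ok']}")
```

Run it with a path to a .one file to list risky embedded objects; with no argument it scans the constructed sample.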