Threat actors have switched to a new type of file for their malicious purposes, this time in the form of Microsoft OneNote attachments in emails to deploy information-stealing malware. Join us as we provide an in-depth view into the new attack campaign and how to protect against it.

The growing cybercriminal wave and headlines of novel attack campaigns have a new addition, this time in the form of OneNote attachments. Threat actors have evolved their phishing campaigns and are now using OneNote attachments that infect victims' systems with malware, giving the attackers remote access for malicious purposes.

Word and Excel attachments have been leveraged in phishing emails in the past, but the new wave of OneNote attachments should put individuals and organizations on alert. Let us see how threat actors are doing this and show you how to protect yourself.



Why are Threat Actors Using OneNote Attachments to Drop Malware?

Microsoft disabled default macros that were used in Office documents to thwart the attack campaigns where cybercriminals leveraged Word and Excel.

Following the disabling, threat actors have been utilizing various file formats to drop malware via phishing emails. From ISO disk images to password-protected ZIP archives and other methods, the threat actors were able to use these additional file formats because bugs in Windows allowed ISOs to bypass security warnings, and the 7-Zip archive utility did not propagate Mark-of-the-Web flags to the files extracted from ZIP archives.

7-Zip and Windows have since fixed these bugs, so Windows now shows security warnings when an individual attempts to open files delivered in ISO and ZIP archives. With ISO and ZIP files no longer usable for dropping malware unnoticed, threat actors have switched to OneNote attachments for their malicious purposes.

Microsoft OneNote is one of the tech giant's most popular applications, allowing individuals to create a digital notebook. Available for free, the application is included in Microsoft Office 2019 and later and in Microsoft 365. Since the application is installed by default with Microsoft Office 365, individuals who do not use OneNote can still open OneNote files.


The Latest OneNote Attachment Phishing Attacks at a Glance

Since the middle of December 2022, security researchers at Trustwave SpiderLabs have been warning individuals of threat actors distributing malicious spam and phishing emails with OneNote attachments.

The email campaign is highly sophisticated: the threat actors send phishing emails impersonating DHL shipping notifications, invoices, mechanical drawings, shipping documents, and ACH remittance forms to the victims.

OneNote does not support macros the way Word and Excel do, so the older tactic is useless. However, OneNote allows individuals to insert attachments into a notebook that are launched automatically when the attachment is opened. Using this automatic launch, threat actors have been embedding malicious VBS attachments that execute when a victim opens the file.


Malware and Trojans: The Capabilities of the OneNote Attachments

The VBS attachments appear as a file icon in OneNote and download malware from a remote site. To hide the file-icon giveaway, threat actors overlay a “Double Click to View File” bar on top of the inserted VBS attachments to obscure them.

The malicious attachment is a stacked one: once an individual moves the “Click to View Document” bar aside, multiple copies of the attachment are revealed, placed in a row so that a double-click anywhere on the bar lands on one of them and triggers its launch.

OneNote warns individuals that opening attachments can harm their computer or data. However, users are quick to dismiss or ignore such prompts, which leads to the launch of the VBS script that downloads and installs the malware. In some cases, the script downloads and executes two files from the server and also runs a malicious batch file that launches the installer in the background.
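For defenders who want to triage a suspicious .one attachment offline, the following added example (not code from the article or from the researchers it cites) carves the embedded attachment objects out of a OneNote file and flags the two traits described above: script-like payloads that reference a remote URL, and the same payload embedded several times in a row under an overlay. The header and footer GUIDs of the FileDataStoreObject structure come from Microsoft's MS-ONESTORE specification; the content markers and the sample bytes are this example's own constructions.

```python
"""Triage embedded attachments in a OneNote (.one) file (added example, not from the article).
FileDataStoreObject header/footer GUIDs are from Microsoft's MS-ONESTORE spec; the
content markers below are this example's own heuristics, not a published signature."""
import hashlib, re, struct, uuid

FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
# Assumed markers for the script/batch payload types the campaign embeds.
SCRIPT_MARKERS = {b"CreateObject(": "vbs", b"WScript.": "vbs",
                  b"@echo off": "bat", b"cmd /c": "bat", b"powershell": "ps1"}
URL_RE = re.compile(rb"https?://[^\s\"']+", re.I)

def iter_embedded_files(blob):
    """Yield (offset, payload, footer_ok) for each FileDataStoreObject in the blob."""
    pos = blob.find(FDSO_HEADER)
    while pos != -1 and pos + 36 <= len(blob):
        # guidHeader(16) cbLength(8) unused(4) reserved(8) FileData(cbLength) guidFooter(16)
        (cb,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + 36
        payload = blob[start:start + cb]
        yield pos, payload, blob[start + cb:start + cb + 16] == FDSO_FOOTER
        pos = blob.find(FDSO_HEADER, start + cb)

def triage(blob):
    """Summarise embedded objects and list why the file looks like a OneNote dropper."""
    objects, seen = [], {}
    for off, payload, footer_ok in iter_embedded_files(blob):
        kind = next((k for m, k in SCRIPT_MARKERS.items() if m in payload), "other")
        digest = hashlib.sha256(payload).hexdigest()
        seen[digest] = seen.get(digest, 0) + 1
        objects.append({"offset": off, "size": len(payload), "kind": kind, "footer_ok": footer_ok,
                        "sha256": digest, "urls": [u.decode() for u in URL_RE.findall(payload)]})
    scripts = [o for o in objects if o["kind"] != "other"]
    reasons = []
    if scripts:
        reasons.append(f"{len(scripts)} script-like attachment(s)")
    if max(seen.values(), default=0) > 1:
        reasons.append("identical payload embedded multiple times (stacked under an overlay)")
    if any(o["urls"] for o in scripts):
        reasons.append("script references a remote URL (downloader pattern)")
    return {"objects": objects, "suspicious": bool(reasons), "reasons": reasons}

def build_fdso(payload):
    """Wrap bytes in a FileDataStoreObject; used only to construct the sample below."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + bytes(12) + payload + FDSO_FOOTER

# Constructed sample: a fake overlay image, then the same script stub embedded twice.
SAMPLE_SCRIPT = b'Set sh = CreateObject("WScript.Shell")\r\n\' fetches http://example.invalid/upd\r\n'
SAMPLE_ONE = bytes(64) + build_fdso(b"\x89PNG\r\n\x1a\n" + bytes(32)) + 2 * build_fdso(SAMPLE_SCRIPT)
```

To use it on a real quarantined sample, pass `open(path, "rb").read()` to `triage()` and review the returned `reasons` and per-object hashes before deciding whether to escalate.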

The malicious OneNote files install RATs (Remote Access Trojans) that allow the threat actors to exfiltrate information from the victim’s devices. The Trojans installed by the attachments are AsyncRAT and XWorm. However, samples of the Quasar RAT have also been discovered.


What can the OneNote Attachment Delivered RATs do to Your System?

The malware installed on the victim’s devices is highly sophisticated software that gives the threat actors unauthorized access to and control over the computer. With that access, they can exfiltrate data, steal sensitive information, install additional malware, or use the infected computer as part of a larger botnet for distributed attacks.

Threat actors can use the RAT to steal files and browser-saved passwords, and to spy on victims through keylogging, screenshots, or webcam recordings while the victim is oblivious. RATs are a common tactic in the crypto world, where threat actors use them to steal crypto wallets and make away with the cryptocurrency.


How to Protect Against Phishing Attacks?

With the rising cybercrimes and novel attack campaigns, individuals need to take various approaches to tackle the ever-changing phishing attacks. Individuals can protect themselves against phishing attacks by taking several preventative measures:

  1. Be On Your Guard: Be cautious of unexpected emails, even if they appear to be from a legitimate source. Don’t click on any links or download attachments from unknown senders.
  2. Phishing Knowledge: Look for telltale signs of a phishing email, such as poor grammar, spelling mistakes, or a generic greeting instead of your name. Be wary of emails that create a sense of urgency or ask for personal information. Legitimate organizations will not typically ask for sensitive information through email.
  3. Leverage Tools: Use anti-phishing and anti-malware software on your computer and mobile devices. These tools come with advanced features that protect against various attacks, flag suspicious files, and automatically update so you always have the latest protections.
  4. Employee Education: Educate yourself and your co-workers about phishing and the different types of phishing attacks. Since cybercriminals use social engineering and can target anyone, it is best to familiarize the entire workforce, including executives and the C-suite, with anti-phishing measures.

Since threat actors are leveraging email attachments to spread malware, you should avoid downloading or opening such attachments. You can also choose an anti-virus program with a sandbox environment, which runs suspicious files in isolation and stops them if they turn out to contain malware.


Final Words

Another application, and then another file type. It would seem that cybercriminals are adamant about making the digital lives of netizens more challenging. The rising wave of cybercrime and phishing is ever-expanding, as this campaign shows, but individuals need to keep themselves protected and respond in the best possible way.

Fighting cybercriminals and protecting your systems and business from such threats is easy if you know what to do and how to respond. Keep up with the latest phishing protection trends to know how to defend against these threats. Organizations, especially small businesses, need to ensure they have adequate anti-phishing measures in place so that a single employee falling victim to a phishing campaign does not jeopardize the information assets of the entire organization.