Cybercrime , Endpoint Security , Fraud Management & Cybercrime

Microsoft OneNote Is Latest Malware Vector

Capture Your Thoughts, Discoveries and Ideas While Getting Pwned
Microsoft OneNote Is Latest Malware Vector
Image: Shutterstock

At least somebody uses Microsoft OneNote: Security researchers say they've detected an increase in the number of hackers delivering malware via the note-taking app bundled into the computing giant's Office suite of programs.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

A spike over the last two months in malicious .one files is likely due to hackers adapting to Microsoft's crackdown on macros, leading them to look for other ways to smuggle malware past threat detection, say researchers at Proofpoint.

Attachments initially observed by the company didn't register as malicious with antivirus engines, making it likely that emails appearing in inboxes had a high success rate of infection, the researchers say.

OneNote-delivered malware still requires users to click through the warning messages Microsoft throws at them when they open attachment files. Multiple threat actors are resorting to OneNote as a threat vector, but Proofpoint says adoption of the tactic by the threat actor it tracks as TA577 is particularly worrying.

"TA577's adoption of OneNote suggests other more sophisticated actors will begin using this technique soon. This is concerning: TA577 is an initial access broker that facilitates follow-on infections for additional malware including ransomware," Proofpoint says.

The firm characterizes TA577 as a "prolific cybercrime threat actor" associated with incidents of REvil and Black Basta ransomware. Just days ago, it delivered Qbot with an attack chain that included OneNote.

Observed OneNote campaigns share similar characteristics. Phishing messages typically contain OneNote file attachments with themes such as "invoice, remittance, shipping" or seasonal themes. Hackers have also sent links to download OneNote files.

The documents contain embedded files "often hidden behind a graphic that looks like a button." When the user double-clicks the embedded file - and blows through Microsoft's security warnings - the file executes. Payloads delivered through the campaigns include AsyncRAT, QuasarRAT, XWorm, Redline, AgentTesla and NetWire.

Proofpoint isn’t the only cybersecurity firm to recently observe a shift to OneNote among hackers. Trustwave in December spotted a campaign using OneNote to move Formbook malware.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.