Malicious actors are using a new file format, Microsoft OneNote attachments, to spread malware to targets. Since OneNote allows users to insert attachments into a notebook, threat actors abuse this feature by attaching malicious VBS files that, when double-clicked, launch a script that downloads malware from a remote site and installs it. Because an inserted attachment appears in OneNote as a file icon, threat actors overlay a large ‘Double click to view file’ bar over the inserted VBS attachments to hide them. If the ‘Click to View Document’ bar is moved out of the way, it can be seen that the malicious document contains multiple attachments. They are arranged so that if a user double-clicks anywhere on the bar, the second click lands on an attachment and launches the malware. Fortunately, when an attachment is launched from OneNote, the program shows a warning before anything is installed. However, if the victim ignores the warning and clicks OK, the VBS script runs, downloads the malware and installs it. This gives the threat actor remote access to the victim’s device to steal files and saved browser passwords, take screenshots, and in some cases even record video using the webcam.
[Figure: Fake DHL Email with OneNote Attachment]
[Figure: Malicious OneNote Email Attachment]
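The attack described above depends on files embedded inside the .one notebook. A defender triaging a suspicious attachment can enumerate those embedded objects statically, without opening the notebook in OneNote. The following is an added example (not SecurIT360 tooling) that walks the FileDataStoreObject structures defined in Microsoft's MS-ONESTORE specification, pulls out each payload, and flags script or executable content. The GUID byte strings follow that specification; the sample notebook bytes, the classification heuristics and the small padding tolerance before the footer are constructed assumptions for illustration.

```python
"""Static triage of OneNote (.one) files: enumerate embedded attachments.

Added example; not SecurIT360's tooling. Offsets and GUIDs follow Microsoft's
MS-ONESTORE specification for FileDataStoreObject:
  guidHeader(16) | cbLength(8, uint64 LE) | unused(4) | reserved(8) | FileData | guidFooter(16)
GUIDs are serialised little-endian, which is why the byte strings below look
reordered compared with their textual form.
"""
import struct
from typing import Dict, List

# {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}: leading GUID of a .one file
ONE_FILE_MAGIC = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")
# {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}: FileDataStoreObject.guidHeader
FDSO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
# {71FBA722-0F79-4A0B-BB13-899256426B24}: FileDataStoreObject.guidFooter
FDSO_FOOTER = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")
FDSO_META_LEN = 16 + 8 + 4 + 8  # bytes from guidHeader up to the start of FileData

# Triage heuristic (assumption): strings that usually mean "this is a script, not a document".
SCRIPT_MARKERS = (b"createobject(", b"wscript.", b"execute(", b"powershell", b"cmd.exe")


def is_onenote_file(blob: bytes) -> bool:
    return blob.startswith(ONE_FILE_MAGIC)


def classify_payload(data: bytes) -> str:
    """Coarse content type from the leading bytes; a triage heuristic, not a parser."""
    head = data[:512]
    if head.startswith(b"MZ"):
        return "pe-executable"
    if head.startswith(b"%PDF"):
        return "pdf"
    if head.startswith(b"\x89PNG") or head.startswith(b"\xff\xd8\xff"):
        return "image"
    if any(m in head.lower() for m in SCRIPT_MARKERS):
        return "script"
    return "other"


def extract_embedded_files(blob: bytes) -> List[Dict]:
    """Walk every FileDataStoreObject in the blob and return its payload plus metadata.

    The attachment's display name lives in a separate property set, not in this
    structure, so the file name a victim would see is not recovered here.
    """
    found = []
    pos = 0
    while (idx := blob.find(FDSO_HEADER, pos)) != -1:
        if idx + FDSO_META_LEN > len(blob):
            break
        (length,) = struct.unpack_from("<Q", blob, idx + 16)
        data_start = idx + FDSO_META_LEN
        data_end = min(data_start + length, len(blob))
        payload = blob[data_start:data_end]
        # FileData is followed by guidFooter; tolerate a few padding bytes (assumption).
        footer_at = blob.find(FDSO_FOOTER, data_end, data_end + 24)
        found.append({
            "offset": idx,
            "declared_length": length,
            "truncated": data_start + length > len(blob),
            "footer_ok": footer_at != -1,
            "kind": classify_payload(payload),
            "payload": payload,
        })
        pos = footer_at + 16 if footer_at != -1 else idx + 16
    return found


def triage(blob: bytes) -> Dict:
    """Summarise a notebook: what is embedded and whether any of it is executable content."""
    items = extract_embedded_files(blob)
    kinds = [i["kind"] for i in items]
    return {
        "is_onenote": is_onenote_file(blob),
        "embedded_count": len(items),
        "kinds": kinds,
        "suspicious": any(k in ("script", "pe-executable") for k in kinds),
    }


def _fdso(payload: bytes) -> bytes:
    """Serialise one FileDataStoreObject around a payload (used to build the sample)."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 4 + b"\0" * 8 + payload + FDSO_FOOTER


def build_sample_notebook() -> bytes:
    """Constructed, minimal stand-in for a .one file: magic GUID, filler, two embedded objects.

    This is not a real notebook; only the parts the scanner looks at are present.
    The "script" payload is a harmless two-line VBS stub, included only so the
    heuristic has something to match.
    """
    image = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    script = b'WScript.Echo "constructed sample"\r\nSet sh = CreateObject("WScript.Shell")\r\n'
    return ONE_FILE_MAGIC + b"\x00" * 64 + _fdso(image) + b"\x00" * 16 + _fdso(script) + b"\x00" * 8


if __name__ == "__main__":
    print(triage(build_sample_notebook()))
```

Run it against a real attachment by replacing `build_sample_notebook()` with the bytes of the file; a notebook whose embedded objects classify as `script` or `pe-executable` is worth escalating before any user is allowed to open it, and `truncated` or `footer_ok == False` entries point at a malformed or deliberately mangled object.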
SecurIT360 SOC Managed Services
If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:
- We have added indicators related to known malicious threat actors into our blocklists in our MDR solution, FortiSIEM.
- Indicators are provided in the Indicators of Compromise section below if you would like to proactively block them in your firewall.
- In addition to ongoing vendor IoC updates, we have implemented known IoC information to help with detection.
As always, if we detect activity related to these exploits, we will alert you when applicable.
- The best way to protect against malicious attachments is to simply not open files from people you do not know. If a file is mistakenly opened, do not disregard the warnings displayed by the operating system or application.
- If you see a warning that opening an attachment or link could harm your computer or files, simply do not press OK and close the application.
- If you feel it may be a legitimate email, share it with a security or Windows admin to help you verify if the file is safe.
- Consider blocking “.one” attachments. See:
- OneNote users are recommended to enable multi-factor authentication, use antivirus protection, and follow the best security practices for preventing phishing attacks.
SOC Prime has released rules to detect cyberattacks abusing OneNote attachments; its site has the full list of relevant detection content.
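The behaviour the advisory describes, OneNote handing a VBS attachment to the Windows script host, leaves a clear trace in process-creation telemetry. As an added example (not SOC Prime's or SecurIT360's rules), the following detection logic runs over a few constructed Sysmon-style records and fires when OneNote is the parent of a script interpreter, or when an interpreter is given a file under the temp OneNote export folder. The `Key=Value|...` record format, the sample paths and the temp-folder pattern are constructed assumptions; adapt them to the field names and paths your own telemetry produces.

```python
"""Detect script hosts launched by OneNote in process-creation telemetry.

Added example, not SOC Prime's or SecurIT360's detection content. The log
format below is a constructed stand-in for Sysmon Event ID 1 fields
(Image, ParentImage, CommandLine).
"""
import re
from typing import Dict, Iterable, List

# Interpreters that a double-clicked attachment would typically be handed to.
SCRIPT_HOSTS = {
    "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
    "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}
ONENOTE = "onenote.exe"
# Attachments opened from OneNote are first written to a temp "OneNote" folder.
# The exact path shape is an assumption; tune it to what your endpoints show.
ONENOTE_TEMP = re.compile(r"\\temp\\onenote\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_record(line: str) -> Dict[str, str]:
    """Parse one 'Key=Value|Key=Value' record (constructed format)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def evaluate(rec: Dict[str, str]) -> List[str]:
    """Return the detection conditions this record matches (empty list = no alert)."""
    hits = []
    parent = basename(rec.get("ParentImage", ""))
    image = basename(rec.get("Image", ""))
    cmdline = rec.get("CommandLine", "")
    if parent == ONENOTE and image in SCRIPT_HOSTS:
        hits.append("onenote_spawns_script_host")
    if image in SCRIPT_HOSTS and ONENOTE_TEMP.search(cmdline):
        hits.append("script_from_onenote_temp")
    return hits


def scan(lines: Iterable[str]) -> List[Dict]:
    """Evaluate every record and collect those that trigger at least one condition."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        hits = evaluate(rec)
        if hits:
            alerts.append({
                "image": basename(rec.get("Image", "")),
                "parent": basename(rec.get("ParentImage", "")),
                "rules": hits,
            })
    return alerts


# Constructed sample records: one OneNote-to-wscript chain, two benign events,
# and one interpreter reading from the temp OneNote folder with a different parent.
SAMPLE_LOG = r"""
Image=C:\Windows\System32\wscript.exe|ParentImage=C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE|CommandLine="C:\Windows\System32\WScript.exe" "C:\Users\alice\AppData\Local\Temp\OneNote\16.0\Exported\EXAMPLE\invoice.vbs"
Image=C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE|ParentImage=C:\Windows\explorer.exe|CommandLine="C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE" "C:\Users\alice\Documents\notes.one"
Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=cmd.exe /c dir
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=powershell.exe -File C:\Users\alice\AppData\Local\Temp\OneNote\16.0\Exported\EXAMPLE\readme.ps1
"""


def run_sample() -> List[Dict]:
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The parent-child condition is the higher-confidence one and maps directly to the execution step in the advisory; the temp-folder condition catches the case where the attachment is launched through another parent but still from OneNote's export location, at the cost of needing the path pattern kept in step with the Office version deployed.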
- TA0002 – Execution
- T1047 – Windows Management Instrumentation
- TA0005 – Defense Evasion
- T1027 – Obfuscated Files or Information
- T1036 – Masquerading
- T1070.006 – Timestomp
- T1497 – Virtualization/Sandbox Evasion
- T1562.001 – Disable or Modify Tools
- TA0006 – Credential Access
- T1003 – OS Credential Dumping
- TA0007 – Discovery
- T1057 – Process Discovery
- T1082 – System Information Discovery
- T1012 – Query Registry
- T1016 – System Network Configuration Discovery
- T1083 – File and Directory Discovery
- TA0009 – Collection
- T1005 – Data from Local System
- TA0011 – Command and Control
- T1071 – Application Layer Protocol
Indicators of Compromise (IoCs)
Resources & Related Articles
- Warning: Hackers are installing malware via Microsoft OneNote attachments
- Hackers now use Microsoft OneNote attachments to spread malware
- Hackers Are Exploiting OneNote Attachments to Launch Malware Attacks
- A First Malicious OneNote Document
- OneNote Documents Increasingly Used to Deliver Malware | Proofpoint US
- Attackers Exploit Microsoft OneNote Attachments to Steal Credentials and Spread Malware
- Rapid7 Observes Use of Microsoft OneNote to Spread Redline Infostealer Malware