Threat Awareness – Use of Microsoft OneNote to Spread Malicious Payloads Rising

SC Magazine has written an article covering the rise of a new malware trend: using Microsoft’s OneNote to distribute payloads. Researchers from both Proofpoint and Sophos have observed various threat actors executing campaigns that deliver malware through OneNote attachments, likely as part of criminals’ continued attempts to test out new methods of bypassing threat detection software. While smaller actors have been observed using this tactic since December 2022, its adoption by the group behind QakBot marks the beginning of its use in “a much more automated, streamlined fashion.” Members should consider increased scrutiny of OneNote files, to the point of blocking the application if it is not used on the organization’s network. Read more at SC Magazine.

Additional WaterISAC Reporting on the OneNote infection vector and/or Qakbot/Qbot:

• Threat Awareness – Black Basta Ransomware Employs Qakbot in Latest Attack Chain
• Qbot Displaces Emotet as Most Prevalent Malware in December 2022, New Report Finds
• Threat Awareness – Threat Actors Exploiting Microsoft OneNote Attachments to Spread Malware
• Threat Awareness – Qbot Steals Sensitive Data Minutes after the Initial Infection