Threat Awareness – Threat Actors Exploiting Microsoft OneNote Attachments to Spread Malware

Author: Alec Davison

Created: Tuesday, January 24, 2023 - 19:36

Categories: Cybersecurity

Attackers are now exploiting Microsoft OneNote attachments in phishing emails to compromise users with remote access malware, which is likely to be used to deliver additional malware and to steal credentials and other financial information.

Last year, after Microsoft blocked macros sourced from the internet by default, threat actors began to experiment with new file formats for infecting victims. Microsoft OneNote is installed by default in all Microsoft Office/365 installations, so even if a Windows user does not use the application, it is still available to open the file format. As such, since mid-December, security researchers have observed threat actors disseminating malicious spam emails with OneNote attachments. Phishing emails seen by researchers purported to be DHL shipping notifications urging the user to interact with the OneNote attachment.

Attackers are abusing OneNote's support for inserted attachments by embedding malicious VBS files in the document; when double-clicked, the script launches automatically, downloads malware from a remote site, and installs it. To hide the inserted attachments, the threat actors overlay a big ‘Double click to view file’ bar on top of them. After user interaction, the OneNote files deliver remote access trojans that include information-stealing capabilities.

Since this threat spreads via email, one of the best prevention methods is to regularly remind users to be extra vigilant for suspicious emails and to verify attachments with senders before opening. Read more at BleepingComputer.
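For mailbox or gateway triage, the following added example (not code from WaterISAC or BleepingComputer) flags OneNote attachments by content rather than file name and counts the files embedded in each. The GUIDs and field layout come from Microsoft's MS-ONESTORE specification, not from this advisory; the function names and the sample message are constructed for illustration.

```python
import struct
import uuid
from email import message_from_bytes, policy
from email.message import EmailMessage

# MS-ONESTORE GUIDs: the file type at offset 0 of a .one file, and the header
# that precedes each embedded file (FileDataStoreObject).
ONE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le


def embedded_files(blob):
    """Return the raw bytes of every file embedded in a OneNote blob."""
    found, pos = [], blob.find(FDSO_HEADER)
    while pos != -1 and pos + 36 <= len(blob):
        # Layout: GUID (16) | cbLength (8, LE) | unused (4) | reserved (8) | data
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        found.append(blob[pos + 36 : pos + 36 + length])
        pos = blob.find(FDSO_HEADER, pos + 16)
    return found


def triage(raw_email):
    """List (file name, embedded-file count) for each OneNote attachment."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(unnamed)"
        # Match on content first so a renamed attachment is still caught.
        if data.startswith(ONE_MAGIC) or name.lower().endswith(".one"):
            hits.append((name, len(embedded_files(data))))
    return hits


def constructed_sample():
    """Constructed message: a fake OneNote body holding one harmless file."""
    inner = b"placeholder embedded file"
    blob = (ONE_MAGIC + b"\x00" * 48 + FDSO_HEADER
            + struct.pack("<Q", len(inner)) + b"\x00" * 12 + inner)
    msg = EmailMessage()
    msg.set_content("Constructed shipping notification, see attached.")
    msg.add_attachment(blob, maintype="application", subtype="octet-stream",
                       filename="shipment.dat")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(constructed_sample()))
```

A OneNote attachment with one or more embedded files is the pattern described above, so a hit is a candidate for quarantine or manual review rather than proof of malice.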
