According to a study by Proofpoint, digital OneNote notebooks (denoted by the ".one" extension) are increasingly being used by cyber-attackers to spread malware. OneNote is included in the Microsoft 365 office software bundle and is widely used.
OneNote documents are rarely misused in this manner, according to cybersecurity professionals, and there is only one clear reason attackers are experimenting with them: they can more readily avoid threat detection than other attachments. And it seems to be effective.
According to statistics from open-source malware repositories, initially observed attachments were not identified as dangerous by several anti-virus engines. As a result, it is likely that the original campaigns had a high success rate if the email was not stopped, according to Proofpoint.
Proofpoint expanded on the study findings by saying, "Since Microsoft began blocking macros by default in 2022, threat actors have experimented with many new tactics, techniques, and procedures, including use of previously infrequently observed file types such as virtual hard disk (VHD), compiled HTML (CHM), and now OneNote (.one)."
The phishing emails are attempting to deliver one of several malware payloads, including AsyncRAT, Redline, AgentTesla, and DOUBLEBACK, all of which are designed to steal sensitive information from victims, including usernames and passwords. The phishing emails were first sent in December 2022, with the number significantly increasing in January 2023.
Researchers from Proofpoint also report that a cybercriminal organization they track by the name TA577 has used OneNote in campaigns to distribute Qbot. TA577 operates as an initial access broker, selling stolen usernames and passwords to other cybercriminals, including ransomware gangs, rather than using the stolen data itself.
There have been over 60 of these campaigns found so far, and they all have the same traits. Emails and file attachments are connected to topics like invoicing, remittances, shipping, and seasonal themes, such as details on a Christmas bonus, among others.
For instance, attachment names in a phishing email addressed to targets in the manufacturing and industrial sectors included references to machine parts and specifications, showing that the lure had been researched extensively.
Other OneNote efforts target thousands of potential victims all at once and are a little broader. One of these efforts used fake invoices to target the education industry, while another was more broadly disseminated and promised a Christmas bonus or present to thousands of unsuspecting victims.
In each case, for the phishing attack to succeed the victim must open the email, open the OneNote attachment, and click the malicious link embedded in it. OneNote does display a warning about dangerous URLs, but users who have received an email tailored specifically to them, or who believe they are about to receive a bonus, may ignore that warning.
Researchers caution that other cyber-threat groups will probably adopt this technique for phishing and malware campaigns, because such attempts are expected to succeed frequently whenever the emails are not blocked.
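Since the chain above only works when the .one attachment reaches the inbox, the natural control is at the mail gateway. The following is an added, defender-side example written for this article; it is not code from Proofpoint, Microsoft, or the article itself. It parses a constructed lure in the style described (invoice theme, .one attachment), quarantines the file types the article names, and also catches a OneNote file delivered under a different extension. The header GUID used to recognise a OneNote file is taken from the MS-ONESTORE file-format specification as I recall it, not from the article, and is labelled as an assumption in the code.

```python
import email
from email import policy
from email.message import EmailMessage

# Header GUID of a OneNote .one file ({7B5C52E4-D88C-4DA7-AEB1-5378D02996D3})
# as little-endian bytes. ASSUMPTION: taken from the MS-ONESTORE spec, not the article.
ONE_MAGIC = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")

# File types the article reports as newly favoured lures; quarantine them inbound.
RISKY_EXTENSIONS = {".one", ".vhd", ".chm"}


def _extension(filename: str) -> str:
    """Lower-cased extension including the dot, or '' when there is none."""
    return ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""


def attachment_findings(raw_message: bytes) -> list[dict]:
    """Inspect every attachment of a raw RFC 5322 message.

    Returns one finding per suspicious attachment, each with the filename and
    the list of reasons it was flagged. An empty list means nothing was flagged.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _extension(name)
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"extension {ext} is on the quarantine list")
        # Extension/content mismatch: a OneNote header behind a harmless-looking name.
        if payload.startswith(ONE_MAGIC) and ext != ".one":
            reasons.append("OneNote header under a non-.one filename")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


def build_sample_message(disguise: bool = False) -> bytes:
    """CONSTRUCTED sample lure in the style the article describes (invoice theme).

    With disguise=True the OneNote payload is renamed to a .txt file so the
    content check, rather than the extension check, has to catch it.
    """
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "ap@example.invalid"
    msg["Subject"] = "Outstanding invoice - remittance details"
    msg.set_content("Please see the attached invoice.")
    one_name = "Invoice_2023-01.txt" if disguise else "Invoice_2023-01.one"
    # Constructed OneNote-looking body: valid header GUID followed by padding.
    msg.add_attachment(ONE_MAGIC + b"\x00" * 64,
                       maintype="application", subtype="octet-stream",
                       filename=one_name)
    # A benign second attachment to show it is left alone.
    msg.add_attachment(b"%PDF-1.4 constructed sample",
                       maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for disguised in (False, True):
        for finding in attachment_findings(build_sample_message(disguised)):
            print(finding["filename"], "->", "; ".join(finding["reasons"]))
```

A gateway rule built this way quarantines by extension first and falls back to a content check, so renaming the notebook does not get it past the filter; the filenames, addresses and file bytes are all constructed for the example.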
"Proofpoint has increasingly observed OneNote attachments being used to deliver malware. Based on our research, we believe multiple threat actors are using OneNote attachments to bypass threat detections," said researchers, who warn that this is "concerning" because, as demonstrated by TA577, this tactic can become an initial entry point for distributing ransomware, which could cripple a whole organization and its networks.
"This is a phishing technique that convinces a victim to open a document with an embedded malicious attachment and then bypass a security prompt to run the attachment. We encourage customers to practice good computing habits online, including exercising caution when clicking on links to webpages or opening unknown files," a Microsoft spokesperson said.