OneNote is a digital note-taking application developed by Microsoft. It allows users to create and organize notes in various formats, including text, images, audio recordings, and video. OneNote files have become a popular alternative to macro-based files, like Word documents, which have become more difficult to distribute due to Microsoft's patching of vulnerabilities and disabling of macros. OneNote files have been observed carrying embedded HTA, CMD, and JSE files, which are used to execute malicious code when the OneNote file is opened and the embedded file is launched.
Phishing campaigns have been observed delivering OneNote files containing malicious embedded files via email or malicious URLs. Once the OneNote file is opened and the embedded file is executed, it downloads a second-stage payload from the attacker's infrastructure. Recent variants have been observed dropping Emotet and QakBot, which are commonly used to deliver additional payloads such as Cobalt Strike.
It is recommended to apply the most recent Microsoft Windows patches on computers and endpoints, and to avoid opening unknown attachments or visiting unfamiliar URLs. Password security is also important, and switching to two-factor authentication can provide an additional layer of protection. Because OneNote is present on many Microsoft Windows systems and Microsoft Office is ubiquitous globally, and because understanding of how OneNote can be abused is still developing, it is important that organizations prepare themselves and stay on top of any updates concerning malicious use of Microsoft OneNote.
Threat Synopsis – Microsoft OneNote Malware Delivery and Installation
With Microsoft's efforts to block Excel 4 and VBA macros in files downloaded from the internet by default, threat actors have taken to using Microsoft OneNote to deliver malicious payloads to unsuspecting victims. Among the actors and malware campaigns taking advantage of this technique, Emotet and QakBot have been some of the most prevalent. These new email campaigns have been using malicious Microsoft OneNote attachments to distribute malware, with the attachments often disguised as guides, invoices, job references, and other types of documents.
The OneNote documents display a message that the document is protected and prompt the user to double-click the "View" button to display it properly. However, actors have been hiding various script files underneath the "View" button; when launched, these scripts download a DLL or other payload from a remote location and execute it. This leads to the installation of Emotet and other malware, which can steal email and contacts and await further commands from the command-and-control server.
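The embedded HTA, CMD, and JSE files described above and the script hidden under the fake "View" button are stored inside the .one container as file data objects, so a defender can pull them out and classify them without ever opening the document in OneNote. The following triage script is an added example, not Cyborg Security's code or part of a Threat Hunt Package. It assumes the FileDataStoreObject layout from Microsoft's public MS-ONESTORE specification (header GUID, 8-byte little-endian length, 4 unused bytes, 8 reserved bytes, the file data, then a footer GUID); the sample container it scans is constructed in the script and contains only a harmless placeholder batch file.

```python
"""Static triage of OneNote (.one) files for embedded payloads.

Added example, not Cyborg Security's code. Container layout assumed from the
MS-ONESTORE specification (FileDataStoreObject):
  guidHeader (16) | cbLength (8, LE) | unused (4) | reserved (8) | FileData | guidFooter (16)
The sample file built below is constructed and contains no real malware.
"""
import struct
import uuid

# FileDataStoreObject delimiters (assumed from MS-ONESTORE section 2.6.13).
FILE_DATA_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FILE_DATA_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
HEADER_SIZE = 16 + 8 + 4 + 8  # guid + cbLength + unused + reserved

# Content types a user should never be double-clicking out of a note.
SUSPICIOUS_KINDS = {"pe", "hta-or-html", "batch", "script"}


def classify_payload(data: bytes) -> str:
    """Coarse content sniffing on the first bytes of an embedded file."""
    head = data[:512]
    lowered = head.lower()
    if head.startswith(b"MZ"):
        return "pe"                                   # .exe / .dll
    if b"<hta:application" in lowered or b"<script" in lowered:
        return "hta-or-html"
    if lowered.lstrip().startswith(b"@echo") or b"cmd /c" in lowered or b"powershell" in lowered:
        return "batch"                                # .cmd / .bat
    if b"wscript" in lowered or b"activexobject" in lowered or b"createobject" in lowered:
        return "script"                               # .js / .jse / .vbs / .wsf
    if head.startswith((b"%PDF", b"\x89PNG", b"\xff\xd8")):
        return "document-or-image"
    return "unknown"


def extract_embedded_files(blob: bytes) -> list:
    """Return (offset, payload) for every FileDataStoreObject found in blob."""
    found = []
    pos = blob.find(FILE_DATA_HEADER)
    while pos != -1:
        if pos + HEADER_SIZE > len(blob):
            break
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + HEADER_SIZE
        end = start + length
        # Only trust cbLength when the footer sits exactly where it says it should;
        # a corrupt or truncated object is skipped instead of slicing garbage.
        if end + 16 <= len(blob) and blob[end:end + 16] == FILE_DATA_FOOTER:
            found.append((pos, blob[start:end]))
            pos = blob.find(FILE_DATA_HEADER, end + 16)
        else:
            pos = blob.find(FILE_DATA_HEADER, pos + 1)
    return found


def triage(blob: bytes) -> list:
    """Classify every embedded file and flag the ones that can execute code."""
    verdicts = []
    for offset, payload in extract_embedded_files(blob):
        kind = classify_payload(payload)
        verdicts.append({"offset": offset, "size": len(payload), "kind": kind,
                         "suspicious": kind in SUSPICIOUS_KINDS})
    return verdicts


SAMPLE_SCRIPT = b"@echo off\r\nrem constructed placeholder, does nothing\r\necho placeholder\r\n"


def build_sample_one_file() -> bytes:
    """Constructed stand-in for a .one container: filler bytes, a benign PNG
    embed, and a batch-style file like those hidden under fake 'View' buttons."""
    def wrap(data: bytes) -> bytes:
        return FILE_DATA_HEADER + struct.pack("<Q", len(data)) + b"\0" * 12 + data + FILE_DATA_FOOTER
    benign = b"\x89PNG\r\n\x1a\n" + b"\0" * 32
    return b"constructed-filler" + b"\0" * 64 + wrap(benign) + b"\xaa" * 16 + wrap(SAMPLE_SCRIPT) + b"\0" * 8


if __name__ == "__main__":
    # Replace build_sample_one_file() with open("suspect.one", "rb").read() for real triage.
    for verdict in triage(build_sample_one_file()):
        print(verdict)
```

Run it against a real attachment by reading the file bytes instead of the constructed sample; anything reported as `suspicious` is worth detonating in a sandbox or blocking at the mail gateway before it reaches a user.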
While Microsoft OneNote displays a warning when attempting to launch an embedded file, users often click "OK" to get rid of the alert, enabling the malicious script to execute. Microsoft is adding improved protections in OneNote against phishing documents, but there is no specific timeline for when this will be available to everyone. However, Windows admins can configure group policies to protect against malicious OneNote files by either blocking embedded files altogether or specifying file extensions to be blocked from running.
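Until the group policy described above is in place, the execution path is still visible in endpoint telemetry: when a user clicks through the warning, OneNote itself becomes the parent of the interpreter that runs the embedded CMD, HTA, or JSE file. The hunt below is an added example, not one of Cyborg Security's Threat Hunt Packages. The event field names (`host`, `parent_image`, `image`, `command_line`) are assumed and should be mapped to your EDR or Sysmon process-creation schema, and the log lines it runs over are constructed.

```python
"""Hunt for OneNote spawning command or script interpreters.

Added example, not a Cyborg Security Threat Hunt Package. Field names are
assumed (map to your EDR / Sysmon Event ID 1 schema); events are constructed.
"""
import json
from pathlib import PureWindowsPath

# Interpreters that embedded CMD/HTA/JSE/VBS files and dropped DLLs run through.
INTERPRETERS = {"cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe"}
# Extensions named on the page (HTA, CMD, JSE) plus siblings using the same engines.
SCRIPT_EXTS = {".hta", ".cmd", ".bat", ".jse", ".js", ".vbs", ".vbe", ".wsf", ".ps1"}

# Constructed process-creation events; paths and hosts are placeholders.
SAMPLE_LOG = r'''
{"host":"ws01","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE","image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd.exe /c \"C:\\Users\\alice\\AppData\\Local\\Temp\\constructed\\Open.cmd\""}
{"host":"ws01","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE","image":"C:\\Windows\\System32\\mshta.exe","command_line":"mshta.exe \"C:\\Users\\alice\\AppData\\Local\\Temp\\constructed\\invoice.hta\""}
{"host":"ws02","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE","image":"C:\\Windows\\System32\\wscript.exe","command_line":"wscript.exe C:\\Users\\bob\\AppData\\Local\\Temp\\constructed\\View.jse"}
{"host":"ws02","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE","command_line":"ONENOTE.EXE"}
{"host":"ws03","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd.exe /k"}
this line is not JSON and must be skipped, not crash the hunt
'''


def basename(path: str) -> str:
    """Case-folded image name, tolerant of full Windows paths."""
    return PureWindowsPath(path).name.lower()


def referenced_script_ext(command_line: str):
    """First script-like extension referenced on the command line, if any.
    Quotes are stripped before splitting; paths with spaces are a known gap."""
    for token in command_line.replace('"', " ").split():
        ext = PureWindowsPath(token).suffix.lower()
        if ext in SCRIPT_EXTS:
            return ext
    return None


def evaluate(event: dict):
    """Return an alert dict when OneNote is the parent of an interpreter."""
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    if parent != "onenote.exe":
        return None
    ext = referenced_script_ext(event.get("command_line", ""))
    if child in INTERPRETERS:
        severity = "high"        # the page's HTA/CMD/JSE execution path
    elif ext:
        severity = "medium"      # unusual child, but a script path is referenced
    else:
        return None
    return {"host": event.get("host"), "parent": parent, "child": child,
            "script_ext": ext, "severity": severity}


def hunt(log_text: str) -> list:
    """Parse newline-delimited JSON events and collect alerts, skipping bad lines."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = evaluate(event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

The `onenote.exe` parent is the pivot: a legitimate user rarely needs OneNote to launch `cmd.exe`, `mshta.exe`, or `wscript.exe`, so the rule stays quiet on ordinary OneNote activity (including Outlook launching OneNote) while catching each of the embedded-file variants the campaigns have used.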
Because this Microsoft OneNote method is relatively new, and additional information about the threat actors using it and the methods they use is still being discovered, Cyborg Security will be updating the Threat Hunt Packages as more information is identified.