Hackers Are Now Using Microsoft OneNote Attachments to Spread Malware

Cybercriminals are now using OneNote attachments to spread remote access malware and to steal personal passwords, as well as cryptocurrency wallets. 

Black hat hackers have a years-long history of using Microsoft Word and Excel to spread malware with the help of macros. But since Microsoft disabled macros by default, threat actors have turned to Microsoft’s OneNote program.

After a series of security updates, malicious parties quickly worked around each new obstacle, and they’re now using delivery-themed phishing emails to target unsuspecting internet users.

Think Twice About OneNote Attachments

OneNote is a frequently used software that’s now part of the Microsoft 365 suite. Due to its feature-rich interface and ability to support text, drawing, and mind-mapping, it’s a go-to program for many students and professionals.

Cybersecurity professionals have issued warnings about malware spread through OneNote attachments in phishing emails. As early as December 2022, Trustwave SpiderLabs warned that threat actors were spreading malware through OneNote. Another warning came through a tweet by Perception Point Attack Trends on January 10.

Image of Tweet from Perception Point Attack Trends
Twitter can also be a force of good, especially in situations where fast communication is crucial.

Microsoft is no stranger to exploits. For years, cybercrooks have been exploiting Word and Excel to spread malware. These two offered a lot of leverage since opening a document could automatically run macros: scripts that can be used for a variety of purposes… including the download and installation of malicious software.

In July, Microsoft decided to make it more difficult for hackers to exploit users by setting macros to disabled by default. As such, cybercriminals could no longer depend on this technique as a reliable means of distributing malware.

After Microsoft disabled macros, threat actors switched to using ISO and password-protected 7-Zip files to infect devices. This was a convenient delivery method due to another Microsoft bug (this time in Windows) that allowed such file types to bypass Mark-of-the-Web (MoTW) warnings.

Image of Mark-of-the-web security warning
MoTW warnings notify you about potentially harmful files.

In a joint effort, the bug was addressed by both Windows and 7-Zip, so device owners would be warned before downloading or opening potentially harmful files. Threat actors quickly adapted to the continuous challenges set against them, and that’s how we got to OneNote.

While OneNote is still a popular Microsoft program, it doesn’t support macros, so Microsoft’s macro changes don’t apply to it and don’t stop users from accidentally opening malware-containing .one files. OneNote makes it possible to embed attachments in a notebook, and when one of these is double-clicked, it launches. Cybercriminals have been abusing this behavior, essentially sending .one files with embedded attachments that run malicious scripts when double-clicked.

Example of malicious double-click option in OneNote
Image by BleepingComputer
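As an added illustration of how a defender can check a notebook before anyone double-clicks inside it (example code written for this post, not part of the original article or any Microsoft or BleepingComputer tool): the script below walks a .one file looking for embedded file objects and flags payloads that look like executables or scripts. The GUID constants and the object layout come from Microsoft’s public MS-ONESTORE file format specification, which the article itself does not describe; the sample notebook the script scans is constructed in code and is not a real malicious file.

```python
"""Scan a OneNote .one file for embedded attachments and flag executable content."""
import struct
import sys
import uuid

# GUIDs from Microsoft's public MS-ONESTORE specification (assumption: taken from
# the spec, not from the article). .bytes_le gives the on-disk little-endian form.
ONE_HEADER_GUID = uuid.UUID("{7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}").bytes_le
FILE_DATA_HEADER_GUID = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FILE_DATA_FOOTER_GUID = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le

# FileDataStoreObject layout per the spec:
#   guidHeader(16) cbLength(8, uint64 LE) unused(4) reserved(8) FileData(cbLength) guidFooter(16)
_FDSO_HEADER_LEN = 16 + 8 + 4 + 8

# Magic bytes for payload types; anything executable has no business in a shipping notice.
_MAGIC = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
    b"PK\x03\x04": "zip-archive",
    b"\x89PNG": "png-image",
    b"%PDF": "pdf-document",
}
_RISKY_KINDS = {"pe-executable", "elf-executable", "zip-archive", "script"}
# Tokens that mark a text payload as a Windows script rather than a document.
_SCRIPT_TOKENS = (b"wscript", b"cscript", b"powershell", b"cmd.exe", b"createobject", b"@echo off")


def classify(payload: bytes) -> str:
    """Return a coarse content type for an embedded payload."""
    for magic, kind in _MAGIC.items():
        if payload.startswith(magic):
            return kind
    lowered = payload[:4096].lower()
    if any(tok in lowered for tok in _SCRIPT_TOKENS):
        return "script"
    return "unknown"


def scan_onenote(data: bytes) -> list:
    """Find every FileDataStoreObject in a .one file and classify its payload."""
    if not data.startswith(ONE_HEADER_GUID):
        raise ValueError("not a OneNote .one file (header GUID missing)")
    findings = []
    pos = data.find(FILE_DATA_HEADER_GUID)
    while pos != -1:
        if pos + _FDSO_HEADER_LEN > len(data):
            break  # truncated object header; nothing more to parse
        (cb_length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + _FDSO_HEADER_LEN
        end = start + cb_length
        payload = data[start:end]
        kind = classify(payload)
        findings.append({
            "offset": pos,
            "size": cb_length,
            "kind": kind,
            # A missing footer means the declared length is wrong or the file is damaged.
            "footer_ok": data[end:end + 16] == FILE_DATA_FOOTER_GUID,
            "risky": kind in _RISKY_KINDS,
        })
        pos = data.find(FILE_DATA_HEADER_GUID, pos + 16)
    return findings


def _fdso(payload: bytes) -> bytes:
    """Wrap a payload in a FileDataStoreObject (used only to build the constructed sample)."""
    return (FILE_DATA_HEADER_GUID + struct.pack("<Q", len(payload)) + b"\0" * 12
            + payload + FILE_DATA_FOOTER_GUID)


def build_sample_notebook() -> bytes:
    """Constructed stand-in for a .one file: real header GUID, filler, two embedded objects.

    The 'executable' is an inert MZ stub, not a working program.
    """
    fake_exe = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode"
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\0" * 32
    return ONE_HEADER_GUID + b"\0" * 48 + _fdso(fake_exe) + b"\0" * 16 + _fdso(fake_png)


if __name__ == "__main__":
    # Usage: python scan_one.py [notebook.one]; without an argument the constructed sample is scanned.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_notebook()
    for f in scan_onenote(blob):
        flag = "RISKY" if f["risky"] else "ok"
        print(f"offset={f['offset']:#x} size={f['size']} kind={f['kind']} footer_ok={f['footer_ok']} {flag}")
```

A mail gateway or endpoint script can run this check on every .one attachment before it reaches a user: a notebook that carries a PE, archive or script payload is worth quarantining regardless of what the visible page says, and a mismatched footer usually means the object was hand-crafted or damaged rather than saved by OneNote.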

Luckily, you should receive a warning about potential harm to your device when downloading OneNote files… unfortunately, these warnings are often disregarded and curiosity reigns supreme.

What Type of Emails Are Threat Actors Sending?

According to a report by Bleeping Computer, the malspam phishing emails are mostly pretending to be from DHL shipping, a global delivery company. The emails falsely notify users about invoices, shipping documents, and address confirmation requests. This is a notorious social engineering tactic that continues to be effective.

Since people receiving these emails are deceptively led to believe they have a delivery pending, they’re often enticed to open the file. Phishing emails pose a serious risk, as they can infect devices with remote access and password-stealing malware that can also steal cryptocurrency wallets.

How to Protect Yourself From Cyber Attacks

It’s not always easy to tell malspam from genuine emails. And the consequences of a mistake can be quite serious. For some, cybercrime is a full-time profession, which means they have no shortage of ways to exploit unsuspecting netizens.

Between social engineering attacks, fake app scams, and attacks launched through free Wi-Fi, the internet of today is a much more dangerous place than it used to be. And we didn’t even get to the slew of romance scams present on online dating apps.

Pro tip: If you want to stay safe online, don’t open anything attached to an email unless you trust the sender 100%.

Masking your IP address with a VPN can keep your data safe and protect you from public Wi-Fi attacks. VPN encryption scrambles your data, making it incomprehensible to hackers snooping on a shared Wi-Fi network. It also conceals your activity from your network provider or the Wi-Fi owner, so they can’t see what you’re up to online.

However, VPNs can’t protect you when you agree to open malicious links. In today’s digital landscape, it helps to be educated about cyber threats.

CyberGhost VPN uses state-of-the-art military-grade encryption to prevent your data from getting into the wrong hands. Get CyberGhost VPN and stay safe online.
