IT Infrastructure, Network Security, News

Hackers Are Pivoting to OneNote Documents for Malware Delivery

Proofpoint researchers say they have identified an increase in the use of OneNote documents to deliver malware after Microsoft blocks macros.

February 6, 2023 Zachary Comeau Leave a Comment


Threat actors are increasingly using OneNote documents to deliver malware as Microsoft makes it difficult for them to use other Office documents by blocking macros by default.

Now, hackers are experimenting with other file types, including virtual hard disk, compiled HTML and OneNote files, according to new research from enterprise security software company Proofpoint.

The Sunnyvale, Calif.-based firm says in a new blog that its researchers have noticed an increase in the use of OneNote documents to deliver malware via email to end users. Proofpoint researchers say that in December they observed six campaigns using OneNote attachments to deliver AsyncRAT malware. In January, Proofpoint observed more than 50 OneNote campaigns with different malware payloads, including AsyncRAT, Redline, AgentTesla and DOUBLEBACK.

The use of OneNote to deliver malware, Proofpoint writes, is unusual. However, it comes as Microsoft continues to take steps to prevent its tools from being used for malicious purposes, such as blocking Office macros by default. Now, attackers are experimenting with different attachment types. Proofpoint came to a similar conclusion in July 2022, saying attackers were already experimenting with other file types when Microsoft first announced the move.

“The technique may be effective for now,” Proofpoint researchers wrote in the Feb. 1 blog. “At the time of analysis, multiple OneNote malware samples observed by Proofpoint were not detected by numerous anti-virus vendors on VirusTotal. Proofpoint continues to assess these activity clusters and does not attribute them to a tracked threat actor.”

The company says malware campaigns leveraging OneNote share similar characteristics, such as unique messages to deliver malware and the lack of thread hijacking. Messages typically contain OneNote attachments with themes such as invoice, remittance, shipping and seasonal themes including Christmas bonuses.

One group, TA577, a cybercrime group tracked by Proofpoint since 2020 that delivers payloads such as Qbot, IcedID, SystemBC, SmokeLoader, Ursnif and Cobalt Strike, has been conducting similar campaigns using OneNote since late January.

According to Proofpoint, OneNote documents used maliciously contain embedded files, which are often hidden behind a graphic that looks like a button. When a user double-clicks the embedded file, OneNote shows a warning. If the user clicks “continue,” the file executes.
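Because the embedded file is what actually runs, a defender triaging a suspicious attachment wants to pull those embedded objects out of the .one file and classify them before anyone clicks. The script below is an added example, not Proofpoint's tooling: it scans a byte blob for the FileDataStoreObject header and footer GUIDs that the OneNote file format (MS-ONESTORE) wraps around every embedded file, reads each object's length field, and flags executables, scripts and truncated objects. The sample blob is constructed here and is not a real OneNote file; only the object layout matters for the scan.

```python
import struct

# GUIDs that bracket a FileDataStoreObject in the OneNote file format (MS-ONESTORE),
# written in the little-endian byte order in which they appear on disk.
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")
HEADER_LEN = 16 + 8 + 4 + 8  # guidHeader, cbLength, unused, reserved

# Crude content classification for triage; anything not an image deserves a look.
EXECUTABLE_MAGIC = {b"MZ": "pe", b"\x7fELF": "elf"}
SCRIPT_HINTS = (b"<script", b"powershell", b"cmd.exe", b"wscript", b"cscript", b"@echo")

def classify(data: bytes) -> str:
    head = data[:4]
    for magic, kind in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return kind
    if head.startswith(b"\x89PNG") or head.startswith(b"\xff\xd8"):
        return "image"
    if any(h in data[:4096].lower() for h in SCRIPT_HINTS):
        return "script"
    return "unknown"

def extract_embedded_files(blob: bytes) -> list:
    """Return one record per FileDataStoreObject found in blob, in file order."""
    found = []
    pos = blob.find(FDSO_HEADER)
    while pos != -1 and pos + HEADER_LEN <= len(blob):
        (size,) = struct.unpack_from("<Q", blob, pos + 16)  # cbLength
        start, end = pos + HEADER_LEN, pos + HEADER_LEN + size
        if end > len(blob):  # length runs past the file: damaged or crafted, stop here
            found.append({"offset": pos, "size": size, "kind": "truncated"})
            break
        found.append({"offset": pos, "size": size, "kind": classify(blob[start:end]),
                      "footer_ok": blob[end:end + 16] == FDSO_FOOTER})
        pos = blob.find(FDSO_HEADER, end)
    return found

def suspicious(results: list) -> list:
    return [r for r in results if r["kind"] in ("pe", "elf", "script", "truncated")]

def build_fdso(data: bytes) -> bytes:
    """Wrap data in a FileDataStoreObject; used only to build the constructed sample."""
    return FDSO_HEADER + struct.pack("<Q", len(data)) + b"\0" * 12 + data + FDSO_FOOTER

# Constructed sample: a button-like image, a fake PE stub and a small batch script.
SAMPLE = (b"\0" * 64 + build_fdso(b"\x89PNG\r\n\x1a\n" + b"\0" * 32) + b"\0" * 16
          + build_fdso(b"MZ\x90\x00" + b"\0" * 60)
          + build_fdso(b"@echo off\r\necho constructed sample\r\n"))

if __name__ == "__main__":
    for record in suspicious(extract_embedded_files(SAMPLE)):
        print(record)
```

On a real attachment, pass the file's bytes to extract_embedded_files and hand anything that suspicious() returns to a sandbox rather than opening it in OneNote.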

These malicious OneNote attacks have increased significantly between December 2022 and the end of January 2023. While the company only saw OneNote campaigns deliver AsyncRAT in December, researchers saw seven other malware payloads distributed via OneNote attachments last month, with targets located globally, including in North America and Europe.

Multiple threat actors are believed to be using the OneNote attachment tactic in an attempt to bypass threat detections, and more sophisticated actors may begin using OneNote attachments soon, Proofpoint concludes.

TA577’s adoption of OneNote is particularly worrisome, as the group is an initial access broker that facilitates follow-on infections with additional malware, including ransomware, Proofpoint researchers say.

“Based on data in open-source malware repositories, initially observed attachments were not detected as malicious by multiple anti-virus engines, thus it is likely initial campaigns had a high efficacy rate if the email was not blocked,” the company says, noting that its own customers were protected since Proofpoint detected the malicious emails. “It is likely more threat actors will adopt OneNote attachments to deliver malware.”
