Microsoft OneNote attachments are used to spread malware

Cybercriminals send malspam containing OneNote attachments

OneNote's attachment feature was exploited by hackers to spread malware

Microsoft OneNote is a free digital notebook application that ships with Microsoft Office 2019 and Microsoft 365. Even if a Windows user never actively uses the application, OneNote files can still be opened on the machine because the application is installed by default in all Microsoft Office/365 installations. Cybersecurity researchers have warned that cybercriminals have been sending malicious spam emails[1] with OneNote attachments since mid-December.[2]

These malicious emails masquerade as DHL shipping notifications, invoices, ACH remittance forms, mechanical drawings, and shipping documents. For years, attackers distributed malware via malicious Word and Excel email attachments whose macros downloaded and installed the payload. However, in July, Microsoft disabled macros by default in Office documents downloaded from the internet, making this method unreliable for malware distribution.

As a result, attackers started using new file formats like ISO images and password-protected ZIP files. These file formats became more popular as a result of a Windows bug that allowed ISOs to bypass security warnings and the popular 7-Zip archive utility's failure to propagate mark-of-the-web flags to files extracted from ZIP archives. However, both 7-Zip and Windows have recently fixed these bugs, resulting in Windows displaying security warnings when a user tries to open files in downloaded ISO and ZIP formats.

OneNote allows users to insert attachments, which hackers exploited

OneNote, unlike Word and Excel, does not support macros, which were previously used by threat actors to launch scripts that installed malware. Instead, OneNote allows users to insert attachments into notebooks that will launch the attachment when double-clicked. Threat actors are taking advantage of this feature by attaching malicious VBS attachments that, when double-clicked, launch a script that downloads and installs malware from a remote site.

However, because an attachment appears as a plain file icon in OneNote, threat actors hide it by placing a large “Double click to view file” bar over the inserted VBS attachments. When the “Click to View Document” bar is moved out of the way, the page is revealed to contain a whole row of copies of the malicious attachment. The row ensures that wherever on the bar a user double-clicks, one of the attachments is launched. Fortunately, when a user launches an embedded OneNote attachment, the program warns that doing so may damage the computer and its data.

Unfortunately, these types of prompts are frequently ignored, with users simply clicking the OK button. When you click the OK button, the VBS script will start downloading and installing malware. The OneNote files install remote access trojans[3] with information-stealing capabilities.
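As an added, defender-side example that is not part of the original article: a small Python triage script that locates embedded attachments in a .one file using the FileDataStoreObject layout from Microsoft's MS-ONESTORE specification (header GUID, 8-byte length, 4 unused and 8 reserved bytes, file data, footer GUID) and flags payloads that look like scripts rather than documents. The sample notebook bytes and the indicator list are constructed here for illustration, not taken from a real malicious file.

```python
import re
import struct
import uuid

# GUIDs that bracket every embedded file object in a .one file (MS-ONESTORE, FileDataStoreObject).
FILE_DATA_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FILE_DATA_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
HEADER_SIZE = 16 + 8 + 4 + 8  # guidHeader + cbLength + unused + reserved

# Constructed indicator list: content that suggests a script/executable, not a document.
SUSPICIOUS = [rb"CreateObject", rb"WScript", rb"powershell", rb"cmd(\.exe)?\s*/c", rb"^MZ", rb"<html"]


def extract_embedded_files(data: bytes) -> list:
    """Return the raw payload of every FileDataStoreObject found in the blob."""
    payloads = []
    pos = 0
    while (pos := data.find(FILE_DATA_HEADER, pos)) != -1:
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + HEADER_SIZE
        end = start + length
        # Trust the length field only when the footer GUID immediately follows the data.
        if end <= len(data) and data[end:end + 16] == FILE_DATA_FOOTER:
            payloads.append(data[start:end])
            pos = end + 16
        else:
            pos += 16
    return payloads


def triage(data: bytes) -> list:
    """Score each embedded file; only the first 4 KiB is inspected for indicators."""
    results = []
    for i, blob in enumerate(extract_embedded_files(data)):
        hits = [p.decode() for p in SUSPICIOUS if re.search(p, blob[:4096], re.I)]
        results.append({"index": i, "size": len(blob), "indicators": hits, "suspicious": bool(hits)})
    return results


def build_sample_note(payloads: list) -> bytes:
    """Constructed test blob with the FileDataStoreObject layout; not a real notebook."""
    out = b"constructed-one-file-prefix"
    for p in payloads:
        out += FILE_DATA_HEADER + struct.pack("<Q", len(p)) + b"\0" * 12 + p + FILE_DATA_FOOTER
    return out


SAMPLE = build_sample_note([
    b"%PDF-1.4 harmless invoice",                                   # benign document
    b'Set sh = CreateObject("WScript.Shell")\r\nsh.Run "notepad.exe"',  # script-like attachment
])

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r)
```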

Follow security measures

Once installed, malware allows threat actors to remotely access a victim's device and steal files, saved browser passwords, screenshots, and, in some cases, record video using webcams. Furthermore, cybercriminals frequently use this type of malware to steal cryptocurrency wallets from victims' devices, making it a costly infection.

Avoiding opening files from unknown sources is the most effective way to protect yourself from malicious attachments. If you open a file by mistake, it's critical not to ignore warnings from the operating system or application.

If you receive a warning that opening an attachment or clicking on a link could harm your computer or files, simply do not press OK and exit the application. If you are unsure whether an email is legitimate, share it with a security or Windows administrator who can help you determine whether the file is safe.

About the author
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
