Multiple threat actors are now using OneNote documents to deliver malware. In the last month alone, over 50 OneNote campaigns delivering different malware payloads through email attachments have been observed.
What is the threat?
According to recent reports, and behavior observed by Barracuda SOC, malicious actors are now engaging in malware campaigns using Microsoft OneNote documents. In December 2022, there were just six campaigns identified using OneNote to deliver AsyncRAT malware. A month later, reports claim, more than 50 campaigns were seen delivering Redline Stealer, AgentTesla, and DOUBLEBACK. Most notably, threat actor TA577 used OneNote to deliver Qbot near the end of January 2023.
OneNote files, called NoteBooks, allow users to add attachments, and an attachment can download malware from the threat actor. The malicious OneNote documents contain embedded files, often disguised or hidden behind a graphic that looks like a button. If the user double-clicks the embedded file, they'll be prompted with a warning. If they continue, the file (which could be any sort of executable, such as an LNK, HTA, or WSF file) will execute.
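As an added example (not Barracuda's detection rule and not code from the original advisory), the following Python triages a .one attachment by locating its embedded file objects and labelling each payload by its leading bytes. The two GUIDs come from Microsoft's MS-ONESTORE specification; the function names, the risk labels and the sample bytes are constructed for illustration.

```python
import struct
import uuid

# GUIDs defined in MS-ONESTORE; stored little-endian on disk.
ONE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le  # .one file type
FDSO_GUID = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le  # FileDataStoreObject
RISKY = {"lnk", "pe", "wsf", "hta/script"}  # assumed policy: kinds that should not be in a note

def classify(blob):
    head = blob[:512].lower()  # label by magic bytes or leading markup
    if blob.startswith(b"L\x00\x00\x00\x01\x14\x02\x00"):
        return "lnk"
    if blob.startswith(b"MZ"):
        return "pe"
    if b"<job" in head or b"<package" in head:
        return "wsf"
    if b"<hta:application" in head or b"<script" in head:
        return "hta/script"
    if blob.startswith(b"\x89PNG"):
        return "png"
    return "unknown"

def embedded_files(data):
    """Yield (offset, payload) for each FileDataStoreObject found in data."""
    pos = data.find(FDSO_GUID)
    while pos != -1 and pos + 36 <= len(data):
        # Layout: 16-byte GUID, 8-byte length, 4 unused, 8 reserved, file data.
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + 36
        length = min(length, len(data) - start)  # tolerate truncated files
        yield pos, data[start:start + length]
        pos = data.find(FDSO_GUID, start + length)

def triage(data):
    """Return [(offset, size, kind)] per embedded file, or None if not a .one file."""
    if not data.startswith(ONE_MAGIC):
        return None
    return [(off, len(p), classify(p)) for off, p in embedded_files(data)]

def is_suspicious(data):
    return any(kind in RISKY for _, _, kind in triage(data) or [])

def _fdso(payload):  # builds a minimal object for the constructed sample
    return FDSO_GUID + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload

# Constructed sample: a cover image plus an inert WSF stub, as the advisory describes.
SAMPLE = (ONE_MAGIC + b"\x00" * 64
          + _fdso(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
          + _fdso(b"<job id='demo'></job>"))
```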
Barracuda XDR Endpoint Security with SentinelOne observed multiple malicious .one files killed and quarantined in customer environments. None of the hash values of the malicious files were flagged by VirusTotal, which highlights the importance of behavior-based endpoint protection. Unlike traditional AV software that relies heavily on signature-based detection methods, SentinelOne was able to immediately identify the suspicious behavior and remediate the threat.
Why is it noteworthy?
When Microsoft began blocking macros by default in January 2022, threat actors needed to find new ways to deliver malware. In July 2022, the percentage of Office malware had dropped substantially. In an effort to find new vectors to distribute malware, attackers tried other file types, such as LNK, RAR, IMG, and ISO files. As malicious parties do more research on the best delivery method, different file types will come and go. Malicious OneNote files may be here to stay, at least for now. At the time of publication, none of the OneNote hash values observed by Barracuda XDR were detected by security vendors on VirusTotal.
What is the exposure or risk?
While the method of delivery may be new, phishing emails are a tale as old as time. Those most at risk from this new tactic will be those that don't invest in security awareness training. A company may orchestrate the largest of security efforts, utilizing the latest and greatest technology in cybersecurity, but human error will always be the biggest security risk.
What are the recommendations?
Barracuda MSP recommends the following actions to help prevent these types of attacks:
- Educate your employees:
  - Do not click on email links or download attachments from unknown or untrustworthy senders.
  - Do not ignore warning messages in programs such as Word, Excel, or OneNote. Warnings are annoying on purpose!
  - Utilize phishing awareness training campaigns to test employees’ safe email habits.
- Activate multi-factor authentication (MFA) wherever possible. Up to 99% of data breaches can be prevented if employees are protected by MFA.
- Practice basic cybersecurity hygiene. This includes proactive, 24x7x365 monitoring, a defense-in-depth cybersecurity strategy, and a Security Operations Center (SOC). Implementing advanced endpoint protection, such as Barracuda XDR Endpoint Security, can mitigate malware files such as these OneNote documents before they infect the user’s system.
- Barracuda SOC Team has developed and activated a new rule to monitor for this threat. Our customers will be alerted when this threat is detected within their environment.
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.crn.com/news/security/microsoft-onenote-evernote-phishing-attacks-are-threat-to-msps
- https://www.techradar.com/news/malicious-use-of-microsoft-onenote-documents-on-the-rise
- https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
If you have any questions, please contact our Security Operations Center.