Attackers Exploit Microsoft OneNote Attachments to Steal Credentials and Spread Malware

Microsoft documents have fallen prey to phishing attacks, and adversaries are continuously looking for new ways to disseminate malicious strains. Security vulnerabilities compromising Microsoft products frequently cause a stir in the cyber threat arena, affecting a broad number of users, like in the case Follina zero-day flaw and CVE-2022-22005.

Security researchers inform the global cyber defender community that hackers leverage Microsoft OneNote attachments in recent cyber attacks as a lure in phishing emails to install malware and gain unauthorized access to users’ sensitive data.

Detect Cyber Attacks Abusing OneNote Attachments

Cyber defenders are striving to be ultra-responsive to proactively defend against emerging threats and adversary TTPs. While threat actors are constantly experimenting with new attack vectors and tricky ways to spread malware, implementing proactive cyber defense practices can help organizations remediate any threats in a more efficient way. 

SOC Prime Platform aggregates a batch of Sigma rules to help security engineers timely identify the infection related to the OneNote attachments spread in phishing emails. All the detection content is compatible with 25+ SIEM, EDR, BDP, and XDR solutions and is mapped to the MITRE ATT&CK® framework v12.

Press the Explore Detections button below to access the full list of relevant detection content, accompanied by extensive metadata and CTI references.

Explore Detections

Microsoft OneNote Exploitation: Attack Analysis

Microsoft OneNote application, a widely-used desktop digital utility included in the Microsoft Office 2019 and Microsoft 365 packages, is currently being abused by attackers to launch phishing-based malware attacks. 

The infection chain starts by clicking a lure attachment, which launches a script and installs malware from remote websites. Trustwave SpiderLabs’ researchers have been observing the malicious activity abusing OneNote attachments since mid-December 2022, and the first warning bells concerning the vulnerability came from a tweet by Perception Point Attack Trends. According to cybersecurity researchers, the malware distributed via phishing emails and containing malicious spam (malspam) OneNote attachments can steal credentials to target cryptocurrency wallets and deploy other malware samples.

Microsoft no longer applies macros in its Office files, leaving hackers no chance to exploit Excel and Word documents to spread malicious strains. However, unlike Excel and Word, OneNote doesn’t support macros. The attack investigation reveals that most phishing emails apply a lure prompting potential victims to double-click the Trojanized attachment. Once clicked, it launches the malicious Visual Basic Script, which establishes communication with a remote server and attempts to install other malware, including a set of Trojans. The revealed malspam emails frequently impersonate shipping documents, invoices, and drawings. 

As potential mitigation measures, OneNote users are recommended to enable multi-factor authentication, use antivirus protection, and follow the best security practices for preventing phishing attacks.  

Given a constantly growing volume of cyber attacks abusing legitimate tools, which are used by thousands of users globally, security professionals require a reliable source of detection content to stay ahead of novel malicious tricks and approaches. Browse socprime.com to search for Sigma rules against current and emerging threats, including over 9,000 ideas for Detection Engineering and Threat Hunting along with comprehensive cyber threat context. Or upgrade to On Demand to unlock access for Premium Sigma rules to have the most relevant detections at hand and shave seconds off threat hunting operations.