There are plenty of phish in the digital sea, and attackers are constantly looking for new bait that helps them bypass security perimeters and land in user inboxes.
Their newest hook? OneNote documents. First noticed in December 2022, this phishing framework has seen success in fooling multiple antivirus (AV) tools by using .one file extensions, and January 2023 saw an attack uptick as compromises continued.
While this novel notes approach will eventually be phased out as phishing defenses catch up, current conditions make it worthwhile to understand how this attack works, what it means for organizations and what they can do to stay safe.
From Many to .One — the Impact of Macro-Economics
In July 2022, Microsoft disabled macros by default in all Office document types. Despite a temporary rollback in response to user concerns, auto-blocking of macros is now standard operating practice. While users can enable them after the fact, malicious actors can no longer rely on macros to make their phishing efforts easier.
To combat this cybersecurity change, attackers went looking for a new approach and found it in OneNote documents. For cyber criminals, the benefits of OneNote are two-fold. The first is novelty: Businesses aren’t expecting attacks in .one files. Next is efficacy: As noted by ZDNET, multiple AV tools did not flag OneNote attachments as malicious, even when they contained malware payloads.
How OneNote Malware Works
The first OneNote attacks were discovered in December 2022 as attackers experimented with new phishing methods. As of February 2023, more than 60 attacks were confirmed on companies in the manufacturing, industrial and education sectors.
Common payloads attached to malicious documents include AsyncRAT, AgentTesla, Doubleback and Redline. Malicious actors also created a mix of specific and general compromise campaigns. In the case of industrial and manufacturing firms, attachments appeared to be documents containing details about machine parts or specifications. Educational institutions were on the receiving end of more widespread campaigns that included fictitious invoices or offers of Christmas bonuses.
Despite the new file format, OneNote phishing attacks play out much like their more familiar counterparts. Victims must open the email message, open the attachment and then click through on malicious links. While OneNote does warn users about the risk of suspicious document links, this doesn’t always have the intended effect. Consider that 45% of all alerts are false positives and that one-third of IOT security staff ignore alerts if their queue is already full. Given that even security professionals don’t always investigate potential problems because they’re too busy or perceived threats may simply be common errors, it’s hardly surprising that front-line staff feel confident clicking through to OneNote documents despite system warnings.
Once inside a company’s network, malicious payloads delivered by OneNote documents can find, collect and exfiltrate sensitive data, including usernames, passwords and protected files.
Duck, Duck, Lose
Efforts are also underway to expand the impact of OneNote attacks by bundling documents with the QBot malware payload. Originally a banking trojan discovered in 2007, QBot — also called QakBot — has evolved into an initial access framework. As part of a phishing campaign, it takes on the task of gaining initial device access, in turn enabling attackers to load and execute additional malware payloads.
As noted by SC Magazine, a cyber crime group known as TA577 has leveraged QBot-based attacks to gain system access, then steal and sell collected data to other cyber criminals. Known as QakNote, this new attack approach has quickly gained ground. Since early February, attackers have pressed their advantage to hook as many phish as possible before the pond dries up.
In practice, QBot attacks start with an embedded HTML application (HTA) that retrieves QBot when users click on malicious links. Then, an HTA script uses the curl.exe application to download a DLL file that contains QBot. This file is placed in the C:\ProgramData folder and executed using Rundll32.exe. Finally, the payload injects itself into the Windows Assistive Technology file — AtBroker.exe — to conceal itself from security tools.
Foiling the Phish
Recognizing OneNote issues is the first step in reducing risk. But what else can companies do to limit the chance of compromise?
Thankfully, the novel nature of the note attack doesn’t change the overall security strategy. First, companies need to implement robust spam filters to keep the bulk of potentially problematic emails out of user inboxes. This approach works well because it doesn’t just emphasize detecting the malicious nature of OneNote documents. Rather, it focuses on identifying messages as spam, which is often a more straightforward task.
Next is cybersecurity education which focuses on secure computing habits. While this includes reminders to heed security warnings, it’s also critical for companies to offer more proactive advice that helps staff spot phishing efforts more easily. As social engineering efforts become more in-depth, this education is shifting away from more generic recommendations such as seeking out grammar or spelling errors. Instead, it takes a more considered approach that focuses on questions. Common questions for staff include: Why am I receiving this email? Do I know the sender? Was I asking for these documents? What action are they asking me to take? It’s also worth running regular phishing exercises to see if staff can spot security risks before they click through.
Slow and Steady
Lastly, enterprises need to prioritize the value of slowing down when it comes to improving security. This is because company culture often prioritizes speed. Staff want to meet deadlines and avoid setbacks on current projects, meaning that potential security threats may be sidelined in favor of keeping tasks on track. To address this, IT teams need to seek out C-suite support for policies that require staff to report potential problems and make it clear that this reporting takes priority over other tasks. It’s also worth implementing a system that allows staff to quickly flag emails for IT review.
Bottom line? Security teams need to take note and take action. The shift away from macro-based malware may have closed one digital door, but it opened a window for new phishing frameworks.