There are plenty of phish in the digital sea, and attackers are constantly looking for new bait that helps them bypass security perimeters and land in user inboxes.

Their newest hook? OneNote documents. First noticed in December 2022, this phishing framework has seen success in fooling multiple antivirus (AV) tools by using .one file extensions, and January 2023 saw an attack uptick as compromises continued.

While this novel notes approach will eventually be phased out as phishing defenses catch up, current conditions make it worthwhile to understand how this attack works, what it means for organizations and what they can do to stay safe.

From Many to .One — the Impact of Macro-Economics

In July 2022, Microsoft disabled macros by default in all Office document types. Despite a temporary rollback in response to user concerns, auto-blocking of macros is now standard operating practice. While users can enable them after the fact, malicious actors can no longer rely on macros to make their phishing efforts easier.

To combat this cybersecurity change, attackers went looking for a new approach and found it in OneNote documents. For cyber criminals, the benefits of OneNote are two-fold. The first is novelty: Businesses aren’t expecting attacks in .one files. Next is efficacy: As noted by ZDNET, multiple AV tools did not flag OneNote attachments as malicious, even when they contained malware payloads.

How OneNote Malware Works

The first OneNote attacks were discovered in December 2022 as attackers experimented with new phishing methods. As of February 2023, more than 60 attacks were confirmed on companies in the manufacturing, industrial and education sectors.

Common payloads attached to malicious documents include AsyncRAT, AgentTesla, Doubleback and Redline. Malicious actors also created a mix of specific and general compromise campaigns. In the case of industrial and manufacturing firms, attachments appeared to be documents containing details about machine parts or specifications. Educational institutions were on the receiving end of more widespread campaigns that included fictitious invoices or offers of Christmas bonuses.

Despite the new file format, OneNote phishing attacks play out much like their more familiar counterparts. Victims must open the email message, open the attachment and then click through on malicious links. While OneNote does warn users about the risk of suspicious document links, this doesn’t always have the intended effect. Consider that 45% of all alerts are false positives and that one-third of IOT security staff ignore alerts if their queue is already full. Given that even security professionals don’t always investigate potential problems because they’re too busy or perceived threats may simply be common errors, it’s hardly surprising that front-line staff feel confident clicking through to OneNote documents despite system warnings.

Once inside a company’s network, malicious payloads delivered by OneNote documents can find, collect and exfiltrate sensitive data, including usernames, passwords and protected files.

Duck, Duck, Lose

Efforts are also underway to expand the impact of OneNote attacks by bundling documents with the QBot malware payload. Originally a banking trojan discovered in 2007, QBot — also called QakBot — has evolved into an initial access framework. As part of a phishing campaign, it takes on the task of gaining initial device access, in turn enabling attackers to load and execute additional malware payloads.

As noted by SC Magazine, a cyber crime group known as TA577 has leveraged QBot-based attacks to gain system access, then steal and sell collected data to other cyber criminals. Known as QakNote, this new attack approach has quickly gained ground. Since early February, attackers have pressed their advantage to hook as many phish as possible before the pond dries up.

In practice, QBot attacks start with an embedded HTML application (HTA) that retrieves QBot when users click on malicious links. Then, an HTA script uses the curl.exe application to download a DLL file that contains QBot. This file is placed in the C:\ProgramData folder and executed using Rundll32.exe. Finally, the payload injects itself into the Windows Assistive Technology file — AtBroker.exe — to conceal itself from security tools.

Foiling the Phish

Recognizing OneNote issues is the first step in reducing risk. But what else can companies do to limit the chance of compromise?

Thankfully, the novel nature of the note attack doesn’t change the overall security strategy. First, companies need to implement robust spam filters to keep the bulk of potentially problematic emails out of user inboxes. This approach works well because it doesn’t just emphasize detecting the malicious nature of OneNote documents. Rather, it focuses on identifying messages as spam, which is often a more straightforward task.

Next is cybersecurity education which focuses on secure computing habits. While this includes reminders to heed security warnings, it’s also critical for companies to offer more proactive advice that helps staff spot phishing efforts more easily. As social engineering efforts become more in-depth, this education is shifting away from more generic recommendations such as seeking out grammar or spelling errors. Instead, it takes a more considered approach that focuses on questions. Common questions for staff include: Why am I receiving this email? Do I know the sender? Was I asking for these documents? What action are they asking me to take? It’s also worth running regular phishing exercises to see if staff can spot security risks before they click through.

Slow and Steady

Lastly, enterprises need to prioritize the value of slowing down when it comes to improving security. This is because company culture often prioritizes speed. Staff want to meet deadlines and avoid setbacks on current projects, meaning that potential security threats may be sidelined in favor of keeping tasks on track. To address this, IT teams need to seek out C-suite support for policies that require staff to report potential problems and make it clear that this reporting takes priority over other tasks. It’s also worth implementing a system that allows staff to quickly flag emails for IT review.

Bottom line? Security teams need to take note and take action. The shift away from macro-based malware may have closed one digital door, but it opened a window for new phishing frameworks.

More from Risk Management

Security Awareness Training 101: Which Employees Need It?

4 min read - To understand why you need cybersecurity awareness training, you must first understand employees' outsized roles in security breaches. “People remain — by far — the weakest link in an organization’s cybersecurity defenses,” noted Verizon on the release of their 2022 Data Breach Investigations Report (DBIR). They elaborate that 25% of all breaches covered in the report were the result of social engineering attacks, and when you add human errors and misuse of privilege, the human element accounts for 82% of…

4 min read

Secure-by-Design: Which Comes First, Code or Security?

4 min read - For years, developers and IT security teams have been at loggerheads. While developers feel security slows progress, security teams assert that developers sacrifice security priorities in their quest to accelerate production. This disconnect results in flawed software that is vulnerable to attack. While advocates for speed and security clash, consumers must often pay the price when threat actors strike. 48% of developers admitted they were still shipping code with vulnerabilities in 2022. It’s clearly time for a change. Many believe…

4 min read

Will Commercial Spyware Survive Biden’s Executive Order?

4 min read - On March 27, 2023, reports surfaced that 50 U.S. government employees had been targeted by phone spyware overseas. On the day of that report, President Joe Biden signed an executive order to restrict federal agencies’ use of commercial spyware. The timing of the order was linked to this specific phone-targeting exploit. But spyware infiltration of government officials — and by government officials — has been a recurring problem globally. Commercial spyware has long been entwined with statecraft and spycraft, both…

4 min read

How to Boost Cybersecurity Through Better Communication

4 min read - Security would be easy without users. That statement is as absurd as it is true. It’s also true that business wouldn’t be possible without users. It’s time to look at the big picture when it comes to cybersecurity. In addition to dealing with every new risk, vulnerability and attack vector that comes along, cybersecurity pros need to understand their own fellow employees - how they think, how they learn and what they really want. The human element — the individual and…

4 min read