Microsoft OneNote Documents Delivering Malware

In a continuing sign that threat actors are adapting well to a post-macro world, it has emerged that the use of Microsoft OneNote documents to deliver malware via phishing attacks is on the rise.

Some of the notable malware families that are being distributed using this method include AsyncRAT, RedLine Stealer, Agent Tesla, DOUBLEBACK, Quasar RAT, XWorm, Qakbot, BATLOADER, and FormBook.

Enterprise security firm Proofpoint said it detected over 50 campaigns leveraging OneNote attachments in the month of January 2023 alone.

In some instances, the email phishing lures contain a OneNote file, which, in turn, embeds an HTA file that invokes a PowerShell script to retrieve a malicious binary from a remote server.


Other scenarios entail the execution of a rogue VBScript that's embedded within the OneNote document and concealed behind an image that appears as a seemingly harmless button. The VBScript, for its part, is designed to drop a PowerShell script to run DOUBLEBACK.

"It is important to note, an attack is only successful if the recipient engages with the attachment, specifically by clicking on the embedded file and ignoring the warning message displayed by OneNote," Proofpoint said.

The infection chains are made possible owing to a OneNote feature that allows for the execution of select file types directly from within the note-taking application in what's a case of a "payload smuggling" attack.

"Most file types that can be processed by MSHTA, WSCRIPT, and CSCRIPT can be executed from within OneNote," TrustedSec researcher Scott Nusbaum said. "These file types include CHM, HTA, JS, WSF, and VBS."

Microsoft OneNote

As remedial actions, Finnish cybersecurity firm WithSecure is recommending users block OneNote mail attachments (.one and .onepkg files) and keep close tabs on the operations of the OneNote.exe process.

The shift to OneNote is seen as a response to Microsoft's decision to disallow macros by default in Microsoft Office applications downloaded from the internet last year, prompting threat actors to experiment with uncommon file types such as ISO, VHD, SVG, CHM, RAR, HTML, and LNK.

The aim behind blocking macros is two-fold: To not only reduce the attack surface but also increase the effort required to pull off an attack, even as email continues to be the top delivery vector for malware.


But these are not the only options that have become a popular way to conceal malicious code. Microsoft Excel add-in (XLL) files and Publisher macros have also been put to use as an attack pathway to skirt Microsoft's protections and propagate a remote access trojan called Ekipa RAT and other backdoors.

The abuse of XLL files hasn't gone unnoticed by the Windows maker, which is planning an update to "block XLL add-ins coming from the internet," citing an "increasing number of malware attacks in recent months." The option is expected to be available sometime in March 2023.

When reached for comment, Microsoft told The Hacker News that it had nothing further to share at this time.

"It's clear to see how cybercriminals leverage new attack vectors or less-detected means to compromise user devices," Bitdefender's Adrian Miron said. "These campaigns are likely to proliferate in coming months, with cybercrooks testing out better or improved angles to compromise victims."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.