Post-Macro World Sees Rise in Microsoft OneNote Documents Delivering Malware
Feb 03, 2023
Attack Vector / Endpoint Security
In a continuing sign that threat actors are adapting well to a post-macro world, it has emerged that the use of Microsoft OneNote documents to deliver malware via phishing attacks is on the rise.

Some of the notable malware families that are being distributed using this method include AsyncRAT, RedLine Stealer, Agent Tesla, DOUBLEBACK, Quasar RAT, XWorm, Qakbot, BATLOADER, and FormBook.

Enterprise security firm Proofpoint said it detected over 50 campaigns leveraging OneNote attachments in the month of January 2023 alone.

In some instances, the email phishing lures contain a OneNote file, which, in turn, embeds an HTA file that invokes a PowerShell script to retrieve a malicious binary from a remote server.

Other scenarios entail the execution of a rogue VBScript that's embedded within the OneNote document and concealed behind an image that appears as a seemingly harmless button. The VBScript, for its part, is designed to drop a PowerShell script to run DOUBLEBACK
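The delivery chain above relies on attachments (HTA, VBScript, PowerShell, executables) being embedded inside the OneNote file itself. As an added triage example, not code from the article or from any vendor named in it, the script below walks a .one file for FileDataStoreObject structures (the wrapper the MS-ONESTORE format uses for embedded attachments; the header GUID and 36-byte header layout are taken from that specification) and flags payloads whose content looks like script or executable. The content heuristics and the sample .one fragment are constructed for illustration.

```python
import re
import struct
from typing import Dict, List

# Header GUID of a FileDataStoreObject, the structure that wraps every embedded
# attachment in the OneNote .one binary format (MS-ONESTORE
# {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}, stored little-endian on disk).
FILE_DATA_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
HEADER_SIZE = 16 + 8 + 4 + 8  # guidHeader + cbLength (uint64) + unused + reserved

# Content heuristics for the payload types named in the article (HTA, VBScript,
# PowerShell) plus PE executables. Constructed triage rules, not a vendor ruleset.
SIGNATURES = [
    ("pe-executable", re.compile(rb"\AMZ")),
    ("hta", re.compile(rb"<hta:application|<script\b", re.I)),
    ("vbscript", re.compile(rb"\bCreateObject\s*\(|\bWScript\.", re.I)),
    ("powershell", re.compile(rb"powershell|Invoke-(WebRequest|Expression)", re.I)),
]


def extract_embedded_files(data: bytes) -> List[Dict]:
    """Walk every FileDataStoreObject in a .one blob and classify its payload."""
    findings = []
    pos = data.find(FILE_DATA_HEADER)
    while pos != -1 and pos + HEADER_SIZE <= len(data):
        (length,) = struct.unpack_from("<Q", data, pos + 16)  # cbLength follows the GUID
        start = pos + HEADER_SIZE
        payload = data[start:start + length]
        kinds = [name for name, rx in SIGNATURES if rx.search(payload)]
        findings.append({"offset": pos, "size": length, "types": kinds or ["unknown"]})
        pos = data.find(FILE_DATA_HEADER, start + length)  # skip past this payload
    return findings


def is_suspicious(findings: List[Dict]) -> bool:
    """True if any embedded attachment looks like script or executable content."""
    return any(t != "unknown" for f in findings for t in f["types"])


def _wrap(payload: bytes) -> bytes:
    """Build a FileDataStoreObject around payload (constructed test data only)."""
    return FILE_DATA_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload


# Constructed sample: an HTA that launches PowerShell, stored next to a harmless image.
HTA_SAMPLE = (b'<hta:application><script language="VBScript">'
              b'CreateObject("WScript.Shell").Run "powershell -File stage2.ps1"</script>')
IMAGE_SAMPLE = b"\x89PNG\r\n\x1a\n constructed image bytes"
SAMPLE_ONE = b"constructed .one fragment " + _wrap(HTA_SAMPLE) + b"\0" * 8 + _wrap(IMAGE_SAMPLE)

if __name__ == "__main__":
    for f in extract_embedded_files(SAMPLE_ONE):
        print(f"offset={f['offset']} size={f['size']} types={','.join(f['types'])}")
    print("suspicious:", is_suspicious(extract_embedded_files(SAMPLE_ONE)))
```

Run against a real .one attachment by reading the file into `data`; a hit on an image-only notebook would be "unknown" for every object, while the HTA/VBScript lures described above light up the script heuristics.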