Microsoft OneNote | Breaking Cybersecurity News | The Hacker News

Microsoft has announced plans to automatically block embedded files with "dangerous extensions" in OneNote following reports that the note-taking service is being  increasingly abused  for malware delivery. Up until now, users were shown a dialog warning them that opening such attachments could harm their computer and data, but it was possible to dismiss the prompt and open the files. That's going to change going forward. Microsoft said it intends to prevent users from directly opening an embedded file with a dangerous extension and display the message: "Your administrator has blocked your ability to open this file type in OneNote." The update is expected to start rolling out with Version 2304 later this month and only impacts OneNote for Microsoft 365 on devices running Windows. It does not affect other platforms, including macOS, Android, and iOS, as well as OneNote versions available on the web and for Windows 10. "By default, OneNote blocks the sa

Multiple threat actors have been observed using two new variants of the  IcedID malware  in the wild with more limited functionality that removes functionality related to online banking fraud. IcedID, also known as BokBot, started off as a banking trojan in 2017. It's also capable of delivering additional malware, including ransomware. "The well-known IcedID version consists of an initial loader which contacts a Loader [command-and-control] server, downloads the standard DLL Loader, which then delivers the standard IcedID Bot," Proofpoint  said  in a new report published Monday. One of the new versions is a Lite variant that was  previously highlighted  as being dropped as a follow-on payload by the  Emotet malware  in November 2022. Also newly observed in February 2023 is a Forked variant of IcedID. Both these variants are designed to drop what's called a Forked version of IcedID Bot that leaves out the web injects and backconnect functionality that would typic

As a vCISO, you are responsible for your client's cybersecurity strategy and risk governance. This incorporates multiple disciplines, from research to execution to reporting. Recently, we published a comprehensive playbook for vCISOs, "Your First 100 Days as a vCISO – 5 Steps to Success" , which covers all the phases entailed in launching a successful vCISO engagement, along with recommended actions to take, and step-by-step examples.  Following the success of the playbook and the requests that have come in from the MSP/MSSP community, we decided to drill down into specific parts of vCISO reporting and provide more color and examples. In this article, we focus on how to create compelling narratives within a report, which has a significant impact on the overall MSP/MSSP value proposition.  This article brings the highlights of a recent guided workshop we held, covering what makes a successful report and how it can be used to enhance engagement with your cyber security clients.

A new phishing campaign has set its sights on European entities to distribute Remcos RAT and Formbook via a malware loader dubbed  DBatLoader . "The malware payload is distributed through WordPress websites that have authorized SSL certificates, which is a common tactic used by threat actors to evade detection engines," Zscaler researchers Meghraj Nandanwar and Satyam Singh  said  in a report published Monday. The findings build upon a previous report from SentinelOne last month that detailed phishing emails containing malicious attachments that masquerade as financial documents to activate the infection chain. Some of the file formats used to distribute the DBatLoader payload concern the use of a multi-layered obfuscated HTML file and OneNote attachments. The development adds to  growing abuse  of  OneNote files  as an initial vector for malware distribution since late last year in response to Microsoft's decision to block macros by default in files downloaded f

The notorious Emotet malware, in its  return after a short hiatus , is now being distributed via  Microsoft OneNote email attachments  in an attempt to bypass macro-based security restrictions and compromise systems. Emotet , linked to a threat actor tracked as Gold Crestwood, Mummy Spider, or TA542, continues to be a potent and resilient threat despite attempts by law enforcement to take it down. A  derivative  of the  Cridex   banking worm  – which was  subsequently   replaced  by  Dridex  around the same time GameOver Zeus was disrupted in 2014 – Emotet has  evolved  into a "monetized platform for other threat actors to run malicious campaigns on a pay-per-install (PPI) model, allowing theft of sensitive data and ransom extortion." While Emotet infections have acted as a  conduit  to deliver Cobalt Strike, IcedID, Qakbot, Quantum ransomware, and TrickBot, its return in late 2021 was  facilitated  by means of TrickBot. "Emotet is known for extended periods of ina

In a continuing sign that threat actors are adapting well to a  post-macro world , it has emerged that the use of Microsoft OneNote documents to deliver malware via phishing attacks is on the rise. Some of the notable malware families that are being distributed using this method include AsyncRAT,  RedLine Stealer , Agent Tesla,  DOUBLEBACK , Quasar RAT, XWorm,  Qakbot ,  BATLOADER , and  FormBook . Enterprise security firm Proofpoint said it detected over 50 campaigns leveraging OneNote attachments in the month of January 2023 alone. In some instances, the email phishing lures contain a OneNote file, which, in turn, embeds an HTA file that invokes a PowerShell script to retrieve a malicious binary from a remote server. Other scenarios entail the execution of a rogue VBScript that's embedded within the OneNote document and concealed behind an image that appears as a seemingly harmless button. The VBScript, for its part, is designed to drop a PowerShell script to run DOUBLEBACK