Executive Summary

Malicious OneNote file attachments in phishing emails are beginning to increase in January 21, 2023 as a new attack vector to replace malicious macros in Office documents that Microsoft disabled in July 2022, leaving threat actors with fewer options to execute code on targets’ devices.

Microsoft OneNote is a desktop digital notebook application that can be downloaded for free and is included in Microsoft Office 2019 and Microsoft 365.Unlike Word and Excel, OneNote does not support macros, which is how threat actors previously launched scripts to install malware. Instead, OneNote allows users to insert attachments into a NoteBook that, when double-clicked, will launch the attachment.

Threat actors are abusing this feature by embedding almost any file type when creating malicious OneNote documents, including VBS attachments or LNK files. These are then executed when a user double-clicks on the embedded attachment in a OneNote Notebook.

Example of delivered OneNote attachment contains malicious BAT file that execute QakBot :

Malware Execution Flow

1. A Qakbot-transmitted malspam with a OneNote attachment

2. Clicking the “Open” button embedded in the OneNote page to executes the QakBot malware downloader. The decoded script from the .hta that performs the payload download :

3. QakBot execution. This script code passes a hardcoded URL to the curl.exe application, which retrieves the file at the other end. The samples on the servers had image-format file suffixes, such as .png or .gif, but they were actually DLLs. The script then copies the downloaded file to the C:\ProgramData folder and then launches the DLL using the function “Wind” in the command to execute it.On this test system, the Qakbot malware payload injected itself into AtBroker.exe, the Windows Assistive Technology manager, a standard Windows application.

Protection and Mitigation

• Ensure antivirus signatures are up-to-date.
• Confirm endpoint detection and response technology are deployed across all endpoints.
• If not required for legitimate business purposes, consider blocking OneNote attachments in emails.
• Train users to identify and report potentially malicious content.
• Users should specifically be aware of the threat of OneNote documents for malware delivery.