Malicious use of Microsoft OneNote documents on the rise


The use of Microsoft OneNote documents to distribute malware to unsuspecting users is gaining momentum, say cybersecurity researchers at Proofpoint.

OneNote is Microsoft’s digital note-taking app, which is part of the Office productivity suite. Cybercriminals can therefore assume that most of their victims have already installed the app on their endpoints.

OneNote files, called notebooks, allow users to embed attachments, and an embedded script or executable runs when the user double-clicks it; the attachment can then download and run malware from a remote location. OneNote does show a warning before opening an embedded file, but victims are easily talked into clicking through it. According to recent reports, hackers distributed notebooks whose contents appeared faded or blurred, overlaid with the message “double click to view contents”, tricking victims into believing that the contents of the file were protected.
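Because the lure hides the attachment behind an image, the fastest way to triage a suspicious .one file is to carve the embedded attachments out of it directly. The following is an added example, not code from the article or from Proofpoint: it scans a section file for the FileDataStoreObject structure defined in Microsoft's MS-ONESTORE specification (a fixed GUID header, an 8-byte little-endian length, 12 bytes of padding, the file bytes, and a GUID footer) and applies a few assumed content heuristics to label what it finds. The sample blob is constructed inline and the HTA body in it is inert text.

```python
"""Carve embedded attachments (FileDataStoreObject) out of a OneNote .one blob.

Added example, not from the article or Proofpoint. Layout per MS-ONESTORE:
  guidHeader (16) | cbLength (8, LE) | unused (4) | reserved (8) | FileData (cbLength) | guidFooter (16)
"""
import struct

# GUIDs in on-disk byte order (Data1..Data3 little-endian, Data4 as written).
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")  # {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")  # {71FBA722-0F79-4A0B-BB13-899256426B24}
FDSO_HEADER_LEN = 16 + 8 + 4 + 8

# Assumed heuristics: the FDSO carries no file name, so classify by content.
SUSPICIOUS = {"pe", "hta/script", "vbs/wsh", "powershell", "batch"}


def classify(payload: bytes) -> str:
    """Rough content-based label for an extracted attachment."""
    if payload.startswith(b"MZ"):
        return "pe"
    if payload.startswith(b"\x89PNG") or payload.startswith(b"\xff\xd8\xff"):
        return "image"
    head = payload[:4096].lower()
    if b"<script" in head or b"hta:application" in head:
        return "hta/script"
    if b"wscript" in head or b"createobject(" in head:
        return "vbs/wsh"
    if b"powershell" in head or b"invoke-expression" in head:
        return "powershell"
    if b"cmd.exe" in head or head.startswith(b"@echo off"):
        return "batch"
    return "unknown"


def extract_embedded_files(data: bytes) -> list:
    """Return every FileDataStoreObject in the blob, tolerating corrupt or truncated lengths."""
    found = []
    pos = 0
    while (idx := data.find(FDSO_HEADER, pos)) != -1:
        if idx + FDSO_HEADER_LEN > len(data):
            break
        cb_length = struct.unpack_from("<Q", data, idx + 16)[0]
        start = idx + FDSO_HEADER_LEN
        payload = data[start:start + cb_length]
        footer_ok = data[start + cb_length:start + cb_length + 16] == FDSO_FOOTER
        found.append({"offset": idx, "size": cb_length, "kind": classify(payload),
                      "footer_ok": footer_ok, "data": payload})
        # Trust cb_length to skip ahead only when the footer confirms it; otherwise resume just past the header
        # so a bogus length cannot hide the objects that follow it.
        pos = start + cb_length + 16 if footer_ok else idx + 16
    return found


def is_suspicious(found: list) -> bool:
    return any(f["kind"] in SUSPICIOUS for f in found)


def _fdso(payload: bytes) -> bytes:
    """Serialize one FileDataStoreObject (used only to build the constructed sample)."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 4 + b"\0" * 8 + payload + FDSO_FOOTER


def build_sample(with_corrupt_header: bool = False) -> bytes:
    """Constructed stand-in for a malicious section: a lure image plus an HTA-style attachment.
    The script body is inert text, not a working dropper."""
    lure = b"\x89PNG\r\n\x1a\n" + b"\0" * 32  # stand-in for the "double click to view" image
    hta = (b"<html><script language='vbscript'>\n"
           b"Set sh = CreateObject(\"WScript.Shell\")\n"
           b"' constructed: a real sample would launch a downloader here\n"
           b"</script></html>")
    filler = b"\x00" * 64
    blob = filler + _fdso(lure) + filler + _fdso(hta) + filler
    if with_corrupt_header:
        # A header claiming an impossible length with no footer, as a damaged or deliberately broken file might.
        blob = FDSO_HEADER + struct.pack("<Q", 2 ** 40) + b"\0" * 12 + blob
    return blob


if __name__ == "__main__":
    for f in extract_embedded_files(build_sample()):
        print(f"offset={f['offset']:#x} size={f['size']} kind={f['kind']} footer_ok={f['footer_ok']}")
```

Run it against a real section file with `extract_embedded_files(open(path, "rb").read())`; anything labelled in SUSPICIOUS deserves a closer look regardless of what the antivirus verdict says.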

Low detection rates

In a detailed report published on the company blog earlier this week, Proofpoint researchers said they had identified six campaigns in December 2022 that used OneNote attachments to deliver the AsyncRAT malware.

A month later, in January 2023, they observed more than 50 campaigns. In addition to AsyncRAT, these campaigns delivered Redline Stealer, AgentTesla, and DOUBLEBACK. More recently, the threat actor known as TA577 used OneNote attachments to deliver Qbot.

Proofpoint's researchers believe the shift to OneNote is the result of deliberate experimentation rather than chance: after trying different attachment types, attackers settled on OneNote because detection rates for these files have so far been minimal.

At the time of writing, Proofpoint says “several” malware samples were not detected by antivirus vendors on VirusTotal.

The best defence is the same as always: train employees not to open attachments or click links in email from senders they don't know, don't trust, or can't verify, and not to click through the warnings that Word, Excel, or OneNote show before running embedded content. Where OneNote files are not exchanged by email as a matter of course, blocking .one attachments at the mail gateway stops the lure before it reaches a user. Beyond that, a strong endpoint security product and a firewall help.

Finally, activating multi-factor authentication (MFA) where possible greatly reduces the chance of a more serious compromise.
