Malicious use of Microsoft OneNote documents on the rise


The use of Microsoft OneNote documents to distribute malware to unsuspecting users is picking up pace, cybersecurity researchers from Proofpoint have claimed.

OneNote is Microsoft’s digital note-taking app, which ships as part of the Office productivity suite. Cybercriminals can therefore assume that most of their victims already have the app installed on their endpoints.

OneNote’s files, called NoteBooks, allow users to add attachments, and those attachments can download malware from remote locations. All a victim needs to do is double-click the attachment, which they can easily be tricked into doing. Recent reports saw hackers distribute blurred NoteBooks carrying the message “double-click to view the contents”, tricking victims into believing the file’s contents are being protected.

Low detection rates

In a detailed report published on the company blog earlier this week, Proofpoint’s researchers said they identified six campaigns in December 2022 that used OneNote to deliver the AsyncRAT malware.

A month later, in January 2023, they discovered more than 50 campaigns. Besides AsyncRAT, the crooks were delivering Redline Stealer, AgentTesla, and DOUBLEBACK. More recently, the threat actor known as TA577 used it to deliver Qbot. 

Proofpoint’s researchers believe the move to OneNote is the result of deliberate experimentation: after trying different attachment types, the attackers settled on OneNote because detection rates have so far been minimal.

At press time, Proofpoint said that “multiple” malware samples were still going undetected by the antivirus engines on VirusTotal.
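One defender-side check that follows from the mechanism described above (attachments embedded in the section file, and samples slipping past signature-based antivirus) is to triage the embedded files directly. The following is an added example, not Proofpoint’s or Microsoft’s code: it relies on the FileDataStoreObject header GUID documented in Microsoft’s MS-ONESTORE file-format specification, while the classification heuristics and the sample bytes are constructed here for illustration.

```python
import struct
import uuid

# guidHeader of FileDataStoreObject (MS-ONESTORE); every attachment embedded in a
# .one section is wrapped in one of these structures, so it is a cheap triage hook.
FDSO_GUID = uuid.UUID("bde316e7-2665-4511-a4c4-8d4d0b7a9eac").bytes_le
HEADER_LEN = 16 + 8 + 4 + 8  # guidHeader, cbLength (uint64 LE), unused, reserved

# Heuristic type labels (constructed for this example, not an exhaustive list).
MAGIC = {b"MZ": "pe", b"PK": "zip", b"%PDF": "pdf", b"\x89PNG": "image", b"\xff\xd8": "image"}
SCRIPT_MARKERS = (b"<script", b"<hta:", b"createobject(", b"powershell", b"cmd.exe", b"@echo off")

def extract_embedded_files(data):
    """Yield (offset, payload) for every FileDataStoreObject found in a .one byte buffer."""
    pos = data.find(FDSO_GUID)
    while pos != -1 and pos + HEADER_LEN <= len(data):
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + HEADER_LEN
        payload = data[start:start + length]  # a truncated file simply yields a shorter payload
        yield pos, payload
        pos = data.find(FDSO_GUID, start + len(payload))

def classify(payload):
    """Coarse type label from magic bytes, then from script markers in the first 4 KiB."""
    for magic, kind in MAGIC.items():
        if payload.startswith(magic):
            return kind
    head = payload[:4096].lower()
    if any(marker in head for marker in SCRIPT_MARKERS):
        return "script"
    return "unknown"

def triage(data):
    """Count embedded files and flag anything that is not an image (page thumbnails are expected)."""
    kinds = [classify(payload) for _, payload in extract_embedded_files(data)]
    return {"embedded": len(kinds), "kinds": kinds,
            "suspicious": sum(k != "image" for k in kinds)}

def wrap(payload):
    """Build one FileDataStoreObject around payload (used only to construct the sample below)."""
    return FDSO_GUID + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload

# Constructed sample section: a harmless PNG-like thumbnail followed by an HTML/script blob.
SAMPLE_ONE = (b"\0" * 64 + wrap(b"\x89PNG\r\n\x1a\n" + b"\0" * 16) + b"\0" * 32
              + wrap(b"<html><script language=\"VBScript\">' constructed sample</script></html>"))

if __name__ == "__main__":
    print(triage(SAMPLE_ONE))  # {'embedded': 2, 'kinds': ['image', 'script'], 'suspicious': 1}
```

Running this over attachments from a mail gateway quarantine gives a count of non-image embedded objects per file, which is a far more stable signal than a per-sample hash.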

The best way to protect against these attacks is the same as it always was: educate your employees not to download attachments or click on email links from people they don’t know, don’t trust, or whose identity cannot be confirmed. They should also be taught not to ignore the warning prompts shown by programs such as Word, Excel, or OneNote. Beyond that, a strong antivirus solution and a firewall are welcome.

Finally, activating multi-factor authentication (MFA) wherever possible greatly reduces the chances of more serious compromise. 

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.