Making notes is part and parcel of any working day, so it’s fantastic that we have apps such as Microsoft’s OneNote. Except when it opens you up to malware.
Part of the Microsoft Office suite, OneNote is an app which allows you to create notes and store them in one central location. You can create text documents, drawings and tables on a blank canvas and then access them from any location. While it has proved popular with business users, it has also been readily adopted by threat actors for malicious means. This is because OneNote also allows you to share its files – known as notebooks – with other users, which gives malicious software a way to spread.
How Has OneNote Been Compromised?
The malware risk with OneNote has been growing for some time and can be evidenced by the following attacks:
- Qbot: Active in the digital landscape since 2007, Qbot began being passed around via OneNote notebooks in January 2023. These notebooks were distributed, at first, through a series of malicious spam email campaigns where embedded links redirected users to the malicious notebooks. However, it also turned out that existing email threads were being hijacked, with malicious notebooks being attached to trick the recipients. With Qbot activated, threat actors were able to steal data and download further malware.
- AsyncRAT: Posing as Canadian fuel provider Ultramar, threat actors sent phishing emails to recipients which contained ‘invoices’ in the form of notebooks. These invoices, though, were far from genuine. In fact, all they contained was the AsyncRAT malware. And, once activated, AsyncRAT would provide remote access to threat actors. This means that they would have the power to steal data, download further malware onto infected systems and compromise networks.
- Formbook: In December 2022, it was discovered that the information-stealing malware Formbook had been at the heart of another OneNote campaign. Using phishing methods, the Formbook malware was delivered in an email claiming to be from a customer seeking a quote. The attached notebook file was used to activate a Windows Script File which, in turn, unleashed Formbook’s malicious activity. Again, Formbook was primarily used as a data thief, stealing data from website forms, clipboards, and keystrokes.
Staying Safe from OneNote Attacks
With OneNote’s notebooks becoming a popular method for cyber-attacks, it’s crucial you understand how to deal with them. Therefore, make sure you practice the following:
- Block notebook files: If your organization doesn’t use OneNote files, the best thing to do is block notebook files in your email servers. This will minimize the risk of these attachments appearing in your employees’ inboxes and ensure the malware can’t be activated.
- Understand what phishing is: With over 255 million phishing attacks in just six months in 2022, it’s clear to see that phishing poses a credible threat. This means it’s vital your organization understands how phishing campaigns work and the best ways to defend against them.
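The attachment blocking described in the list above can be checked on content as well as on file name, so a notebook renamed to look like a PDF is still caught. The following is an added example, not code from the original article: the function names, addresses and sample message are constructed for illustration, and the header GUIDs are the file-type identifiers from Microsoft's published OneNote file format.

```python
import uuid
from email import message_from_bytes, policy
from email.message import EmailMessage

# File-type GUIDs that open a OneNote file, stored little-endian on disk.
ONE_MAGICS = (
    uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le,  # .one section
    uuid.UUID("43FF2FA1-EFD9-4C76-9EE2-10EA5722765F").bytes_le,  # .onetoc2 index
)
# .onepkg is a packaged notebook, so it is matched by extension only.
ONE_EXTENSIONS = (".one", ".onepkg", ".onetoc2")

def onenote_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for every MIME part that should be blocked."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also descends into forwarded messages
        if part.is_multipart():
            continue
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(ONE_MAGICS):
            hits.append((name, "onenote-header"))
        elif name.lower().endswith(ONE_EXTENSIONS):
            hits.append((name, "onenote-extension"))
    return hits

def build_sample() -> bytes:
    """Constructed message: a renamed notebook, a .ONE file and a harmless PDF."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    renamed = ONE_MAGICS[0] + b"\x00" * 32  # header bytes only, no real content
    msg.add_attachment(renamed, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="Quote.ONE")
    msg.add_attachment(b"%PDF-1.7 constructed", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in onenote_attachments(build_sample()):
        print(f"BLOCK {name}: {reason}")
```

Notebooks delivered inside archives or behind links, as in the Qbot campaign above, are not seen by an attachment check like this one.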