And it’s working.
By Rick Richardson
Cybercriminals are experimenting with a new method of delivering dangerous payloads, using targeted phishing emails to infect users with malware.
According to a study by Proofpoint, digital OneNote notebooks (files with the “.one” extension) are increasingly being used by cyber-attackers to spread malware. OneNote is included in the Microsoft 365 office software bundle and is widely used.
OneNote documents have rarely been misused in this manner, according to cybersecurity professionals, and there is one clear reason attackers are experimenting with them: the files evade threat detection more readily than other attachments. And it appears to be effective.
According to statistics from open-source malware repositories, the initially observed attachments were not identified as malicious by several anti-virus engines. As a result, the original campaigns likely had a high success rate whenever the email itself was not blocked, according to Proofpoint.
Proofpoint expanded on the study findings: “Since Microsoft began blocking macros by default in 2022, threat actors have experimented with many new tactics, techniques, and procedures, including use of previously infrequently observed file types such as virtual hard disk (VHD), compiled HTML (CHM), and now OneNote (.one).”
The phishing emails attempt to deliver one of several malware payloads, including AsyncRAT, RedLine, AgentTesla, and DoubleBack, all of which are designed to steal sensitive information from victims, including usernames and passwords. The phishing emails were first sent in December 2022, with the number rising significantly in January 2023.
Researchers from Proofpoint also report that a cybercriminal group they track as TA577 has used OneNote in campaigns to distribute Qbot. TA577 operates as an initial access broker, selling stolen usernames and passwords to other cybercriminals, including ransomware gangs, rather than using the stolen data itself.
More than 60 of these campaigns have been found so far, and they share the same traits. Emails and file attachments are tied to topics such as invoicing, remittances, shipping and seasonal themes, for example details of a Christmas bonus.
For instance, attachment names in a phishing email addressed to targets in the manufacturing and industrial sectors included references to machine parts and specifications, showing that the lure had been extensively researched.
Other OneNote campaigns are somewhat broader, targeting thousands of potential victims at once. One used fake invoices to target the education sector, while another was more widely distributed and promised a Christmas bonus or gift to thousands of unsuspecting recipients.
In every case, the victim must open the email, open the OneNote attachment, and click the malicious link for the phishing attack to succeed. OneNote does display a warning about dangerous URLs; still, users who have received an email specifically tailored to appeal to them may choose to ignore it.
Researchers caution that additional cyber-threat groups will probably adopt this strategy to distribute phishing and malware campaigns, because these efforts are expected to succeed frequently whenever the emails are not blocked.
“Proofpoint has increasingly observed OneNote attachments being used to deliver malware. Based on our research, we believe multiple threat actors are using OneNote attachments to bypass threat detections,” said the researchers, who warn that this is “concerning” because, as demonstrated by TA577, this tactic can become an initial entry point for distributing ransomware, which could cripple an entire organization and its networks.
“This is a phishing technique that convinces a victim to open a document with an embedded malicious attachment and then bypass a security prompt to run the attachment. We encourage customers to practice good computing habits online, including exercising caution when clicking on links to webpages or opening unknown files,” a Microsoft spokesperson said.
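A defender-side check for the delivery mechanism described above, added here as an example and not taken from Proofpoint's or Microsoft's tooling: it walks a .one attachment for the embedded FileDataStoreObject blobs in which OneNote stores attached files and flags payload types a user could be prompted to run. The two GUIDs and the object layout come from Microsoft's MS-ONESTORE specification; the sample notebook bytes are constructed for the demonstration.

```python
import struct
import uuid

# From MS-ONESTORE: file-type GUID at offset 0 of a .one file, and the guidHeader
# that opens every embedded FileDataStoreObject (attached file).
ONE_FILE_GUID = uuid.UUID("{7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}").bytes_le
FDSO_HEADER_GUID = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le

RISKY_MAGIC = {  # leading bytes of payload types a user could be prompted to run
    b"MZ": "pe-executable",
    b"PK\x03\x04": "zip-container",
    b"<html": "html (likely .hta)",
    b"<script": "html-script",
    b"@echo": "batch-script",
}

def classify(payload: bytes) -> str:
    """Label a payload by its leading bytes; 'unknown' means no risky match."""
    head = payload[:16].lstrip().lower()
    for magic, label in RISKY_MAGIC.items():
        if head.startswith(magic.lower()):
            return label
    return "unknown"

def extract_embedded_files(data: bytes) -> list:
    """Walk a .one blob and return one record per FileDataStoreObject."""
    if not data.startswith(ONE_FILE_GUID):
        raise ValueError("not a OneNote .one file (header GUID mismatch)")
    records, pos = [], data.find(FDSO_HEADER_GUID)
    while pos != -1 and pos + 36 <= len(data):
        # After guidHeader (16): cbLength u64, unused u32, reserved u64, then FileData.
        (cb_length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + 36
        payload = data[start:start + cb_length]
        records.append({"offset": start, "size": len(payload), "kind": classify(payload)})
        pos = data.find(FDSO_HEADER_GUID, start + cb_length)
    return records

def scan(data: bytes) -> dict:
    """Mail-gateway style verdict: quarantine if any embedded file looks runnable."""
    records = extract_embedded_files(data)
    flagged = [r for r in records if r["kind"] != "unknown"]
    return {"embedded": len(records), "flagged": flagged, "verdict": "quarantine" if flagged else "allow"}

def build_sample() -> bytes:
    """Constructed fixture, not a real notebook: a PNG image plus an HTML stub."""
    def fdso(payload: bytes) -> bytes:
        return FDSO_HEADER_GUID + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload
    return (ONE_FILE_GUID + b"\x00" * 48 + fdso(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
            + b"\x00" * 8 + fdso(b"<html><script>// stub</script></html>"))
```

Run `scan(build_sample())` to see the second embedded object flagged as HTML and the attachment verdict set to quarantine; a notebook with no embedded files yields `allow`.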