Microsoft to boost protection against malicious OneNote documents
Microsoft has announced that, starting in April 2023, it will add enhanced protection when users open or download a file embedded in a OneNote document, a file type known to be abused in phishing campaigns.
“Users will receive a notification when the files seem dangerous to improve the file protection experience in OneNote on Windows,” the company said.
A popular technique for malware delivery
When Microsoft began blocking VBA macros by default in Office files downloaded from the internet last July, attackers switched to container formats (ISO, IMG, RAR, ZIP) to deliver LNKs, DLLs, or executables that install the malicious payload on the target’s computer.
The reason for the switch was that, at the time, files extracted from those containers did not trigger a security warning when victims opened them. Less common delivery techniques, such as HTML smuggling, also started gaining ground.
By the beginning of 2023, it had become obvious that attackers were also relying on trojanized OneNote documents to deliver a variety of malware.
➡️ Malspam mail being delivered with attached OneNote document
➡️ OneNote attachment contains a button that once clicked, executes an exported file located in: "C:\Users\user\AppData\Local\Temp\OneNote\16.0\Exported\{UUID}\NT\0" [1/3] — Perception Point Attack Trends (@AttackTrends) January 10, 2023
Usually the OneNote docs contain embedded files, often hidden behind a button graphic. When the user clicks the embedded file, they see a warning. If the user clicks continue, the file executes. The file might be different kinds of EXEs, LNKs, or script files such as HTA or WSF.
— Threat Insight (@threatinsight) February 1, 2023
What is Microsoft OneNote, and why do attackers love OneNote docs?
OneNote is note-taking software included in the Microsoft Office suite. It is designed to gather information in different formats: text, images, audio, and video clips.
Notebooks are often shared to support collaboration, so OneNote section files (with the .one extension) are routinely sent from one user to another over the internet or a network, and an e-mailed .one attachment does not look out of place.
“From what we have seen, any files can be easily embedded in OneNote. Together with tricky social engineering techniques, threat actors can successfully take control of a target’s system and steal sensitive data,” Trustwave SpiderLabs researcher Bernard Bautista recently noted.
“Furthermore, OneNote documents do not include ‘Protected View’ and Mark-of-the-Web (MOTW) protection increasing the risk of exposure to potentially malicious files and making it attractive to cybercriminals.”
Trustwave SpiderLabs researchers have documented several phishing and spear-phishing campaigns using trojanized OneNote documents to deliver malware families such as Qakbot, XWorm, IcedID, Formbook, and AsyncRAT.
The documents generally pose as inquiries, statements, and invoices; once opened, they ask the user to double-click a button to “view” the document. Underneath that button graphic sit embedded batch scripts or executables which, when run, download and quietly execute the malicious payload in the background.
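Because every file embedded in a .one document (the one behind the button in the tweet above, or the batch script and executable described here) is stored in the same on-disk structure, a defender can carve the embedded files out of an attachment and flag the risky ones before a user ever clicks. The following is an added example written for this page, not code from the article, Trustwave, or Microsoft. It assumes the FileDataStoreObject layout from Microsoft's MS-ONESTORE specification (a 16-byte header GUID, an 8-byte length, 12 bytes of unused/reserved fields, the file bytes, then a 16-byte footer GUID); the sample .one blob, the helper names, and the type heuristics are all constructed for the demonstration.

```python
"""Carve embedded files out of a OneNote .one section and flag risky ones.

Added example; the FileDataStoreObject layout follows MS-ONESTORE 2.6.13.
The sample input below is constructed, not a real malicious document.
"""
import struct
from dataclasses import dataclass

# FileDataStoreObject header/footer GUIDs (MS-ONESTORE), in on-disk
# little-endian byte order. Every file embedded in a .one document is wrapped
# in one of these objects, whatever the button on the page looks like.
FDSO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
FDSO_FOOTER = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")
# guidHeader(16) + cbLength(8) + unused(4) + reserved(8) precede the file bytes
FDSO_PREAMBLE = 16 + 8 + 4 + 8

# Kinds that should never be sitting behind a "click to view" button.
RISKY_KINDS = {"pe-executable", "lnk-shortcut", "hta/wsf-script", "batch-script"}


@dataclass
class EmbeddedFile:
    offset: int      # where the FileDataStoreObject starts in the .one file
    size: int        # number of payload bytes actually present
    kind: str        # heuristic type label from classify()
    footer_ok: bool  # False if the object is truncated or corrupt
    data: bytes      # the embedded file itself


def classify(payload: bytes) -> str:
    """Heuristic type guess from magic bytes or text content (constructed rules)."""
    if payload.startswith(b"MZ"):
        return "pe-executable"
    if payload.startswith(b"\x4c\x00\x00\x00\x01\x14\x02\x00"):  # ShellLink header
        return "lnk-shortcut"
    if payload.startswith(b"\x89PNG") or payload.startswith(b"\xff\xd8"):
        return "image"
    head = payload[:512].lower()
    if b"<hta:application" in head or b"<script" in head or b"<job" in head:
        return "hta/wsf-script"
    if b"@echo off" in head or b"cmd.exe" in head or b"cmd /c" in head or b"powershell" in head:
        return "batch-script"
    return "unknown"


def carve_embedded_files(data: bytes) -> list[EmbeddedFile]:
    """Scan a .one file for FileDataStoreObjects and return their payloads."""
    found: list[EmbeddedFile] = []
    pos = 0
    while (idx := data.find(FDSO_HEADER, pos)) != -1:
        pos = idx + len(FDSO_HEADER)
        if idx + FDSO_PREAMBLE > len(data):
            break  # header GUID found but no room for the length fields
        (cb_length,) = struct.unpack_from("<Q", data, idx + 16)
        start = idx + FDSO_PREAMBLE
        end = start + cb_length
        if end > len(data):
            # Declared length runs past EOF: keep what is there, mark it bad.
            payload, footer_ok = data[start:], False
        else:
            payload = data[start:end]
            footer_ok = data[end:end + 16] == FDSO_FOOTER
        found.append(EmbeddedFile(idx, len(payload), classify(payload), footer_ok, payload))
    return found


def triage(data: bytes) -> dict:
    """Gateway-style verdict: block if any embedded file is an executable or script."""
    files = carve_embedded_files(data)
    risky = [f.kind for f in files if f.kind in RISKY_KINDS]
    return {"embedded": len(files), "risky": risky, "block": bool(risky)}


def fdso(payload: bytes) -> bytes:
    """Wrap bytes in a FileDataStoreObject (used only to build the sample)."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload + FDSO_FOOTER


# Constructed stand-in for a trojanized invoice: a lure string, a PE stub and a
# batch script hidden behind a button, plus the button's PNG image itself.
SAMPLE_ONE = (
    bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")   # .one section file header GUID
    + b"\x00" * 64
    + b"Double-click the button below to view the invoice"
    + fdso(b"MZ\x90\x00" + b"\x00" * 60)
    + b"\x00" * 32
    + fdso(b"@echo off\r\nstart notepad.exe\r\n")
    + b"\x00" * 16
    + fdso(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
)

if __name__ == "__main__":
    for f in carve_embedded_files(SAMPLE_ONE):
        print(f"offset={f.offset:#x} size={f.size} kind={f.kind} footer_ok={f.footer_ok}")
    print(triage(SAMPLE_ONE))
```

Run against SAMPLE_ONE this reports three embedded objects (a PE stub, a batch script and the button image) and a block verdict driven by the first two. The same carving loop works on a real .one attachment read from disk; the type heuristics are deliberately simple and should be replaced by a proper file-type library and YARA rules in production, but the point stands that the embedded file is inspectable long before OneNote's own click-time warning appears.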
With Microsoft’s announced enhanced OneNote protection, the effectiveness of these campaigns may be considerably reduced, and attackers will once again be forced to find new ways to deliver malware. Until the change ships, blocking or quarantining .one attachments at the mail gateway remains the simplest mitigation for organizations that do not exchange OneNote files by e-mail.