Be cautious when you receive a message with a OneNote file attached. In some cases they have been misused to spread malware. It’s another way for criminals to access our data or finances. Let’s take a look at how it works and how to prevent the threat.

Cybersecurity firms are registering an increased number of phishing campaigns that use OneNote to spread malware.

OneNote: This is essentially a digital notebook for taking notes. The tool is part of the Microsoft 365 package. It allows, among other things, entire documents to be inserted as attachments, making it vulnerable to abuse.

How does it work?

  • The user receives an email with an attachment in the form of a Microsoft OneNote file. The file has a .one extension and can look like an order confirmation, invoice, tax documents, pickup documents, etc.
  • The text of the e-mail invites the user to open the file and check something in it or complete it, for example by adding an address so that the goods can be shipped. Of course, according to the sender, the matter is “urgent”.
  • When the victim opens the attachment, they see a document with blurred text. This is overlaid with the words “Double Click To View File”.
  • However, the file hides a number of attachments under the label, so wherever you click on the label, you are actually clicking on the malicious file to open it.
  • OneNote then shows a warning that the file type may be dangerous, but truth be told, not everyone reads it, let alone obeys it. Simply confirm that you really want to open the file, and this triggers the installation of the malicious program from a remote server onto your computer.
  • The goal of such an action may be to steal sensitive information and passwords, but the programs can also take screenshots or, in some cases, even record video via the webcam to spy on the computer owner. Owners of crypto-wallets are also at risk, as the wallets can be stolen in this way.

Did you know? So far, the most common malicious programs spread this way are AsyncRAT, Quasar RAT, Redline and Xworm.

What to do to defend yourself

Don’t click if you don’t know the sender or aren’t sure what’s going on. Also, don’t be shy about contacting your company IT person if in doubt.

It is also possible to block the download of .one files in the email application. Another available measure is to restrict opening any embedded files from OneNote, or to block selected extensions on embedded files. These settings can be configured in the Local Group Policy Editor.
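Beyond blocking at the policy level, a mail gateway or SOC can inspect a .one attachment directly and flag embedded executables before a user ever sees the “Double Click To View File” lure. The scanner below is an added example, not code from the original post: it walks a OneNote file for FileDataStoreObject records (the MS-ONESTORE structure that holds embedded attachments, assumed here to be a 16-byte header GUID, an 8-byte little-endian length, 12 bytes of unused/reserved fields, the file data, then a footer GUID) and classifies each payload by its leading bytes. The sample file is constructed inline and contains no real malware.

```python
import struct

# Constructed sample data and assumed MS-ONESTORE layout; not a real OneNote parser.
ONE_FILE_HEADER_GUID = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")  # .one file header
FILE_DATA_STORE_GUID = bytes.fromhex("e716e3bd66261145a4c48d4d0b7a9eac")  # embedded object header
FILE_DATA_STORE_FOOTER = bytes.fromhex("22a7fb71790f0b4abb138992564 26b24".replace(" ", ""))
DATA_OFFSET = 16 + 8 + 4 + 8  # guidHeader, cbLength, unused, reserved -> FileData starts here

RISKY_MAGIC = {b"MZ": "pe-executable", b"\x7fELF": "elf-executable", b"PK\x03\x04": "zip-archive"}


def classify(blob):
    """Label an embedded payload by magic bytes, with a light text heuristic for scripts."""
    for magic, label in RISKY_MAGIC.items():
        if blob.startswith(magic):
            return label
    head = blob[:512].lower()
    if b"<script" in head or b"<hta:application" in head:
        return "html-application"
    if head.startswith(b"@echo off") or b"wscript" in head or b"powershell" in head:
        return "script"
    return "other"


def is_onenote(data):
    return data.startswith(ONE_FILE_HEADER_GUID)


def extract_embedded(data):
    """Return (offset, length, label) for every embedded file object found in the blob."""
    found, pos = [], 0
    while (pos := data.find(FILE_DATA_STORE_GUID, pos)) >= 0:
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + DATA_OFFSET
        found.append((pos, length, classify(data[start:start + length])))
        pos = start + length
    return found


def risky_labels(data):
    """Labels a gateway would block on; 'other' covers benign notes, images, text."""
    return [label for _, _, label in extract_embedded(data) if label != "other"]


def build_sample():
    # Constructed .one-like file: header GUID, then three embedded objects.
    def obj(payload):
        return FILE_DATA_STORE_GUID + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload + FILE_DATA_STORE_FOOTER
    note = b"Order confirmation - please add the shipping address"
    fake_pe = b"MZ" + b"\x90" * 62          # only the DOS magic; not a runnable binary
    fake_bat = b"@echo off\r\necho constructed sample\r\n"
    return ONE_FILE_HEADER_GUID + b"\0" * 48 + obj(note) + obj(fake_pe) + obj(fake_bat)
```

Run against a real attachment with `extract_embedded(open(path, "rb").read())`; any `risky_labels` hit is a reason to quarantine the message rather than rely on the user reading the OneNote warning dialog.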

Why OneNote

The increase in campaigns using OneNote is probably a result of Microsoft disabling the use of macros in the basic settings of Word and Excel last July. Until then, this was a pretty common way for hackers to get to their victims. And as you can see, they immediately found a new way, unfortunately.

OneNote isn’t the only one, however. In addition to it, other file types are more often at risk these days:

  • ISO disk image
  • password-protected ZIP files

Their use is likely to drop a bit after Microsoft patched a hole that allowed these file types to bypass security warnings. While users often ignore such warnings, they still deter a certain proportion from clicking through, so the effectiveness of these fraudulent campaigns is lower.

And how do you have your company’s cybersecurity setup? If you’re not sure, we’ll do an audit and help you improve your defenses against cyberattacks. Let us know.