Malware News Beware: Hackers now use OneNote attachments to spread malware


Level 69
Thread author
Honorary Member
Top Poster
Content Creator
Apr 24, 2016
Threat actors now use OneNote attachments in phishing emails that infect victims with remote access malware which can be used to install further malware, steal passwords, or even cryptocurrency wallets.

This comes after attackers have been distributing malware in emails using malicious Word and Excel attachments that launch macros to download and install malware for years.

However, in July, Microsoft finally disabled macros by default in Office documents, making this method unreliable for distributing malware.

Soon after, threat actors began utilizing new file formats, such as ISO images and password-protected ZIP files. These file formats soon became extremely common, aided by a Windows bug allowing ISOs to bypass security warnings and the popular 7-Zip archive utility not propagating mark-of-the-web flags to files extracted from ZIP archives.

However, both 7-Zip and Windows recently fixed these bugs, causing Windows to display scary security warnings when a user attempts to open files in downloaded ISO and ZIP files.

Not to be deterred, threat actors quickly switched to using a new file format in their malicious spam (malspam) attachments: Microsoft OneNote attachments.

Protecting against these threats

Once installed, this type of malware allows threat actors to remotely access a victim’s device to steal files, saved browser passwords, take screenshots, and in some cases, even record video using webcams.

Threat actors also commonly use remote access trojans to steal cryptocurrency wallets from victims' devices, making this a costly infection.

The best way to protect yourself from malicious attachments is to simply not open files from people you do not know. However, if you mistakenly open a file, do not disregard warnings displayed by the operating system or application.

If you see a warning that opening an attachment or link could harm your computer or files, simply do not press OK and close the application.

If you feel it may be a legitimate email, share it with a security or Windows admin to help you verify if the file is safe.
First noticed by @upnorth:
@NoVirusThanks has a post on it


Level 44
Top Poster
Mar 16, 2019
I saw this more than a week ago on Twitter. I was thinking to myself, why now? I started to use OneNote last month after having multiple syncing issues with Sticky Notes (which Microsoft has already abandoned).
Have to be careful with opening this kind of attachment.


Level 16
Top Poster
May 4, 2019

How to prevent Microsoft OneNote files from infecting Windows with malware

The seemingly innocuous Microsoft OneNote file has become a popular file format used by hackers to spread malware and breach corporate networks. Here's how to block malicious OneNote phishing attachments from infecting Windows.
To give a little background on how we got to Microsoft OneNote files becoming the tool of choice for malware-distributing phishing attacks, we first need to explain how we got here.
Threat actors have been abusing macros in Microsoft Word and Excel documents for years to download and install malware on Windows devices.
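
As an added example (not part of the thread or the quoted articles), here is one way a mail filter could flag OneNote attachments like those described above, including ones renamed to another extension. It assumes the 16-byte file-type GUID that the MS-ONESTORE specification gives for .one section files; the verdict labels and the sample message are constructed for illustration.

```python
import email
import uuid
from email import policy
from email.message import EmailMessage

# File-type GUID at offset 0 of a .one section file (per MS-ONESTORE).
# GUIDs are stored little-endian on disk, hence bytes_le.
ONE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le


def scan_message(raw: bytes):
    """Return (filename, verdict) for every OneNote-looking MIME part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():          # walk() also reaches nested parts
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        by_content = data.startswith(ONE_MAGIC)
        by_name = name.lower().endswith(".one")
        if by_content and by_name:
            findings.append((name, "onenote"))
        elif by_content:
            # Header says OneNote, extension says something else
            findings.append((name, "onenote-disguised"))
        elif by_name:
            findings.append((name, "one-extension-only"))
    return findings


def build_sample() -> bytes:
    """Constructed test message: two OneNote-like parts, one benign part."""
    msg = EmailMessage()
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    fake_one = ONE_MAGIC + b"\x00" * 64   # header only, not a real notebook
    msg.add_attachment(fake_one, maintype="application",
                       subtype="octet-stream", filename="Invoice.one")
    msg.add_attachment(fake_one, maintype="application",
                       subtype="octet-stream", filename="scan.pdf")
    msg.add_attachment("plain text", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{name}: {verdict}")
```

Checking the header bytes as well as the file name matters because an extension-only rule misses a OneNote file that has simply been renamed.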
