Beware: Hackers now use OneNote attachments to spread malware

Gandalf_The_Grey

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,592
Content source
https://www.bleepingcomputer.com/news/security/beware-hackers-now-use-onenote-attachments-to-spread-malware/
Threat actors now use OneNote attachments in phishing emails that infect victims with remote access malware which can be used to install further malware, steal passwords, or even cryptocurrency wallets.

This comes after attackers have been distributing malware in emails using malicious Word and Excel attachments that launch macros to download and install malware for years.

However, in July, Microsoft finally disabled macros by default in Office documents, making this method unreliable for distributing malware.

Soon after, threat actors began utilizing new file formats, such as ISO images and password-protected ZIP files. These file formats soon became extremely common, aided by a Windows bug allowing ISOs to bypass security warnings and the popular 7-Zip archive utility not propagating mark-of-the-web flags to files extracted from ZIP archives.

However, both 7-Zip and Windows recently fixed these bugs causing Windows to display scary security warnings when a user attempts to open files in downloaded ISO and ZIP files.

Not to be deterred, threat actors quickly switched to using a new file format in their malicious spam (malspam) attachments: Microsoft OneNote attachments.
Click to expand...
Protecting against these threats

Once installed, this type of malware allows threat actors to remotely access a victim’s device to steal files, saved browser passwords, take screenshots, and in some cases, even record video using webcams.

Threat actors also commonly use remote access trojans to steal cryptocurrency wallets from victims' devices, making this a costly infection.

The best way to protect yourself from malicious attachments is to simply not open files from people you do not know. However, if you mistakenly open a file, do not disregard warnings displayed by the operating system or application.

If you see a warning that opening an attachment or link could harm your computer or files, simply do not press OK and close the application.

If you feel it may be a legitimate email, share it with a security or Windows admin to help you verify if the file is safe.
Click to expand...
www.bleepingcomputer.com

Hackers now use Microsoft OneNote attachments to spread malware

Threat actors now use OneNote attachments in phishing emails that infect victims with remote access malware which can be used to install further malware, steal passwords, or even cryptocurrency wallets.
www.bleepingcomputer.com www.bleepingcomputer.com
First noticed by @upnorth :
@NoVirusThanks has a post on it
malwaretips.com

Update - Microsoft OneNote (.One File Extension) Attachment Delivers AsyncRAT

Users reported some malicious Microsoft OneNote documents in the past days that lead to AsyncRAT, a remote administration tool used to control and monitor other computers. While it is common to see Microsoft Word, Excel and PowerPoint maldocs distributed via emails, OneNote maldocs are something...
malwaretips.com malwaretips.com
 
  • Like
  • +Reputation
  • Wow
Reactions: Jonny Quest, brambedkar59, Trident and 10 others
[correlate]

[correlate]

Level 18
Top Poster
Well-known
May 4, 2019
801

How to prevent Microsoft OneNote files from infecting Windows with malware​

The seemingly innocuous Microsoft OneNote file has become a popular file format used by hackers to spread malware and breach corporate networks. Here's how to block malicious OneNote phishing attachments from infecting Windows.
To give a little background on how we got to Microsoft OneNote files becoming the tool of choice for malware-distributing phishing attacks, we first need to explain how we got here.
Threat actors have been abusing macros in Microsoft Word and Excel documents for years to download and install malware on Windows devices.
Click to expand...
www.bleepingcomputer.com

How to prevent Microsoft OneNote files from infecting Windows with malware

The seemingly innocuous Microsoft OneNote file has become a popular file format used by hackers to spread malware and breach corporate networks. Here's how to block malicious OneNote phishing attachments from infecting Windows.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
  • +Reputation
Reactions: Trident, Nevi, Andy Ful and 3 others
Gandalf_The_Grey

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,592
Microsoft OneNote will block 120 dangerous file extensions
Microsoft has shared more information on what malicious embedded files OneNote will soon block to defend users against ongoing phishing attacks pushing malware.

The company first revealed that OneNote will get enhanced security in a Microsoft 365 roadmap entry published three weeks ago, on March 10, following recent and ongoing waves of phishing attacks pushing malware.

Threat actors have been using OneNote documents in spear phishing campaigns since mid-December 2022 after Microsoft patched a MoTW bypass zero-day exploited to drop malware via ISO and ZIP files and finally disabled Word and Excel macros by default.

Threat actors create malicious Microsoft OneNote documents by embedding dangerous files and scripts and then hiding them with design elements.

Today, the company shared more details regarding what specific file extensions will be blocked once the new OneNote security improvements roll out.

Microsoft says it will align the files considered dangerous and blocked in OneNote with those blocked by Outlook, Word, Excel, and PowerPoint.

The complete list includes 120 extensions according to this Microsoft 365 support document:

.ade, .adp, .app, .application, .appref-ms, .asp, .aspx, .asx, .bas, .bat, .bgi, .cab, .cer, .chm, .cmd, .cnt, .com, .cpl, .crt, .csh, .der, .diagcab, .exe, .fxp, .gadget, .grp, .hlp, .hpj, .hta, .htc, .inf, .ins, .iso, .isp, .its, .jar, .jnlp, .js, .jse, .ksh, .lnk, .mad, .maf, .mag, .mam, .maq, .mar, .mas, .mat, .mau, .mav, .maw, .mcf, .mda, .mdb, .mde, .mdt, .mdw, .mdz, .msc, .msh, .msh1, .msh2, .mshxml, .msh1xml, .msh2xml, .msi, .msp, .mst, .msu, .ops, .osd, .pcd, .pif, .pl, .plg, .prf, .prg, .printerexport, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .psd1, .psdm1, .pst, .py, .pyc, .pyo, .pyw, .pyz, .pyzw, .reg, .scf, .scr, .sct, .shb, .shs, .theme, .tmp, .url, .vb, .vbe, .vbp, .vbs, .vhd, .vhdx, .vsmacros, .vsw, .webpnp, .website, .ws, .wsc, .wsf, .wsh, .xbap, .xll, .xnk

While previously, OneNote warned users that opening attachments could harm their data but still allowed them to open the embedded files tagged as dangerous, after the security improvement rolls out, users will no longer have the choice to open files with dangerous extensions.

Users will be shown a warning dialog when a file gets blocked, saying, "Your administrator has blocked your ability to open this file type in OneNote."

Microsoft says the change will begin rolling out in Version 2304 in Current Channel (Preview) to OneNote for Microsoft 365 on Windows devices between late April 2023 and late May 2023.

The security improvement will also be available in retail versions of Office 2021, Office 2019, and Office 2016 (Current Channel) but not in volume-licensed versions of Office, like Office Standard 2019 or Office LTSC Professional Plus 2021.

However, it will not be available in OneNote on the web, OneNote for Windows 10, OneNote on a Mac, or OneNote on Android or iOS devices.
Click to expand...
www.bleepingcomputer.com

Microsoft OneNote will block 120 dangerous file extensions

Microsoft has shared more information on what types of malicious embedded files OneNote will soon block to defend users against ongoing phishing attacks pushing malware.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
  • +Reputation
  • Applause
Reactions: SeriousHoax, [correlate], upnorth and 5 others
spiritedawaymadmax

spiritedawaymadmax

Level 1
Nov 1, 2022
28
It's great to hear that Microsoft keeps on upping its game and consistently shrinking the vacant corners for malicious play, but still - if people are not extra careful, cybercrime will keep on thriving. Plus, these actors know how to target the most vulnerable demographics - pre-teens with laptops and iPods and the elderly who barely know how trojans work...
 
  • Like
Reactions: Jonny Quest, SeriousHoax, [correlate] and 1 other person
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
    • Wow
    • +Reputation
Emotet malware now distributed in Microsoft OneNote files to evade defenses
Replies
15
Views
1,227
News Archive
ForgottenSeer 98186
F
silversurfer
    • Like
    • +Reputation
Post-Macro World Sees Rise in Microsoft OneNote Documents Delivering Malware
Replies
1
Views
594
News Archive
Gandalf_The_Grey
Gandalf_The_Grey
vtqhtr413
    • +Reputation
    • Like
Stealthy Malware Spreading Remcos RAT and Formbook in Europe
Replies
0
Views
906
News Archive
vtqhtr413
vtqhtr413

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top