Microsoft OneNote Used To Sidestep Phishing Detection

Gandalf_The_Grey

Apr 24, 2016
A recent phishing campaign used OneNote to distribute the Agent Tesla keylogger.
A phishing campaign was recently discovered leveraging OneNote, Microsoft’s digital notebook that automatically saves and syncs notes, to bypass detection tools and download malware onto victims’ systems.
The attacker was utilizing OneNote as a way to easily experiment with various lures that either delivered the credential-stealing Agent Tesla keylogger or linked to a phishing page – or both. The attack first started with an email to victims that contained a link to the OneNote document.
“Thanks to the ease of use and accessibility of OneNote, the threat actor was able to update a ‘phishing notebook’ multiple times a day, experiment with various intrusion methods, and improve the odds to successfully evade email security controls,” said researchers with Cofense in a Tuesday analysis. “Numerous Agent Tesla Keylogger payloads as well as links to different credential phishing websites were included in the campaign.”
The threat actor first sent an email to companies purporting to be a marketing manager sending an order invoice (Cofense did not list the scope of targets or how effective the campaign has been thus far). The link to the order request invoice was actually a tiny[.]cc link, which eventually brought victims to a OneNote document. Over the span of two weeks, researchers said that threat actors swapped out the layout of this OneNote page, cycling between four different templates to deliver a credential phishing portal and unique malware samples.

Read the rest here:

Warning:
Beyond OneNote being hosted on OneDrive, cybercriminals can – and have been found to – leverage a wide array of trusted cloud hosting sources for credential phishing, including documents hosted on Microsoft Sway, Microsoft SharePoint, Google Docs or even Zoho Docs (offered up by CRM software and free mail provider Zoho).
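The chain the article describes (lure email, shortener link, document on a trusted cloud host, then phishing page or payload) is easy to miss with a reputation-only check, because every host in the chain is legitimate. The script below is an added example, not code from the article, Cofense or the forum poster: it extracts URLs from an email body, refangs defanged IOC notation, follows one shortener hop through a caller-supplied resolver, and flags links that land on the cloud document hosts the warning lists. The hostnames, the sample email, the redirect mapping and the function names are this example's assumptions; only tiny.cc and the named services come from the article.

```python
import re
from urllib.parse import urlparse

# Trusted cloud document hosts the article names as abused for credential
# phishing. The concrete hostnames are this example's assumption, not the article's.
CLOUD_DOC_HOSTS = {
    "onedrive.live.com": "OneDrive (OneNote)",
    "1drv.ms": "OneDrive (OneNote)",
    "sway.office.com": "Microsoft Sway",
    "docs.google.com": "Google Docs",
    "docs.zoho.com": "Zoho Docs",
}
# Tenant-specific hosts are matched by suffix.
CLOUD_DOC_SUFFIXES = {
    "sharepoint.com": "Microsoft SharePoint",
    "onenote.com": "OneNote",
}
# URL shorteners: tiny.cc is the one the campaign used; the rest are assumptions.
SHORTENERS = {"tiny.cc", "bit.ly", "tinyurl.com", "t.co"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo the defanging analysts use when sharing IOCs (hxxp, [.])."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def classify_url(url: str):
    """Return (kind, label); kind is 'shortener', 'cloud_doc' or 'other'."""
    host = (urlparse(url).hostname or "").lower()
    if host in SHORTENERS:
        return "shortener", host
    if host in CLOUD_DOC_HOSTS:
        return "cloud_doc", CLOUD_DOC_HOSTS[host]
    for suffix, label in CLOUD_DOC_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return "cloud_doc", label
    return "other", host


def triage_email(body: str, resolve=None):
    """Extract every URL, follow one shortener hop via the caller's resolver
    (keeps the network call out of this module), and classify the endpoint."""
    findings = []
    for url in URL_RE.findall(refang(body)):
        url = url.rstrip(".,;:)")
        chain = [url]
        kind, label = classify_url(url)
        if kind == "shortener" and resolve is not None:
            target = resolve(url)
            if target:
                chain.append(target)
                kind, label = classify_url(target)
        findings.append({"chain": chain, "kind": kind, "label": label})
    return findings


def verdict(findings) -> str:
    """'suspicious' when a shortener redirects to a trusted cloud document,
    'review' for a direct cloud document link, 'clean' otherwise."""
    result = "clean"
    for f in findings:
        if f["kind"] != "cloud_doc":
            continue
        if len(f["chain"]) > 1:
            return "suspicious"
        result = "review"
    return result


# Constructed sample: an "order invoice" lure carrying a defanged tiny.cc link.
SAMPLE_EMAIL = """From: "Marketing Manager" <marketing@example-supplier.test>
Subject: Order Invoice #48213

Please review the order invoice at the link below:
hxxps://tiny[.]cc/example-invoice
Regards
"""

# Offline stand-in for a redirect resolver. A real one would issue a HEAD
# request from a sandboxed host and return the final Location; this mapping
# is made up for the example.
FAKE_REDIRECTS = {
    "https://tiny.cc/example-invoice": "https://onedrive.live.com/view.aspx?resid=EXAMPLE",
}


def fake_resolver(url: str):
    return FAKE_REDIRECTS.get(url)


if __name__ == "__main__":
    results = triage_email(SAMPLE_EMAIL, fake_resolver)
    for f in results:
        print(" -> ".join(f["chain"]), f["kind"], f["label"])
    print(verdict(results))
```

The resolver is injected rather than built in so the script can run against mail logs offline and so the redirect follow happens from a sandbox, not the analyst's workstation; the OneNote page itself can be swapped out several times a day, as the article notes, so the verdict should key on the chain shape rather than on a snapshot of the page.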
