Attackers increasingly use Microsoft’s OneNote to deliver QakBot malware

Security researchers are sounding an alarm warning of a growing number of malware campaigns abusing Microsoft’s digital note-taking app OneNote.

The uptick in attacks has been reported despite the software giant blocking macros by default in the app last year.

Proofpoint researchers said they began seeing an increase in OneNote documents delivering malware via email in December and January, using the “.one” extension as attachments and URLs.

Proofpoint reported observing six campaigns delivering the AsyncRAT malware via a OneNote attachment, according to research published on Feb. 1. In January, the number of threat campaigns using OneNote jumped to over 50, delivering various malware payloads.

The Proofpoint folks then noted that the cybercrime threat actor TA577 began using OneNote files to deliver the QakBot malware to unsuspecting users at the end of January. TA577 has been tracked by Proofpoint since 2020 as an adversary targeting various geographies and industries with Microsoft attachments.

The Proofpoint researchers said the use of OneNote was “unusual” and believed attackers were experimenting with Microsoft’s digital notebook as they sought different attachment types to bypass threat detection. However, they noted in their conclusion that “TA577’s adoption of OneNote suggests other more sophisticated actors will begin using this technique soon.”

Days later, a principal researcher at SophosLabs said the adoption of OneNote as a threat vector by the QakBot malware group signals “a much more automated, streamlined fashion” as opposed to the small-scale malware attacks that were initially observed.

Calling the attack “QakNote,” Sophos researcher Andrew Brandt said in a Feb. 6 post that two parallel spam campaigns were observed beginning Jan. 31. The first campaign uses malicious email links to prompt the recipient to download a weaponized “.one” file, while the other uses “message thread injections” as a reply-to-all with a malicious OneNote notebook attached.

Interestingly, only browsers transmitting a Windows computer’s User-Agent string in the request received the weaponized OneNote attachment, while Mac/iOS, Linux and Android devices received a 404 from the server hosting the malicious file.

In observations by both Proofpoint and Sophos researchers, the OneNote attachments often contain files hidden behind a graphic made to look like a button, and double-clicking the graphic executes the malicious file.
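The lure described above works because a .one notebook can carry arbitrary embedded files alongside the image that covers them. A defender can triage such attachments without opening them in OneNote by walking the file's embedded-file objects. The scanner below is an added example, not code from the article or from Proofpoint or Sophos. It relies on two facts from Microsoft's public MS-ONESTORE specification: embedded files are stored as FileDataStoreObject structures that start with the GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}, followed by an 8-byte little-endian length, 4 unused bytes and 8 reserved bytes before the file data. The magic-byte signature list and the sample notebook (a PNG "button" followed by a harmless placeholder script) are constructed for this example.

```python
"""Triage a OneNote (.one) byte stream by enumerating its embedded files.

Added defensive example; not from the article, Proofpoint or Sophos.
Layout facts come from Microsoft's MS-ONESTORE specification
(FileDataStoreObject); the signature list and sample data are constructed.
"""
import struct
import uuid

# guidHeader of a FileDataStoreObject, serialized as it appears on disk
# (mixed-endian GUID layout, hence bytes_le).
FILE_DATA_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
# guidHeader(16) + cbLength(8) + unused(4) + reserved(8) precede the file data.
FILE_DATA_PREAMBLE = 16 + 8 + 4 + 8

# Minimal, constructed magic-byte list used to label an embedded payload.
SIGNATURES = [
    (b"MZ", "pe-executable"),
    (b"<", "markup-or-hta"),      # .hta/.wsf lures are markup; '<' is enough here
    (b"%PDF", "pdf"),
    (b"\x89PNG", "png-image"),
]
# Labels that should never be sitting inside a notebook that arrived by email.
RISKY = {"pe-executable", "markup-or-hta", "text-script"}


def classify(payload: bytes) -> str:
    """Label a payload by its leading bytes; plain text is treated as a script."""
    head = payload.lstrip()[:32]
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    if head and all(32 <= b < 127 or b in (9, 10, 13) for b in head):
        return "text-script"
    return "unknown"


def extract_embedded_files(data: bytes) -> list:
    """Return one record per FileDataStoreObject found in the buffer."""
    found = []
    pos = data.find(FILE_DATA_HEADER)
    while pos != -1:
        length_off = pos + 16
        if length_off + 8 > len(data):
            break
        (cb_length,) = struct.unpack_from("<Q", data, length_off)
        start = pos + FILE_DATA_PREAMBLE
        end = start + cb_length
        # A declared length that overruns the buffer means a truncated or
        # malformed object: record it instead of trusting the size field.
        truncated = end > len(data)
        payload = data[start:min(end, len(data))]
        found.append({
            "offset": pos,
            "size": cb_length,
            "truncated": truncated,
            "label": classify(payload),
        })
        pos = data.find(FILE_DATA_HEADER, start if truncated else end)
    return found


def assess(data: bytes) -> dict:
    """Summarize a notebook: how many embedded files, how many are risky, verdict."""
    objs = extract_embedded_files(data)
    risky = [o for o in objs if o["label"] in RISKY or o["truncated"]]
    return {
        "embedded": len(objs),
        "risky": len(risky),
        "verdict": "suspicious" if risky else "clean",
    }


def build_file_object(payload: bytes) -> bytes:
    """Serialize one FileDataStoreObject (header GUID, length, unused, reserved, data)."""
    return (FILE_DATA_HEADER + struct.pack("<Q", len(payload))
            + b"\0" * 4 + b"\0" * 8 + payload)


# Constructed sample: a PNG "button" graphic followed by a placeholder script,
# mirroring the lure layout the article describes. Not a real malware sample.
BUTTON_PNG = b"\x89PNG\r\n\x1a\n" + b"\0" * 24
PLACEHOLDER_SCRIPT = b"<script>// constructed placeholder, no payload</script>"
SAMPLE_NOTEBOOK = (b"notebook-bytes" + build_file_object(BUTTON_PNG)
                   + b"\0" * 8 + build_file_object(PLACEHOLDER_SCRIPT))

if __name__ == "__main__":
    for rec in extract_embedded_files(SAMPLE_NOTEBOOK):
        print(rec)
    print(assess(SAMPLE_NOTEBOOK))
```

Run it over a mail gateway's quarantined .one attachments rather than the whole file share: the cost is one linear scan per file, and the useful signal is not "this notebook has embedded files" but "this notebook that arrived from outside has a script or executable inside it", which is exactly what the button-and-hidden-file lure produces.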

Proofpoint researchers said the attachments were not detected as malicious by multiple anti-virus engines and recommended that organizations educate their personnel about the OneNote abuse.

Proofpoint posted indicators of compromise in its Feb. 1 blog, while IOCs can be found on the SophosLabs GitHub.
