Microsoft OneNote attachments are being used to spread malware

Double-clicking the file downloads dangerous trojans


Hackers have discovered a new way to bypass the macro block in Microsoft Office files and still deliver malware to unsuspecting victims through the company’s suite of online collaboration apps.

Security experts at BleepingComputer found freshly distributed phishing emails equipped with OneNote attachments.

OneNote is a digital notetaking app, which people can use to create a sharable content library. It comes as part of the wider Microsoft Office suite, meaning if people have this installed, they can open OneNote files, too. While OneNote’s files, called NoteBooks, don’t support macros, they do support attachments, and that’s what the crooks are now leveraging.


Malicious VBS files

The phishing emails themselves are nothing out of the ordinary - they include fake DHL parcel notifications, fake invoices, fake shipping notifications, ACH remittance forms, and such. Instead of carrying a Word or Excel file attached, they carry a OneNote file which, if opened, seems to be blurred out, with a huge button in the middle saying “Double Click to View File”.

Double-clicking, however, runs the attachment which, in this case, is a malicious VBS file.

This file then initiates communication with the command & control (C2) server and downloads the malware.

BleepingComputer obtained a couple of these emails and determined that multiple remote access trojans and infostealers are being circulated, including the AsyncRAT and XWorm remote access trojans, as well as the Quasar Remote Access trojan.
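The delivery chain described above can be checked for at the mail gateway. The following Python example is added here and is not part of the original article: it flags OneNote attachments in a message and counts the files embedded in them. The GUIDs and record layout are taken from Microsoft's [MS-ONESTORE] specification; the function names and the sample message are constructed for illustration.

```python
import struct
import uuid
from email import message_from_bytes, policy
from email.message import EmailMessage

# GUIDs from Microsoft's [MS-ONESTORE] specification, in on-disk byte order.
ONE_FILE_MAGIC = uuid.UUID("7b5c52e4-d88c-4da7-aeb1-5378d02996d3").bytes_le
EMBEDDED_HEADER = uuid.UUID("bde316e7-2665-4511-a4c4-8d4d0b7a9eac").bytes_le

def embedded_files(data: bytes):
    """Yield the bytes of each FileDataStoreObject (embedded file) in a .one file."""
    pos = data.find(EMBEDDED_HEADER)
    while pos != -1 and pos + 36 <= len(data):
        # Record layout: 16-byte GUID, 8-byte length, 4 unused, 8 reserved, data.
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + 36
        if start + length <= len(data):  # ignore truncated or bogus records
            yield data[start:start + length]
        pos = data.find(EMBEDDED_HEADER, pos + 16)

def triage(raw_email: bytes):
    """Return (filename, embedded_file_count) for each OneNote attachment."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        body = part.get_payload(decode=True) or b""
        # Match on content as well as extension, so a renamed file is still caught.
        if body.startswith(ONE_FILE_MAGIC) or name.lower().endswith(".one"):
            findings.append((name, len(list(embedded_files(body)))))
    return findings

def build_sample(filename: str = "invoice.one") -> bytes:
    """Constructed test message: a minimal fake .one file with one inert blob."""
    blob = b"inert placeholder, not a script"
    one = (ONE_FILE_MAGIC + b"\x00" * 32 + EMBEDDED_HEADER
           + struct.pack("<Q", len(blob)) + b"\x00" * 12 + blob)
    msg = EmailMessage()
    msg["Subject"] = "Shipping notification (constructed sample)"
    msg.set_content("See attached.")
    msg.add_attachment(one, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, count in triage(build_sample()):
        print(f"quarantine candidate: {name} ({count} embedded file(s))")
```

An inbound OneNote attachment with a non-zero embedded count is a reasonable quarantine signal, since the lure depends on a file attached inside the notebook.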


The best way to protect against these attacks is the same as it always was - educate your employees not to download attachments and click on email links from people they don’t know, don’t trust, or whose identity cannot be confirmed. Also, they should be educated not to ignore warning messages prompted in programs such as Word, Excel, or OneNote. Other than that, having a strong antivirus solution, and a firewall, is welcome.

Finally, activating multi-factor authentication (MFA) wherever possible greatly reduces the chances of more serious compromise.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
