Microsoft’s OneNote, a note-taking app that’s part of the Office 365 productivity suite, is garnering more and more attention, for all the wrong reasons.
This follows another report from cybersecurity researchers describing how more and more threat actors are starting to use the application to deliver malware to unsuspecting victims.
This time, Zscaler researchers released a report describing OneNote as a “growing threat” for the spread of malware.
Fake invoices and orders
The delivery method is similar to that of Office files with macros. The attackers would generate a OneNote file called a NoteBook and design it to look like an important document, such as an invoice or something similar. In the file, they would place a malicious attachment capable of downloading and executing malware from a remote server. They then blurred out the contents of the file and overlaid it with a button that read “Click here to view” or a similar call-to-action.
Clicking the button launches the attachment and runs the malware.
The file is then distributed in the usual way – via email. Hundreds of thousands of phishing emails are sent out daily, targeting corporate endpoints, PCs and other devices containing sensitive customer and personal data.
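For defenders screening mail attachments, the embedded-attachment trick described above can be checked for directly. The following is an added example, not code from the Zscaler report or this article: it walks a `.one` file for embedded file objects and flags payloads that do not belong in an invoice. The two GUID byte strings come from Microsoft's published OneNote file format; the script markers, helper names and sample bytes are constructed for illustration.

```python
import struct

# File-format GUIDs as they appear on disk (MS-ONESTORE).
ONE_HEADER = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")   # start of a .one file
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")  # embedded file object

RISKY_MAGIC = {
    b"MZ": "Windows executable",
    b"L\x00\x00\x00\x01\x14\x02\x00": "Windows shortcut (.lnk)",
}
# Heuristic markers chosen for this example, not an exhaustive list.
SCRIPT_MARKERS = (b"@echo off", b"wscript.", b"powershell", b"<script")

def embedded_files(data):
    """Yield (offset, payload) for every embedded file object in the blob."""
    pos = data.find(FDSO_HEADER)
    while pos != -1 and pos + 36 <= len(data):
        # After the 16-byte GUID: cbLength (8 bytes), unused (4), reserved (8).
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        yield pos, data[pos + 36:pos + 36 + size]  # slicing tolerates a bogus length
        pos = data.find(FDSO_HEADER, pos + 16)

def classify(payload):
    """Return a label for payload types that have no place in an invoice."""
    for magic, label in RISKY_MAGIC.items():
        if payload.startswith(magic):
            return label
    head = payload[:4096].replace(b"\x00", b"").lower()  # also catches UTF-16 text
    return "script" if any(m in head for m in SCRIPT_MARKERS) else None

def triage(data):
    """Return [(offset, size, label)] for risky embedded files, None if not OneNote."""
    if not data.startswith(ONE_HEADER):
        return None
    return [(off, len(p), label) for off, p in embedded_files(data)
            if (label := classify(p))]

def fdso_blob(payload):
    """Build a minimal embedded-file record (constructed test data, no footer)."""
    return FDSO_HEADER + struct.pack("<QI8x", len(payload), 0) + payload

# Constructed sample: a picture (expected in a notebook) and a batch script.
SAMPLE = (ONE_HEADER + b"\x00" * 64
          + fdso_blob(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
          + fdso_blob(b"@echo off\r\necho constructed test payload\r\n"))

if __name__ == "__main__":
    for off, size, label in triage(SAMPLE):
        print(f"offset {off}: {size}-byte {label}")
```

Embedded pictures are normal in a notebook, so only executable, shortcut and script payloads are reported; a hit is a reason to quarantine the message for review, not proof of malice.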
Last summer, Microsoft finally blocked Office programs from running macros in files downloaded from the Internet. In doing so, the company effectively ended one of the most popular attack vectors among the cybercriminal community. Since then, hackers have been hard at work looking for alternative ways to deliver malware. Two methods stood out: sending an ISO file (a type of archive file that allows hackers to bypass email and anti-virus protection) and sending Notebook files.
To protect against these kinds of attacks, cybersecurity researchers usually recommend common sense: don’t download email attachments or click on links in emails whose content, sender’s address, or subject line sound even remotely suspicious.