Microsoft OneNote is a free digital notebook application that is included in the Microsoft Office suite. Threat actors are now using OneNote attachments to distribute malware. Users need to be aware of the threat and how it’s orchestrated to prevent threat actors from installing malware, gaining access to files and passwords, and even recording video using webcams. We recommend that you refrain from opening attachments from individuals you do not know.
How it Works
The attachments arrive by email as .ONE files, often inside zip files or behind links, and sometimes attached directly to the email. In November 2021 and February 2022, Microsoft announced that by default it would block Excel 4 and VBA macros in files that were downloaded from the Internet. Hackers have moved away from malware in Word and Excel documents due to these changes. .ONE variations include .ONEPKG, .ONEBIN, and .ONECACHE files, which should be avoided if you do not know exactly where they are from. We suggest not opening any .ONE files and asking senders to send the information in a different format.
94% of the malware is delivered by email. -Verizon
The OneNote phishing emails often include fake invoices, delivery notices or notifications that appear to come from legitimate companies, service providers, institutions or authorities. Such emails have blurred-out images with text stating ‘Double Click to View’ or ‘Click to View Document.’ Once a file is downloaded, it runs a malicious script that initiates communication with a remote server to install malware.
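One way a mail administrator could screen inbound messages for the file types listed above, including ones wrapped in a zip file, is sketched here. This is an added example, not part of the original advisory; the function names and the sample messages are constructed for illustration, and matching is by file extension only.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the advisory above.
ONENOTE_EXTS = (".one", ".onepkg", ".onebin", ".onecache")

def is_onenote(name):
    return name.lower().endswith(ONENOTE_EXTS)

def find_onenote_attachments(raw_eml):
    """Return OneNote files attached directly or inside zip attachments.

    A zip attachment that cannot be read is reported too, for manual review.
    """
    msg = message_from_bytes(raw_eml, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_onenote(name):
            hits.append(name)
        elif name.lower().endswith(".zip"):
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    hits += [f"{name}!{m}" for m in zf.namelist() if is_onenote(m)]
            except zipfile.BadZipFile:
                hits.append(f"{name}!<unreadable zip>")
    return hits

def build_sample(filename, payload):
    """Constructed sample message for demonstration; not real mail."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def zipped(member_name):
    """Constructed zip archive holding one placeholder file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    print(find_onenote_attachments(build_sample("Invoice.ONE", b"placeholder")))
    print(find_onenote_attachments(build_sample("docs.zip", zipped("Invoice.one"))))
```

A renamed file would slip past an extension check, so a filter like this complements user caution rather than replacing it.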
It is crucial that users take precaution and:
If your staff have not received any formal cybersecurity training, or you are concerned about your security posture, please reach out to us.