Microsoft OneNote, the note-taking app that is part of the Office 365 office suite, is getting more and more attention for all the wrong reasons.
This follows another report by cybersecurity researchers detailing how more and more cybercriminals are starting to use the app to deliver malware to unsuspecting victims.
This time, researchers from Zscaler published a report describing OneNote as a “growing threat” in malware distribution.
False invoices and orders
The delivery method is similar to the one used for macro-enabled Office files. The attackers create a OneNote file, called a notebook, and design it to look like an important document, such as an invoice or something similar. Inside the file, they place a malicious attachment capable of downloading and running a piece of malware from a third-party server. They then obfuscate the content of the file and overlay it with a button that says “Click here to view” or a similar call to action.
Clicking the button activates the attachment and runs the malware.
The file is then distributed as usual – via email. Hundreds of thousands of phishing emails are sent daily, targeting corporate endpoints, personal computers, and other devices that hold sensitive customer data and personal information.
Last summer, Microsoft finally blocked Office programs from running macros in files downloaded from the Internet. In this way, the company successfully eliminated one of the most popular attack vectors among the cybercrime community. Since then, hackers have been hard at work looking for alternative ways to deliver malware. Two methods began to stand out – delivering an ISO file (a type of archive file that allows hackers to bypass email and anti-virus protections) and delivering OneNote notebook files.
To protect against these types of attacks, cybersecurity analysts usually advise common sense – don’t download email attachments or click on links in emails whose content, sender address, or subject sound even slightly suspicious.
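As an added example (not from the Zscaler report or this article), the following Python code shows how a mail gateway or analyst could triage a OneNote attachment of the kind described above: it locates embedded file objects by the FileDataStoreObject signature from Microsoft's MS-ONESTORE format specification and flags any that are not images. The image-only heuristic, the function names and the sample bytes are assumptions made for this example.

```python
import struct
import uuid

# GUIDs from the MS-ONESTORE specification; stored little-endian on disk.
ONE_FILE_GUID = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le

# Leading bytes of common image types (triage heuristic assumed for this example).
IMAGE_MAGICS = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF8")


def embedded_files(data: bytes):
    """Yield (offset, payload) for each FileDataStoreObject found by signature scan."""
    pos = data.find(FDSO_HEADER)
    while pos != -1:
        # Layout: guidHeader(16) cbLength(8) unused(4) reserved(8) FileData(cbLength)
        if pos + 36 > len(data):
            break
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + 36
        if start + length <= len(data):  # skip truncated or bogus lengths
            yield pos, data[start:start + length]
        pos = data.find(FDSO_HEADER, pos + 16)


def triage(data: bytes):
    """Return (offset, size, verdict) for every embedded object in a .one file."""
    if data[:16] != ONE_FILE_GUID:
        return []  # not a OneNote section file
    findings = []
    for offset, payload in embedded_files(data):
        verdict = "image" if payload.startswith(IMAGE_MAGICS) else "review"
        findings.append((offset, len(payload), verdict))
    return findings


def build_sample() -> bytes:
    """Constructed input: file GUID plus two embedded objects, not a full notebook."""
    def fdso(payload):
        return FDSO_HEADER + struct.pack("<QI8x", len(payload), 0) + payload
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8              # stands in for the button image
    script = b"@echo off\r\necho constructed sample\r\n"  # harmless placeholder attachment
    return ONE_FILE_GUID + b"\x00" * 48 + fdso(png) + fdso(script)


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

Objects marked "review" are candidates for extraction into a sandbox or for blocking at the gateway; a notebook that legitimately embeds documents will also produce them, so the verdict is a prompt for inspection rather than a detection by itself.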