I love OneNote – it is my go to, cross platform/cross device app (it even works on my watch!) so I have been watching the increasing threat actor activity using OneNote attachments with interest, as we all use OneNote her at Smart Thinking and Octagon and I have encouraged many clients over the years to use OneNote. (The team have instigated some specific monitoring and alerts for OneNote attachments on our systems and just like the article below we block the .one extension at our mail gateway.)
The increase in use of Microsoft OneNote as an attack vector was partly caused by Microsoft tightening the security on macros in other apps in its Office Suite:
Microsoft Office Macros – The Good, The Bad and the Ugly – CyberAwake
So the threat actors turned to another way of sneaking the malware past your protection by creating intricate protected OneNote documents that contain obfuscated embedded files that do the damage.
BleepingComputer has an excellent article describing the attack and mitigation you should read. If the solution is beyond you, then get some help.
Why should you bother to read this article?
To explain why you should take notice of this very real risk to your organisation, let me quote from Lawrence Abrams’ excellent article:
Sadly, you just need one user to accidentally allow a malicious file to run for an entire corporate network to be compromised in a full blown ransomware attack.
Lawrence Abrams, Bleeping Computer
Well that will not happen to us – we always take care when we open any email.
But do you.
Here is another article I quoted from last week – academic research that shows threat actors target their phishing attacks to arrive when your team are in a rush – Friday afternoons, first thing Monday, before lunch…
Now you know when the threat actors will be sending the malicious OneNote files to you, do something about it.
Did I hear you say “we do not use OneNote”
Well that is one of the cleaver things about this particular attack vector. Not many people are familiar with the .one extension and the software needed to run the malicious attachment, OneNote ,comes preinstalled with Windows and Office 365. So even if you do not use it OneNote is there waiting!
Clive Catton MSc (Cyber Security) – by-line and other articles
Further Reading
Photo by Miguel Á. Padriñán