Microsoft OneNote malware mitigation | Smart Thinking Solutions

I love OneNote – it is my go to, cross platform/cross device app (it even works on my watch!) so I have been watching the increasing threat actor activity using OneNote attachments with interest, as we all use OneNote her at Smart Thinking and Octagon and I have encouraged many clients over the years to use OneNote. (The team have instigated some specific monitoring and alerts for OneNote attachments on our systems and just like the article below we block the .one extension at our mail gateway.)

The increase in use of Microsoft OneNote as an attack vector was partly caused by Microsoft tightening the security on macros in other apps in its Office Suite:

Microsoft Office Macros – The Good, The Bad and the Ugly – CyberAwake

So the threat actors turned to another way of sneaking the malware past your protection by creating intricate protected OneNote documents that contain obfuscated embedded files that do the damage.

BleepingComputer has an excellent article describing the attack and mitigation you should read. If the solution is beyond you, then get some help.

Why should you bother to read this article?

To explain why you should take notice of this very real risk to your organisation, let me quote from Lawrence Abrams’ excellent article:

Sadly, you just need one user to accidentally allow a malicious file to run for an entire corporate network to be compromised in a full blown ransomware attack.
Lawrence Abrams, Bleeping Computer

Well that will not happen to us – we always take care when we open any email.

But do you.

Here is another article I quoted from last week – academic research that shows threat actors target their phishing attacks to arrive when your team are in a rush – Friday afternoons, first thing Monday, before lunch…

Exploitation and how to avoid it…

Now you know when the threat actors will be sending the malicious OneNote files to you, do something about it.

Did I hear you say “we do not use OneNote”

Well that is one of the cleaver things about this particular attack vector. Not many people are familiar with the .one extension and the software needed to run the malicious attachment, OneNote ,comes preinstalled with Windows and Office 365. So even if you do not use it OneNote is there waiting!

Training can help.

Do you want to know more?

Clive Catton MSc (Cyber Security) – by-line and other articles

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Why should you bother to read this article?

Did I hear you say “we do not use OneNote”

Further Reading