BleepingComputer reports that Microsoft OneNote attachments are being leveraged in phishing emails aimed at deploying remote access trojans for secondary malware deployment, as well as password and cryptocurrency theft.
Threat actors behind the scheme have been sending emails purporting to be DHL shipping notifications, ACH remittance forms, invoices, shipping documents, and mechanical drawings.
Because OneNote does not support macros, attackers have instead been using the tool to include malicious VBS attachments, according to BleepingComputer. OneNote warns users that opening attachments may harm their computer and data, but the warning is commonly ignored, and clicking the "OK" button triggers the execution of a VBS script that downloads and executes malware.
BleepingComputer has observed that malspam emails using this technique result in the installation of RATs. Cybersecurity researcher James observed that the OneNote attachments he examined installed both the AsyncRAT and XWorm RATs.
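
A mail-gateway triage check for the delivery method described above, as an added example that is not from BleepingComputer or the researcher: it flags OneNote attachments in a message and counts the embedded files that look like scripts. The GUID byte patterns come from Microsoft's published MS-ONESTORE format rather than from this article, and the function names, script keyword list and sample message are constructed for illustration.

```python
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

# GUIDs from Microsoft's published MS-ONESTORE format, in on-disk byte order.
ONE_FILE_MAGIC = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")  # .one file header
EMBED_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")    # FileDataStoreObject
SCRIPT_HINTS = (b"createobject", b"wscript.", b"getobject(")  # assumed heuristic

def embedded_files(blob):
    """Yield the bytes of each file embedded in a OneNote section."""
    pos = blob.find(EMBED_HEADER)
    while pos != -1 and pos + 36 <= len(blob):
        # Layout: header GUID (16), cbLength (8), unused (4), reserved (8), data.
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        yield blob[pos + 36:pos + 36 + length]
        pos = blob.find(EMBED_HEADER, pos + 36)

def triage_email(raw):
    """Return (filename, embedded_count, script_like_count) per OneNote attachment."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Match on extension or on content, so a renamed file is still caught.
        if not (name.lower().endswith(".one") or data.startswith(ONE_FILE_MAGIC)):
            continue
        files = list(embedded_files(data))
        # Strip NULs so UTF-16 encoded scripts match the same hints.
        scripts = [f for f in files
                   if any(h in f.replace(b"\x00", b"").lower() for h in SCRIPT_HINTS)]
        findings.append((name, len(files), len(scripts)))
    return findings

def build_sample():
    """Constructed message: a minimal fake .one carrying a harmless VBS line."""
    vbs = b'WScript.Echo "constructed sample"'
    one = (ONE_FILE_MAGIC + b"\x00" * 64 + EMBED_HEADER
           + struct.pack("<Q", len(vbs)) + b"\x00" * 12 + vbs)
    msg = EmailMessage()
    msg["Subject"] = "Shipping notification (constructed)"
    msg.set_content("See attached.")
    msg.add_attachment(one, maintype="application", subtype="onenote",
                       filename="invoice.one")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage_email(build_sample()))
```

A non-zero script-like count is a reason to quarantine the message for review; a zero count does not clear the file, since the keyword list is only a heuristic.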