
Attackers increasingly use Microsoft’s OneNote to deliver QakBot malware


Security researchers are warning of a growing number of malware campaigns abusing Microsoft’s digital note-taking app OneNote. The uptick has been reported despite Microsoft blocking macros by default in Office files downloaded from the internet last year; OneNote notebooks carry embedded files rather than macros, so that control does not apply to them.

Proofpoint researchers said they began seeing an increase in OneNote documents delivering malware via email in December and January, with “.one” files arriving both as attachments and via URLs.

In December, Proofpoint observed six campaigns delivering the AsyncRAT malware via a OneNote attachment, according to research published on Feb. 1. In January, the number of threat campaigns using OneNote jumped to more than 50, delivering a variety of malware payloads.

Proofpoint then noted that the cybercrime threat actor TA577 began using OneNote files to deliver the QakBot malware at the end of January. Proofpoint has tracked TA577 since 2020 as an adversary targeting a range of geographies and industries with malicious Microsoft Office attachments.

Proofpoint called the use of OneNote “unusual” and assessed that attackers were experimenting with the format as they searched for attachment types that bypass detection. The researchers concluded, however, that “TA577’s adoption of OneNote suggests other more sophisticated actors will begin using this technique soon.”

Days later, a principal researcher at SophosLabs said the QakBot group’s adoption of OneNote shows the vector being worked in “a much more automated, streamlined fashion” compared with the small-scale attacks first observed.

Calling the attack “QakNote,” Sophos researcher Andrew Brandt said in a Feb. 6 post that two parallel spam campaigns were observed beginning Jan. 31. The first uses malicious email links that prompt the recipient to download a weaponized “.one” file; the other uses “message thread injections,” replying to all participants of an existing email thread with a malicious OneNote notebook attached.

Notably, only browsers presenting a Windows User-Agent string received the weaponized OneNote attachment; requests from Mac/iOS, Linux and Android devices got a 404 from the server hosting the malicious file, a simple server-side filter that limits payload exposure to the platform it targets.

In both Proofpoint’s and Sophos’s observations, the OneNote attachments contain an embedded file (a script or executable) hidden behind a graphic made to look like a button; double-clicking the “button” actually opens the embedded file and executes it.

Proofpoint researchers said the attachments were not detected as malicious by multiple anti-virus engines and recommended that organizations educate their personnel about the OneNote abuse.
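The carving logic that this behind-the-button embedding calls for, as an added example that is not code from Proofpoint, Sophos or the original article: it scans raw OneNote bytes for the FileDataStoreObject header GUID defined in Microsoft’s MS-ONESTORE format, reads the 8-byte length that follows it, pulls out each embedded file and flags the ones that look like scripts or executables. The sample bytes are constructed for the demo (they are embedded-file records only, not a complete notebook); the marker patterns and risk labels are my own assumptions, not a published detection rule.

```python
"""Carve embedded files out of a OneNote (.one) blob and flag risky ones.

Added example for triage of .one attachments; not code from Proofpoint, Sophos
or SC Media. Layout of a FileDataStoreObject (MS-ONESTORE):
  guidHeader (16) | cbLength (8, LE) | unused (4) | reserved (8) | FileData | guidFooter (16)
"""
import re
import struct

# On-disk (little-endian mixed) encodings of the two GUIDs.
FILE_DATA_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")  # {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FILE_DATA_FOOTER = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")  # {71FBA722-0F79-4A0B-BB13-899256426B24}
HEADER_LEN = 36  # guidHeader(16) + cbLength(8) + unused(4) + reserved(8)

# Assumed content markers for things that run when double-clicked; tune to taste.
SCRIPT_MARKERS = [
    (re.compile(rb"<script\b", re.I), "hta/html script"),
    (re.compile(rb"\bWScript\.|\bCreateObject\(", re.I), "VBScript/JScript"),
    (re.compile(rb"\bpowershell\b|\bInvoke-Expression\b|\bIEX\b", re.I), "PowerShell"),
    (re.compile(rb"\bcmd(\.exe)?\s+/c\b", re.I), "cmd batch"),
    (re.compile(rb"\bcertutil\b|\bbitsadmin\b|\bcurl\b", re.I), "downloader LOLBin"),
]
HIGH_RISK = {"PE executable", "hta/html script", "VBScript/JScript",
             "PowerShell", "cmd batch", "downloader LOLBin"}


def carve_embedded_files(blob: bytes):
    """Return [(offset, data)] for every FileDataStoreObject found in raw bytes.

    Works on the raw file, so it does not depend on parsing the full notebook
    structure; truncated records are returned with whatever data is present.
    """
    found, pos = [], 0
    while True:
        idx = blob.find(FILE_DATA_HEADER, pos)
        if idx < 0 or idx + HEADER_LEN > len(blob):
            break
        (length,) = struct.unpack_from("<Q", blob, idx + 16)
        start = idx + HEADER_LEN
        end = min(start + length, len(blob))
        found.append((idx, blob[start:end]))
        pos = idx + len(FILE_DATA_HEADER)  # keep scanning after this header
    return found


def classify(data: bytes) -> str:
    """Rough type label from magic bytes, then from script-looking content."""
    if data[:2] == b"MZ":
        return "PE executable"
    if data[:4] == b"%PDF":
        return "pdf"
    if data[:2] == b"PK":
        return "zip/office"
    if data[:8] == b"\x89PNG\r\n\x1a\n" or data[:2] == b"\xff\xd8":
        return "image"
    for pattern, label in SCRIPT_MARKERS:
        if pattern.search(data):
            return label
    return "unknown"


def triage(blob: bytes):
    """One finding per embedded file: offset, size, type label, risk flag."""
    return [
        {"offset": off, "size": len(data), "kind": classify(data),
         "risky": classify(data) in HIGH_RISK}
        for off, data in carve_embedded_files(blob)
    ]


def _embed(payload: bytes) -> bytes:
    """Build one FileDataStoreObject record around payload (demo helper)."""
    return (FILE_DATA_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12
            + payload + FILE_DATA_FOOTER)


# Constructed sample: a fake "button" image followed by an HTA-like script,
# mimicking the graphic-over-script layout described in the article.
SAMPLE_ONE = (
    b"constructed-notebook-filler"
    + _embed(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    + b"more-filler"
    + _embed(b'<html><script language="VBScript">'
             b'Set sh = CreateObject("WScript.Shell"): sh.Run "cmd /c echo demo"'
             b"</script></html>")
)

if __name__ == "__main__":
    for f in triage(SAMPLE_ONE):
        print(f)
```

Run it against a real attachment with `triage(open(path, "rb").read())`; any finding with `risky` set is a notebook that should be detonated or blocked regardless of what the antivirus verdict says.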

Proofpoint posted indicators of compromise in its Feb. 1 blog, and SophosLabs published IOCs on its GitHub.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
