Attackers now use OneNote attachments in phishing emails, infecting victims with remote access malware that can be used to install more malware, steal passwords and even cryptocurrency wallets.
This comes after years of attackers distributing malware in emails, using malicious Word and Excel attachments that run macros to download and install the malware. However, in July Microsoft finally disabled macros in Office documents by default, making this method unreliable for spreading malware.
Attackers soon began using new file formats, such as ISO images and password-protected ZIP files. These file formats soon became immensely popular with the help of a Windows bug that allowed ISOs to bypass security warnings, and of the popular archiving program 7-Zip, which did not propagate the Mark-of-the-Web to files extracted from ZIP archives.
However, both 7-Zip and Windows recently fixed these bugs, causing Windows to display the dreaded security warnings when a user tried to open files from downloaded ISO and ZIP files. To avoid being deterred, attackers quickly switched to a new file format for malspam attachments: Microsoft OneNote attachments.
Microsoft OneNote is a free desktop digital notebook application available in Microsoft Office 2019 and Microsoft 365. Since Microsoft OneNote is installed by default on all Microsoft Office/365 installations, the file format can still be opened even if a Windows user never uses the program.
Since mid-December, cybersecurity researchers have warned that attackers have begun distributing malicious spam emails with OneNote attachments. In examples found by BleepingComputer, these spam messages pose as DHL shipping notices, invoices, ACH money transfer forms, machine templates and shipping documents.
Unlike Word and Excel, OneNote does not support macros, which is the mechanism attackers have relied on to run scripts that install malware. Instead, OneNote allows users to add attachments to a notebook, and an attachment launches when it is double-clicked.
Attackers abuse this feature by adding malicious VBS attachments that, when double-clicked, automatically run a script to download and install malware from a remote site. Because attachments appear as a file icon in OneNote, attackers overlay a large “Double-click to view file” panel to hide the embedded VBS attachments underneath it.
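As an added example (not code from the article or from BleepingComputer), the script below does what a defender would do before ever double-clicking such a notebook: it pulls every embedded file out of a .one blob and flags the ones that look like scripts or executables. The container GUID and header layout are assumed from the MS-ONE file-format specification, and the sample notebook bytes are constructed inline.

```python
import re
import struct
import uuid

# Header GUID of a FileDataStoreObject, the container OneNote uses for embedded
# files; assumed from the MS-ONE spec, it is not mentioned in the article.
FILE_DATA_STORE_GUID = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
# Assumed header layout: guidHeader(16) + cbLength(u64 LE) + unused(4) + reserved(8)
HEADER_FMT = "<16sQ4s8s"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 36 bytes, the payload follows directly

# Markers that make an embedded attachment worth a closer look before opening
SCRIPT_MARKERS = [
    (re.compile(rb"CreateObject\s*\(", re.I), "vbs:CreateObject"),
    (re.compile(rb"WScript\.Shell", re.I), "vbs:WScript.Shell"),
    (re.compile(rb"powershell", re.I), "powershell"),
    (re.compile(rb"^MZ"), "pe-executable"),
]

def extract_embedded_files(blob: bytes) -> list[bytes]:
    """Return the payload of every FileDataStoreObject found in a .one blob."""
    found = []
    pos = blob.find(FILE_DATA_STORE_GUID)
    while pos != -1:
        if pos + HEADER_LEN <= len(blob):
            _, length, _, _ = struct.unpack_from(HEADER_FMT, blob, pos)
            start = pos + HEADER_LEN
            if length and start + length <= len(blob):  # skip truncated objects
                found.append(blob[start:start + length])
        pos = blob.find(FILE_DATA_STORE_GUID, pos + 1)
    return found

def classify(payload: bytes) -> list[str]:
    """List the script/executable markers present in one embedded file."""
    return [label for pattern, label in SCRIPT_MARKERS if pattern.search(payload)]

def triage(blob: bytes) -> list[dict]:
    """Summarise every embedded file: its size plus the markers that flag it."""
    return [{"index": i, "size": len(p), "markers": classify(p)}
            for i, p in enumerate(extract_embedded_files(blob))]

def _store(payload: bytes) -> bytes:
    """Wrap a payload in a FileDataStoreObject header (only used to build the sample)."""
    return struct.pack(HEADER_FMT, FILE_DATA_STORE_GUID, len(payload), b"\0" * 4, b"\0" * 8) + payload

# Constructed sample notebook: a harmless image stub plus a VBScript attachment
SAMPLE_VBS = b'Set sh = CreateObject("WScript.Shell")\r\nMsgBox "constructed sample"\r\n'
SAMPLE_ONE = b"\x00" * 64 + _store(b"\x89PNG\r\n\x1a\n" + b"\0" * 16) + b"\xff" * 8 + _store(SAMPLE_VBS)

if __name__ == "__main__":
    for hit in triage(SAMPLE_ONE):
        print(hit)
```

Real notebooks carry the same container around every attachment, so running `triage` over a quarantined .one file shows what a "Double-click to view file" overlay is hiding without launching it.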