Discovering threat actors accessing your environment is difficult. When they are cleverly disguised in one of your organization's trusted applications, it’s even harder - and your adversaries are counting on organizations not to pick up on the nuances.
Across the industry, security professionals have seen an increase in use of Microsoft OneNote documents, Microsoft’s digital notebook solution, to drop malware into small- and medium-sized enterprises (SMEs) via email attachments and URLs. As the app comes as part of the Microsoft Office productivity suite, threat actors operate under the assumption that most of their targeted victims will have OneNote installed on their endpoints.
With Popularity Comes Risk
OneNote is highly popular among businesses as it provides a simple-to-deploy, open source note-taking application that is supported by a wide range of platforms and devices. For users, it offers an easy-to-use solution for those who need to capture and store ideas, notes, and other information quickly and easily. Unfortunately, it also comes with a host of challenges:
- Trust: A user’s trust is usually a great thing when it comes to an application. But that trust often leads to weak points in security surveillance
- Access Control: OneNote documents have limited access control, which means that if someone gains access to a user’s account they can potentially view, edit, or delete the documents.
- Malware: OneNote has served as part of an infection chain to deliver malware, which can spread quickly and damage the documents or the user’s device.
Susceptibility To Malware
OpenNote is widely known to be a delivery vessel for malicious software. Attackers use OneNote to deliver their malicious payloads by obfuscating the content and exploiting the trusted application status of OneNote. Without proper training, threat actors bypass security controls to deliver malicious payloads though phishing attacks not caught by users. Observed email campaigns using OneNote for malware delivery display some common characteristics. While the message subjects and senders vary, unique messages are crafted to deliver malware, and do not typically utilize thread hijacking. These messages attach OneNote files with seemingly benign themes common to a user such as “invoice”, “shipping details”, or “Christmas Party”. All a threat actor needs to do is to trick users into double-clicking on the embedded file, and they’re in and able to deploy their malicious payload. AsyncRAT, as an example, is one of the final pieces of malware installed by a OneNote attachment attack. Once this happens the Remote Access Trojan access can be sold as an IAM, or used in further attacks.
According to cloud IT security vendor, ZScaler, “Although the "Mark of the Web" is a Windows security feature that protects users from potentially harmful content downloaded from the internet, OneNote does not propagate this feature on its attachments. This allows attackers to embed unsigned executables or macro-enabled documents without triggering Microsoft's recent security restrictions.” Additionally, the human-readable element of OneNote means that code can often be hidden by formatting instructions. Additionally, OneNote documents often contain embedded images, videos, and other media files, which can further hide malicious code.
Limited Focus on Detection
Ransomware actors are more ambitious, more technically astute, and seemingly more ruthless than ever before. We’ve known this for some time － that’s why we’ve focused our efforts on becoming the industry’s leading MDR for ransomware defense. We see the speed at which ransomware attackers evolve their attacks, and the extent they go to to make sure they’re effective.
Cybersecurity investigators believe hackers are using OneNote more often as a result of their extensive research across the community. After experimenting with the effectiveness of different attachment types, they have focused their efforts on OneNote given that detections of its payloads have been scarce.
Detecting malware in OneNote documents should be easy as it’s a well-defined format. The sheer volume of content leads to organizations failing to scan all documents. Exploits in Microsoft OneNote are also not as well-understood as macro-based attacks, resulting in organizations not implementing sufficient security measures to prevent them.
How do I protect my business from OneNote malware?
Despite organizational challenges with detecting malware in OneNote documents, there are many simple steps that can be taken to improve security of the application and its use. Below is a short list of our top recommendations:
1. Install and configure next-gen antivirus (NGAV) software on all of your computers, and regularly update it
A next-gen antivirus program can protect the OneNote app by scanning for malware and other malicious software that may be targeted at the app. It can detect suspicious activity and alert users of potential threats.
2. Run regular vulnerability scans on all of your computers for viruses and malware
Vulnerability scanning can help identify potential security weaknesses, helping assess, and resolve vulnerabilities in the app’s code and infrastructure before they become exploitable by malicious actors.
3. Use strong passwords to protect your accounts and data
Strong passwords are essential for protecting your OneNote accounts and data. They provide an extra layer of security that helps to keep unauthorized users from accessing the app or its contents.
4. Use two-factor authentication for accessing OneNote and other sensitive accounts
We’re firm believers that you should use multi-factor authentication on all your accounts and applications. It is especially important to make sure you enable MFA for OneNote. MFA is the single most effective way to keep unauthorized actors from accessing accounts they shouldn’t.
5. Keep your operating system and other software up-to-date
Regularly updating your Microsoft operating system and application software ensures that any known security vulnerabilities are patched in a timely manner. Threat actors feast off users and organizations that leave vulnerabilities unattended. The most current vulnerabilities relating to OneNote can be found in the Microsoft Security Center, updated on Microsoft Patch Tuesday, the 2nd Tuesday or each month.
6. Encrypt OneNote sections
On OneNote for iPad or iPhone, you can help keep private notes and information safe from prying eyes by protecting any of the sections in your OneNote notebooks with a password. When a section is password-protected, all of its pages are locked using 128-bit AES encryption. This keeps your important information safer from prying eyes.
7. Educate your employees on cyber security and data protection best practices
One of the most important steps you can take to protect your business from an attack on your OneNote users is to educate your employees not to download attachments and click on email links from people they don’t know or aren’t part of your organization. They should be trained not to ignore warning messages prompted in OneNote or their email application.
8. Get a good detection and response service
While all other protections go a long way towards protecting your business, a competent service that can accurately detect, contain, and respond to threats is an absolute must. It is your primary line of defense to keep malware and ransomware out of your environment.
How can ActZero protect your business from OneNote malware?
Whether it’s OneNote attacks or another emerging threat, our ActZero team provides continuous protection to improve your cyber risk. Detecting malicious OneNote document execution is relatively easy once you know exactly what you’re looking for.
Our ActZero MDR service has recently blocked several OneNote attacks for customers. In each case, ‘.one’ extensions had been found in email attachments and URLs attempting to launch executables and scripts. Without detection, these OneNote documents may have been used to deliver malware strains like Qakbot, AsyncRAT, QuasarRAT, and a number of others.
We will continue to monitor our customer environments for attacks on OneNote. We strongly encourage our customers, and businesses in general to inform their end users about this technique, and train them on how to detect and report suspicious emails with this extension.