• Hackers now use Microsoft OneNote attachments to spread malware


    Threat actors now use OneNote attachments in phishing emails that infect victims with remote access malware which can be used to install further malware, steal passwords, or even cryptocurrency wallets.

    This comes after attackers have been distributing malware in emails using malicious Word and Excel attachments that launch macros to download and install malware for years.

    However, in July, Microsoft finally disabled macros by default in Office documents, making this method unreliable for distributing malware…

    Not to be deterred, threat actors quickly switched to using a new file format in their malicious spam (malspam) attachments: Microsoft OneNote attachments…

    From samples found by BleepingComputer, these malspam emails pretend to be DHL shipping notifications, invoices, ACH remittance forms, mechanical drawings, and shipping documents…

    Unlike Word and Excel, OneNote does not support macros, which is how threat actors previously launched scripts to install malware.

    Instead, OneNote allows users to insert attachments into a NoteBook that, when double-clicked, will launch the attachment.

    Threat actors are abusing this feature by attaching malicious VBS attachments that automatically launch the script when double-clicked to download malware from a remote site and install it…

    3 users thanked author for this post.
    • #2528147

      Thankfully, when launching OneNote attachments, the program warns you that doing so can harm your computer and data.

      If you see a warning that opening an attachment or link could harm your computer or files, simply do not press OK and close the application.

      Windows 11 Pro version 22H2 build 22621.2359 + Microsoft 365 + Edge

    • #2528191

      Hey Y’all,

      Another way to block this is to disable the Windows Script Host. This will prevent all VBS (Visual Basic Scripts) files from executing.

      You can do this easily using my Computer Mentor’s Standard Windows 10 Settings PowerShell program. The program allows you to change the settings for a lot of Windows settings and will save those settings so they can be easily restored if a Windows Update clobbers them, which is all too often.

      You can find the program CMsStdSettingsForm.zip on my OneDrive download page here.

      Be sure to read the comment-based help.


      May the Forces of good computing be with you!


      PowerShell & VBA Rule!

      2 users thanked author for this post.
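
The Windows Script Host block suggested in reply #2528191, as an added PowerShell example that is not part of the thread and is not the poster's CMsStdSettingsForm program: it reports and sets the `Enabled` value under the `Windows Script Host\Settings` registry key. The function names `Get-WshState` and `Disable-Wsh` are hypothetical, and changing the HKLM values assumes an elevated prompt.

```powershell
# Added example (not from the thread). Function names are hypothetical.
# Windows Script Host refuses to run scripts when Enabled = 0 under these keys.
$WshKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',
    'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'
)
# On 64-bit Windows, 32-bit wscript/cscript read the WOW6432Node view.
if (Test-Path -LiteralPath 'HKLM:\SOFTWARE\WOW6432Node') {
    $WshKeys += 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings'
}

function Get-WshState {
    # Report the Enabled value for each key; 'not set' means the key imposes no block.
    foreach ($key in $WshKeys) {
        $value = $null
        if (Test-Path -LiteralPath $key) {
            $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
            if ($props -and $props.PSObject.Properties['Enabled']) { $value = $props.Enabled }
        }
        if ($null -eq $value)     { $state = 'not set' }
        elseif ("$value" -eq '0') { $state = 'disabled' }
        else                      { $state = 'enabled' }
        [pscustomobject]@{ Key = $key; Enabled = $value; State = $state }
    }
}

function Disable-Wsh {
    # Write Enabled = 0 (DWORD) to each key; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Key = $WshKeys)
    foreach ($k in $Key) {
        if ($PSCmdlet.ShouldProcess($k, 'Set Enabled = 0')) {
            if (-not (Test-Path -LiteralPath $k)) { New-Item -Path $k -Force | Out-Null }
            New-ItemProperty -LiteralPath $k -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
        }
    }
}

Get-WshState | Format-Table -AutoSize   # audit the current state first
Disable-Wsh -WhatIf                     # dry run; drop -WhatIf to apply
```

With WSH disabled, wscript.exe and cscript.exe refuse to run .vbs, .js and .wsf files, so check for legitimate logon or admin scripts that depend on it before applying.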