As cybercriminals adapt to Microsoft’s 2022 decision to disable macros by default in Office documents, threat actors have pivoted to exploiting OneNote as a primary attack vector for credential theft and malware distribution.
Cybercriminals now embed malicious files or links within OneNote documents disguised as invoices, property notices, or business communications, leveraging the platform’s weaker access controls compared to traditional Office applications.
Attackers exploit OneNote’s reduced security measures to distribute malware through seemingly legitimate business documents and communications.
These sophisticated attacks involve creating fake OneNote login interfaces that precisely mimic legitimate Microsoft login pages to harvest Office 365 credentials. Attackers improve their success rates by preloading victim email addresses into spoofed login panels, adding credibility to the phishing attempt.
The embedded executables or HTA files within OneNote documents trigger malware downloads upon user interaction, often hidden behind inconspicuous interface elements.
Threat actors employ various social engineering tactics to maximize victim engagement. Attack emails mimic legitimate business communications, utilizing lures with urgent invoice notifications, property deal offers, or company notices.
Visual elements such as blurred reports and prominent “Click Here to View” buttons encourage interaction, as attackers exploit organizational trust in Microsoft branding to bypass initial suspicion.
The malware payload spectrum delivered through OneNote campaigns includes QakBot, which provides remote control capabilities for further attacks, AsyncRAT and Remcos RAT for persistent remote access and data exfiltration, and ModiLoader to bypass antivirus scanning. These malware strains utilize batch scripts that encode download URLs with hex codes to evade detection by security systems. The unsigned executables within OneNote documents do not trigger security warnings, further obscuring malicious activity from user awareness.
Infostealers systematically siphon stored credentials and sensitive information, while secondary deployments may include ransomware or cryptominers.
Successful credential theft grants attackers thorough access to Office365 and Outlook mailboxes, enabling business email compromise attacks and organizational mapping through hijacked login pages.
Compromised accounts face significant risks including data loss, financial theft, and unauthorized access to company resources. Persistent access allows staged deployment of additional threats across the compromised environment.
The prevalence of OneNote-based malware campaigns has significantly increased since Microsoft’s macro restrictions implementation.
Multiple threat actors have identified OneNote as an effective alternative attack vector, capitalizing on reduced security scrutiny and user familiarity with the platform to execute credential harvesting operations.
