• In late February 2023, threat actors rode a wave of initial access using Microsoft OneNote files. In this case, we observed a threat actor deliver IcedID using this method.
• After loading IcedID and establishing persistence, there was no further actions, other than beaconing for over 30 days.
• The threat actor used Cobalt Strike and AnyDesk to target a file server and a backup server.
• The threat actor used FileZilla to exfiltrate data from the network before deploying Nokoyawa ransomware.

A large-scale "QakNote" attack deploys malicious .one files as a novel infection vector

• Emotet resumed spamming operations on March 7, 2023, after a months-long hiatus.
• Initially leveraging heavily padded Microsoft Word documents to attempt to evade sandbox analysis and endpoint protection, the botnets switched to distributing malicious OneNote documents on March 16.
• Since returning, Emotet has leveraged several distinct infection chains, indicating that they are modifying their approach based on their perceived success in infecting new systems.
• The initial emails delivered to victims are consistent with what has been observed from Emotet over the past several years.

Threat actors are taking advantage of Microsoft OneNote's ability to embed files and use social engineering techniques, such as phishing emails and lures inside the OneNote document, to get unsuspecting users to download and open malicious files.

In recent weeks OneNote has gotten a lot of media attention as threat actors are abusing the embedded files feature in OneNote in their phishing campaigns.
I first observed this OneNote abuse in the media via Didier’s post. This was later also mentioned in Xavier’s ISC diary and on the podcast. Later, in the beginning of February, the hacker news covered this as well.

During the past 4 months Microsoft Onenote file format has been (ab)used as Malware carrier by different criminal groups. While the main infection vector is still on eMail side - so nothing really relevant to write on - the used techniques, the templates and the implemented code to inoculate Malware changed a lot. So it…

OneNote is a software part of the Office suite, commonly used within most organisations for note-keeping, task management and more. In the last year, OneNote gained more attention from a security perspective, mostly thanks to the research paper published by Emeric Nasi.

Key Findings:

• The use of Microsoft OneNote documents to deliver malware via email is increasing.
• Multiple cybercriminal threat actors are using OneNote documents to deliver malware.
• While some campaigns are targeted at specific industries, most are broadly targeted and include thousands of messages.
• In order to detonate the payload, an end-user must interact with the OneNote document.
• Campaigns have impacted organizations globally, including North America and Europe.
• TA577 returned from a month-long hiatus in activity and began using OneNote to deliver Qbot at the end of January 2023.

Cyble Research & Intelligence Labs analyzes new strategies deployed by Qakbot to infect users via Microsoft OneNote.