Key Findings:
- The use of Microsoft OneNote documents to deliver malware via email is increasing.
- Multiple cybercriminal threat actors are using OneNote documents to deliver malware.
- While some campaigns are targeted at specific industries, most are broadly targeted and include thousands of messages.
- In order to detonate the payload, an end-user must interact with the OneNote document.
- Campaigns have impacted organizations globally, including North America and Europe.
- TA577 returned from a month-long hiatus in activity and began using OneNote to deliver Qbot at the end of January 2023.
2635 links