Spreading malware can be difficult as more people implement strong security practices, and security software becomes more sophisticated. Because of this, hackers are always looking for new techniques to scam victims.

Microsoft Office files used to be popular vectors for malware but have recently become less effective, in part because macros are no longer enabled by default. The latest alternative for hackers is to use Microsoft OneNote files.

So why are Microsoft OneNote files being used to spread malware, and how should you protect yourself?

Why Is OneNote Being Used to Spread Malware?


OneNote is a popular note-taking app developed by Microsoft. It is designed to provide an easy way to take quick notes, and it supports embedding images, documents and even executable files.

It is also ideal for hackers. Here's why.

  • In 2022, Microsoft disabled macros in Office files. This, along with the fact that most businesses already try to protect against malicious Office files, means that hackers are now looking for other file formats.
  • OneNote is a popular application but more importantly, it is installed by default on all Windows computers. This means that even if a potential victim doesn't actively use OneNote, the file will still run on their computer if they click on it.
  • OneNote is a Microsoft application and a OneNote file therefore appears trustworthy. This is important because the malware is not spread unless people actually click on the file. It's also compatible with other Microsoft Office files and can be embedded within them.
  • The software allows lots of different types of content to be embedded. This lets hackers employ a variety of techniques for initiating malware downloads.
  • OneNote has not previously been used to distribute large amounts of malware. Because of this, most people are not suspicious of such files and businesses are not necessarily equipped to defend against attacks that use them.

Who Is Being Targeted?

Attacks involving OneNote files primarily target businesses. OneNote files are attached to emails and then sent in bulk to employees. The files are often attached to phishing emails, which aim to steal information, but can be attached to any type of email.

While business employees are the most profitable target, private individuals are also potential victims. A successful attack on an individual will be less profitable but may be easier to carry out. Because of this, everyone should watch out for dodgy OneNote attachments.

How Is OneNote Being Used by Scammers?


Malicious OneNote files are being distributed in emails that discuss common topics such as invoices and shipping. They also include a seemingly valid reason why the recipient needs to download the file.

Some emails include a malicious OneNote file as an attachment. Other messages direct the user to a malicious website where they are then encouraged to download the OneNote file.

When the file is opened, the victim is prompted to click on some type of graphic. Doing so executes a file embedded in the document. These embedded files are typically designed to run PowerShell commands that download malware from remote servers.
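Because the lure works by embedding a runnable file inside the note, a defender's first triage step is simply to list what a .one attachment has embedded before anyone clicks on it. The script below is an added example (not code from the article) that does this in Python. The file signature GUID and the FileDataStoreObject layout (header GUID, 8-byte length, 12 bytes of padding, the file data, footer GUID) come from Microsoft's public MS-ONESTORE specification; the list of script markers is a heuristic of this example's own, and the sample input is constructed inline rather than taken from any real attachment.

```python
"""Triage scanner for OneNote (.one) files: lists embedded file objects and
flags payloads that are scripts or executables.  Added example, not from the
original article."""
import struct

# GUIDs from Microsoft's MS-ONESTORE specification, as stored on disk
# (the first three GUID fields are little-endian).
ONE_FILE_GUID = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")  # {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")    # {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")    # {71FBA722-0F79-4A0B-BB13-899256426B24}

# FileDataStoreObject: guidHeader(16) cbLength(8) unused(4) reserved(8) FileData guidFooter(16)
FDSO_HEADER_LEN = 16 + 8 + 4 + 8

# Heuristic markers for payloads OneNote would hand to the OS to run.
# This list is the example's own assumption, not an official or exhaustive one.
SCRIPT_MARKERS = (b"powershell", b"wscript", b"cscript", b"cmd.exe", b"@echo off",
                  b"<script", b"<hta:application", b"createobject(")


def find_embedded_files(data):
    """Return a dict per FileDataStoreObject found in data (offset, length, payload)."""
    found = []
    pos = data.find(FDSO_HEADER)
    while pos != -1:
        if pos + FDSO_HEADER_LEN > len(data):
            break
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + FDSO_HEADER_LEN
        end = start + length
        if end > len(data):  # corrupt or truncated length field: report and stop
            found.append({"offset": pos, "length": length, "payload": b"", "truncated": True})
            break
        found.append({"offset": pos, "length": length, "payload": data[start:end],
                      "truncated": False, "footer_ok": data[end:end + 16] == FDSO_FOOTER})
        pos = data.find(FDSO_HEADER, end)
    return found


def classify(payload):
    """Coarse content type from magic bytes and keywords (heuristic)."""
    if payload.startswith(b"MZ"):
        return "executable"
    if payload.startswith(b"\x89PNG") or payload.startswith(b"\xff\xd8\xff"):
        return "image"
    if payload.startswith(b"%PDF"):
        return "pdf"
    head = payload[:4096].lower()
    if any(marker in head for marker in SCRIPT_MARKERS):
        return "script"
    return "unknown"


def scan(data):
    """Summarise one file: OneNote signature, embedded objects, and whether it needs a closer look."""
    embedded = find_embedded_files(data)
    for entry in embedded:
        entry["type"] = classify(entry["payload"])
    suspicious = any(e["type"] in ("executable", "script") or e["truncated"] for e in embedded)
    return {"is_onenote": data.startswith(ONE_FILE_GUID),
            "embedded": embedded, "suspicious": suspicious}


def build_fdso(payload):
    """Wrap a payload in a FileDataStoreObject; used only to construct test input."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload + FDSO_FOOTER


def build_sample():
    """Constructed sample: a .one-like byte string with one image and one batch file embedded.
    It is not a real OneNote document, only enough structure for the scanner."""
    png = b"\x89PNG\r\n\x1a\n" + b"\0" * 32
    bat = b"@echo off\r\npowershell -c \"echo constructed sample, nothing is downloaded\"\r\n"
    return ONE_FILE_GUID + b"\0" * 64 + build_fdso(png) + b"\0" * 16 + build_fdso(bat) + b"\0" * 8


if __name__ == "__main__":
    report = scan(build_sample())
    print("OneNote signature:", report["is_onenote"], "| suspicious:", report["suspicious"])
    for e in report["embedded"]:
        print(f"  offset={e['offset']} length={e['length']} type={e['type']} footer_ok={e.get('footer_ok')}")
```

Run it against a quarantined attachment by replacing `build_sample()` with the file's bytes; a `script` or `executable` entry, or a truncated object, is the signal to hold the file for analysis rather than deliver it. A mail gateway rule that strips or quarantines .one attachments carrying such objects catches the lure described above without relying on users to spot it.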

What Malware Is Being Installed?

OneNote files are being used by attackers with a variety of different approaches. Because of this, many different types of malware are involved, including ransomware, Trojans, and information stealers.

Ransomware

Ransomware is designed for extortion. Once installed, it encrypts all files on the system so they cannot be accessed without a decryption key, which must be purchased from the attacker.

Remote Access Trojans

A Remote Access Trojan (RAT) is a piece of malware that allows an attacker to control a device remotely. Once installed, an attacker can issue commands to a machine and install other types of malware.

Info Stealers

An info stealer is a type of Trojan that is used to steal private data. Info stealers are often used to steal login credentials like passwords as well as financial information. Once an info stealer is installed on your computer, a hacker can gain access to your private accounts.

How to Protect Against Malicious OneNote Files


Fortunately, attacks involving malicious OneNote files are not difficult to defend against. They rely on people being careless, and you can therefore protect yourself by taking some basic security precautions.

Don't Download Email Attachments

Malicious OneNote files are only executed if they are downloaded. Email attachments should never be downloaded unless you are sure that you know who the sender is.

Back Up Files

Ransomware is less of a threat if all important files are backed up and the backup is kept in a separate location, i.e. not still plugged into your machine, because the ransomware will encrypt a connected backup too. It's worth noting that defending against ransomware in this manner doesn't prevent hackers from accessing data and threatening to release it.

Use Two-Factor Authentication

Remote access Trojans can be used to steal passwords. To defend against this, you should add two-factor authentication to all of your accounts. Two-factor authentication prevents anyone from logging into your accounts unless they also supply a second piece of information, such as a code sent to your device. Once it is enabled, even a stolen password will not let the thief into your account.

Use Antivirus Software

Many types of ransomware and remote access Trojans will be prevented from running if you have an antivirus suite. Antivirus software, however, should not be relied upon as the only line of defense, as many malicious OneNote files are specifically designed to get past it.

Businesses Should Provide Employee Training

All businesses should educate their staff about this threat. Employees need to know what phishing emails look like and should not be allowed to download attachments.

OneNote Files Are Ideal for Hackers

OneNote files are ideal for spreading malware. They are trusted files that are able to run on most people's computers. They're not associated with malware either, so many businesses are not equipped to defend against them.

Anyone who executes a malicious OneNote file may have their data encrypted or their personal information stolen. The former requires a ransom payment while the latter can cause account hacks and financial fraud.

Both businesses and private individuals should be aware of this threat and can protect against it by following basic security measures.