Security News > 2020 > March > Microsoft OneNote Used To Sidestep Phishing Detection
A phishing campaign was recently discovered leveraging OneNote, Microsoft's digital notebook that automatically saves and syncs notes, to bypass detection tools and download malware onto victims' systems.
The attacker was utilizing OneNote as a way to easily experiment with various lures that either delivered the credential-stealing Agent Tesla keylogger or linked to a phishing page - or both.
Over the span of two weeks, researchers said that threat actors swapped out the layout of this OneNote page, cycling between four different templates to deliver a credential phishing portal and unique malware samples.
The use of OneNote also allowed threat actors to slip their phishing attack against traditional defenses set up in environments protected by Microsoft Exchange Online Protection and FireEye enterprise gateways.
Beyond OneNote being hosted on OneDrive, cybercriminals can - and have been found to - leverage a wide array of trusted cloud hosting sources for credential phishing, including documents hosted on Microsoft Sway, Microsoft SharePoint, Google Docs or even Zoho Docs.
News URL
https://threatpost.com/microsoft-onenote-sidestep-phishing-detection/153436/
Related news
- Microsoft Sway abused in massive QR code phishing campaign (source)
- New QR Code Phishing Campaign Exploits Microsoft Sway to Steal Credentials (source)
- Threat Actors Exploit Microsoft Sway to Host QR Code Phishing Campaigns (source)
- DOJ, Microsoft seize 107 domains used in Russia's Star Blizzard phishing attacks (source)