Security News > 2023 > February > Post-Macro World Sees Rise in Microsoft OneNote Documents Delivering Malware

In a continuing sign that threat actors are adapting well to a post-macro world, it has emerged that the use of Microsoft OneNote documents to deliver malware via phishing attacks is on the rise.

Enterprise firm Proofpoint said it detected over 50 campaigns leveraging OneNote attachments in the month of January 2023 alone.

In some instances, the email phishing lures contain a OneNote file, which, in turn, embeds an HTA file that invokes a PowerShell script to retrieve a malicious binary from a remote server.

The infection chains are made possible owing to a OneNote feature that allows for the execution of select file types directly from within the note-taking application in what's a case of a "Payload smuggling" attack.

As remedial actions, Finnish cybersecurity firm WithSecure is recommending users block OneNote mail attachments and keep close tabs on the operations of the OneNote.

The shift to OneNote is seen as a response to Microsoft's decision to disallow macros by default in Microsoft Office applications downloaded from the internet last year, prompting threat actors to experiment with uncommon file types such as ISO, VHD, SVG, CHM, RAR, HTML, and LNK. The aim behind blocking macros is two-fold: To not only reduce the attack surface but also increase the effort required to pull off an attack, even as email continues to be the top delivery vector for malware.

News URL

https://thehackernews.com/2023/02/post-macro-world-sees-rise-in-microsoft.html