Cybersecurity researchers note that it's unusual for OneNote documents to be abused in this way and there's one simple reason why attackers are experimenting with them -- because they can more easily bypass threat detection than other attachments. And it appears to be working.
"Based on data in open-source malware repositories, initially observed attachments were not detected as malicious by multiple anti-virus engines, thus it is likely initial campaigns had a high efficacy rate if the email was not blocked," Proofpoint told ZDNET.
"Since Microsoft began blocking macros by default in 2022, threat actors have experimented with many new tactics, techniques, and procedures (TTPs), including use of previously infrequently observed filetypes such as virtual hard disk (VHD), compiled HTML (CHM), and now OneNote (.one)."
The phishing emails, first sent during December 2022, with the number rising significantly in January 2023, are attempting to deliver one of several different malware payloads, including AsyncRAT, Redline, AgentTesla, and Doubleback, all of which are designed to steal sensitive information from victims, including usernames and passwords.
Proofpoint researchers also note that a cyber-criminal group they track as TA577 has started to leverage OneNote in campaigns to deliver Qbot. Rather than stealing information to use themselves, TA577 acts as an initial access broker, selling stolen usernames and passwords on to other cyber criminals, including ransomware gangs.
Over 60 of these campaigns have been detected so far, and they all share similar characteristics: the emails and file attachments are built around themes such as invoices, remittances, and shipping, as well as seasonal lures such as information on a Christmas bonus, among others.
For example, a phishing message sent out to targets in the manufacturing and industrial sectors included attachment names related to machine parts and specifications, indicating a high level of research was put into crafting the lure.
Other OneNote campaigns are slightly more generic and sent out to thousands of potential victims at once. One of these campaigns targeted the education sector with false invoices, while another was more widely spread, claiming to offer a Christmas gift or bonus to thousands of potential victims.
In each case, the phishing attack relies on the victim opening the email, opening the OneNote attachment, and clicking on malicious links. While OneNote does offer a warning message about suspicious links, users who've been sent a specifically crafted email to appeal directly to them -- or think they might be getting a bonus -- could attempt to bypass this warning.
Researchers warn that it's likely these campaigns have a high rate of success if the emails aren't blocked -- and that more cyber-threat groups are likely to adopt this technique to successfully deliver phishing and malware campaigns.
"Proofpoint has increasingly observed OneNote attachments being used to deliver malware. Based on our research, we believe multiple threat actors are using OneNote attachments in an attempt to bypass threat detections," said researchers, who warn that this is "concerning" because, as demonstrated by TA577, this tactic can become an initial entry point for distributing ransomware, which could cripple a whole organization and network.
However, while phishing attacks are an effective tool for cyber criminals, falling victim is not inevitable. Proofpoint suggests that organizations employ a robust spam filter that prevents these messages from reaching people's inboxes, educate end users about this technique, and encourage users to report suspicious emails and attachments.
"This is a phishing technique that convinces a victim to open a document with an embedded malicious attachment and then bypass a security prompt to run the attachment. We encourage customers to practice good computing habits online, including exercising caution when clicking on links to webpages or opening unknown files," a Microsoft spokesperson told ZDNET.
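The technique Microsoft describes above hinges on a file embedded inside the OneNote document, and Proofpoint's first recommendation is to stop the message before it reaches an inbox. The following is an added example, not code from the article, Proofpoint or Microsoft, of what a mail-gateway check for this could look like. It locates embedded attachments by walking a .one file for the FileDataStoreObject structure that OneNote uses to store them (16-byte header GUID, 8-byte little-endian length, 4 unused bytes, 8 reserved bytes, the file data, then a 16-byte footer GUID, as documented in Microsoft's [MS-ONE] file format specification), then sniffs the leading bytes of each embedded file to decide whether the attachment should be held. The content-sniffing rules and the "block" policy are this example's own assumptions, and the OneNote file it scans is constructed inline rather than taken from any real campaign.

```python
"""Gateway-side scan of a OneNote (.one) file for embedded file payloads.

Added example, not the article's or any vendor's code. Structure offsets follow
the [MS-ONE] FileDataStoreObject layout; the risk heuristics are an assumption.
"""
import struct
from dataclasses import dataclass

# GUIDs from the [MS-ONE] specification, written as the bytes appear on disk.
ONE_FILE_SIGNATURE = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")  # {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}
FDSO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")         # {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FDSO_FOOTER = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")         # {71FBA722-0F79-4A0B-BB13-899256426B24}
FDSO_PREAMBLE = len(FDSO_HEADER) + 8 + 4 + 8  # header GUID + cbLength + unused + reserved = 36 bytes

# Assumed policy: anything that can execute when double-clicked is held for review.
HIGH_RISK = {"pe-executable", "hta-or-html", "script"}


def sniff(data: bytes) -> str:
    """Guess the type of an embedded file from its leading bytes (assumed heuristics)."""
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:4] == b"%PDF":
        return "pdf"
    if data[:2] == b"\xff\xd8" or data[:8] == b"\x89PNG\r\n\x1a\n":
        return "image"
    head = data[:64].lstrip().lower()
    if head.startswith((b"<html", b"<script")) or b"<hta:application" in head:
        return "hta-or-html"
    text = data[:256].decode("ascii", errors="ignore").lower()
    if any(k in text for k in ("wscript", "createobject(", "powershell", "cmd /c", "@echo off")):
        return "script"
    return "unknown"


@dataclass
class EmbeddedFile:
    offset: int      # where the file data starts inside the .one blob
    size: int        # cbLength as declared by the container
    kind: str        # sniff() result
    footer_ok: bool  # False if the declared length does not land on the footer GUID


def extract_embedded_files(blob: bytes) -> list[EmbeddedFile]:
    """Return every FileDataStoreObject found in the blob, tolerating corrupt lengths."""
    found = []
    pos = blob.find(FDSO_HEADER)
    while pos != -1:
        length_off = pos + len(FDSO_HEADER)
        if length_off + 8 > len(blob):
            break  # truncated container; nothing more to read
        (size,) = struct.unpack_from("<Q", blob, length_off)
        data_off = pos + FDSO_PREAMBLE
        data = blob[data_off:data_off + size]  # slicing clamps an oversized length
        footer = blob[data_off + size:data_off + size + len(FDSO_FOOTER)]
        found.append(EmbeddedFile(data_off, size, sniff(data), footer == FDSO_FOOTER))
        pos = blob.find(FDSO_HEADER, pos + 1)  # always advances, even on bad lengths
    return found


def verdict(blob: bytes) -> dict:
    """Summarise what a filter would act on: is it OneNote, what is inside, should it be held."""
    files = extract_embedded_files(blob)
    risky = [f for f in files if f.kind in HIGH_RISK or not f.footer_ok]
    return {
        "is_onenote": blob.startswith(ONE_FILE_SIGNATURE),
        "embedded": len(files),
        "high_risk": len(risky),
        "block": bool(risky),
    }


# --- constructed sample input (not a real campaign file) ---------------------
def build_fdso(data: bytes) -> bytes:
    """Wrap data in a FileDataStoreObject exactly as the scanner expects to find it."""
    return FDSO_HEADER + struct.pack("<Q", len(data)) + b"\x00" * 4 + b"\x00" * 8 + data + FDSO_FOOTER


HARMLESS_BATCH = b"@echo off\r\necho hello from a constructed sample\r\n"
TINY_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_ONE = ONE_FILE_SIGNATURE + b"\x00" * 32 + build_fdso(HARMLESS_BATCH) + b"\x00" * 8 + build_fdso(TINY_PNG)

if __name__ == "__main__":
    for f in extract_embedded_files(SAMPLE_ONE):
        print(f"offset={f.offset} size={f.size} kind={f.kind} footer_ok={f.footer_ok}")
    print(verdict(SAMPLE_ONE))
```

Because the scan is a byte walk rather than a full parse of the OneNote object tree, it also works on damaged or deliberately malformed sections, and a length field that does not line up with the footer GUID is itself treated as a reason to hold the file. A production filter would pair this with the existing attachment-type rules, so that a .one file carrying a script or executable is handled the same way a bare .hta or .exe attachment already is.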