
Malicious OneNote

Anatomy of a Malicious Email Attachment

With Microsoft’s recent changes to macro handling in the Office and M365 suites, threat actors have changed their TTPs to use the OneNote (.one) file type for malicious code delivery.

TL;DR: (.one) files are a binary blob capable of embedding any file type. Threat actors are exploiting the ubiquity of OneNote to execute malicious code on endpoints. Block (.one) files from incoming email and change the default application associations of commonly abused file extensions.

The Problem

Microsoft recently modified the way legacy Office applications and M365 applications handle macros within documents. With the restrictions on macros tightening, threat actors have been forced to find new techniques to deliver malicious code to the endpoint.

The Attacker's Solution

Microsoft’s OneNote application offers an attacker two great benefits: it is present anywhere M365 is used, and it saves files as binary blobs with no restriction on what they may contain.
By targeting OneNote, threat actors have found a widespread and permissive delivery technique.

The Defender's Solution

Microsoft and other email providers offer the ability to block incoming file types. Unfortunately, most of these blocks are based on the file's named extension, not on the file's header. A secondary control is to update the Windows file associations for commonly abused script types to an innocuous application, e.g. associating .vbs, .bat, .js, .ps1 and others with notepad.exe. This prevents execution on click.

The Anatomy of the Attack

  1. Attackers create a malicious .vbs script* and insert it into a OneNote notebook. They then insert a picture over it to hide the file, commonly a mock dialog box reading “Click to allow editing”. Because of the way OneNote renders the page, clicking the image activates the malicious file hidden beneath it.
  2. With advances in commodity phishing kits and the growth of Initial Access Broker markets, emails may come from legitimate, trusted contacts who are unaware that their email has been compromised. Additionally, emails from advanced phishing kits may pass DKIM, DMARC, and SPF checks using fully authenticated and secured but misspelled domains. E.g., threat actors may send email from bob@p| with full SPF/DKIM records though the legitimate domain is
  3. This is the first opportunity for defenders to block the attack. Besides ensuring that email is assessed for SPF/DKIM/DMARC failures, defenders may choose to block incoming attachment types. Microsoft provides good guidance for doing this within the Exchange Online Protection product. Commonly abused extensions include .zip, .iso, and .one, as well as common script extensions.
  4. The user receives the malicious file and downloads it. Once opened, the file is displayed by OneNote exactly as the attacker intended: the malicious script is hidden behind whichever image the attacker chose.
  5. Although only an administrative control, continuous training exercises help users build and practice the skill of identifying malicious attachments.
  6. OneNote will show a warning before opening the file. However, users are inundated with such warnings, especially within the M365 suite, where Protected View often requires the user to select Enable Editing before interacting with a document.

Opening attachments could harm your computer and data.

  7. To mitigate execution of the malicious script by a script host, commonly abused extension associations may be updated to innocuous applications, e.g. associating all common script types with notepad.exe. Home users can do this via the Windows 10 Settings app, while enterprise users can configure the setting via GPO or MDM (formerly Intune).
* Any common script type may be utilized in Step 1. 

Advanced Mitigations

User Behavior Analytics

With products that track user behavior and assess parent-child process relationships, a rule could be built to prevent the execution of common script types whenever the parent process is the OneNote.exe executable.

Hex or Binary Attachment Assessment

While Windows decides how to treat a file based on its filename extension, some threat actors have been observed instructing victims to rename a file before executing it. This is a common workaround, used by threat actors and users alike, to circumvent email attachment controls. A proper IDS or email filtering application should be able to identify a (.one) file by its file header, e452 5c7b 8cd8 a74d aeb1 5378 d029 96d3, regardless of the extension.

[Screenshot: a terminal with the xxd command run on a malicious VBS file and on a .one file; fragments of the VBS script's hex are clearly identified by grepping the .one file.]
Alternatively, since the .one file is a binary blob, remnants of uncompressed embedded files are accessible as well. In the screenshot, the bytes 4372 6561 (ASCII "Crea", the beginning of CreateObject) are visible in the .one file at offset 0x4700. A properly defined rule should be able to identify these and other strings within mail attachments.
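As an added example that is not part of the original post, the following Python checker applies both ideas from this section: it recognises a .one file by the header bytes quoted above rather than by filename, then greps the blob for script strings such as CreateObject and reports their offsets. The indicator list and the sample bytes are constructed for the demonstration.

```python
import re

# OneNote (.one) file header as given in the post: e452 5c7b 8cd8 a74d aeb1 5378 d029 96d3
ONE_MAGIC = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")

# Strings typical of embedded VBScript/JScript droppers. Illustrative list, not from the post.
SUSPICIOUS = [b"CreateObject", b"WScript.Shell", b"Shell.Application", b"powershell"]


def is_onenote(data: bytes) -> bool:
    """Identify a OneNote section by its header, ignoring the filename entirely."""
    return data[:len(ONE_MAGIC)] == ONE_MAGIC


def find_strings(data: bytes, needles=SUSPICIOUS):
    """Return (string, offset) pairs for each case-insensitive hit, sorted by offset."""
    hits = []
    for needle in needles:
        for m in re.finditer(re.escape(needle), data, flags=re.IGNORECASE):
            hits.append((needle.decode(), m.start()))
    return sorted(hits, key=lambda h: h[1])


def assess(filename: str, data: bytes) -> dict:
    """Classify an attachment the way a header-aware mail filter would."""
    onenote = is_onenote(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    reasons = []
    hits = []
    if onenote:
        reasons.append("onenote header")  # the post recommends blocking .one outright
        if ext != "one":
            reasons.append(f"renamed: extension .{ext}")  # extension-based blocks miss this
        hits = find_strings(data)
        reasons.extend(f"{s} at 0x{off:x}" for s, off in hits)
    return {"is_onenote": onenote, "indicators": hits,
            "verdict": "block" if onenote else "pass", "reasons": reasons}


# Constructed sample: header, zero padding up to offset 0x40, then a VBScript fragment.
SAMPLE = (ONE_MAGIC + b"\x00" * (0x40 - len(ONE_MAGIC))
          + b'Set o = CreateObject("WScript.Shell")\r\n' + b"\x00" * 16)

if __name__ == "__main__":
    print(assess("invoice.txt", SAMPLE))
```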


While threat actors are always seeking new ways to exploit the user, a simple and straightforward approach to Windows defaults, email attachment protections, and user education can help defeat this attack.
