
Malware spread through Microsoft OneNote attachments allows hackers to remotely access a victim’s device, stealing passwords, taking screenshots, and recording video using a device’s webcam. 

As reported by BleepingComputer, hackers are using different phishing tactics to install and execute malware onto unsuspecting victims’ devices. Previously, threat actors would sneak malware into emails via Word or Excel attachments. However, Microsoft has put a stop to this practice by disabling macros by default, which were used to install malware. 

Now, attackers have found a new file format to exploit. Microsoft OneNote, a digital notebook application, is installed by default as part of Microsoft’s Office suite. While it does not support macros, it lets users embed attachments in a notebook, and double-clicking an embedded attachment launches it. That is where the danger lies. 

Hackers are embedding malicious attachments that download and install malware as soon as they are launched, and they lure users into double-clicking by covering the attachment with a “Double Click to View File” bar. 
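One way a mail gateway or an analyst could triage such a file, as an added example that is not from the article or from the researchers it cites: walk the .one file for embedded-file objects (located here by the FileDataStoreObject header GUID from Microsoft’s MS-ONESTORE file-format specification, which this example assumes as the marker), pull each embedded payload out, and flag anything that looks like an executable or script rather than a document. The sample blob and every payload in it are constructed, inert stand-ins.

```python
import struct

# Header GUID of every FileDataStoreObject (an embedded file) in a .one file,
# per the MS-ONESTORE spec, in on-disk (little-endian) byte order.
FILE_DATA_STORE_GUID = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
HEADER_SIZE = 36  # guidHeader(16) + cbLength(8) + unused(4) + reserved(8)

# Leading bytes that mark an executable rather than a document, and text
# markers a shipping document has no business containing (matched case-insensitively).
MAGIC_PREFIXES = {b"MZ": "Windows executable (EXE/DLL)", b"#!": "Unix script"}
TEXT_MARKERS = {
    b"<script": "HTML/HTA script block",
    b"wscript": "Windows Script Host",
    b"createobject(": "VBScript object creation",
    b"powershell": "PowerShell invocation",
}

def extract_embedded_files(data):
    """Yield (offset, payload) for each FileDataStoreObject found in the blob."""
    pos = data.find(FILE_DATA_STORE_GUID)
    while pos != -1 and pos + HEADER_SIZE <= len(data):
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + HEADER_SIZE
        yield pos, data[start:start + length]
        pos = data.find(FILE_DATA_STORE_GUID, start + length)

def classify(payload):
    """Return the reasons an embedded file looks executable (empty if none)."""
    reasons = [why for magic, why in MAGIC_PREFIXES.items() if payload.startswith(magic)]
    head = payload[:4096].lower()
    reasons += [why for marker, why in TEXT_MARKERS.items() if marker in head]
    return reasons

def scan_onenote(data):
    """Return one finding per embedded file: its offset, size and risk reasons."""
    return [{"offset": off, "size": len(p), "risky": classify(p)}
            for off, p in extract_embedded_files(data)]

def wrap_embedded_file(payload):
    """Build a minimal FileDataStoreObject around payload (constructed test data only)."""
    return FILE_DATA_STORE_GUID + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload
# Constructed sample: a fake .one blob with three embedded files. The first
# 16 bytes mimic the .one file-header GUID; all payloads are inert stand-ins.
SAMPLE_ONE = (bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")
              + wrap_embedded_file(b"%PDF-1.7\n%constructed shipping invoice\n")
              + wrap_embedded_file(b"<html><script>x=1</script></html>")
              + wrap_embedded_file(b"MZ\x90\x00" + b"\0" * 60))
if __name__ == "__main__":
    for f in scan_onenote(SAMPLE_ONE):
        print(f"embedded file at {f['offset']:#x} ({f['size']} bytes): "
              + (", ".join(f["risky"]) or "no executable markers"))
```

Run against a real OneNote attachment from quarantine, the same scan lists every embedded object so a reviewer can see what a double-click would actually launch.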

As stated in the report, the OneNote attachments install remote access Trojans, which can steal personal and financial information. Furthermore, the Trojans can steal cryptocurrency wallets from devices. 

How the OneNote malware spreads

As with many phishing methods, hackers use various communication platforms to dupe users into downloading malware. The main way this malware spreads appears to be malicious spam emails that carry the infected OneNote attachment while impersonating well-known companies.

One example includes a suspicious email from shipping company DHL, asking the user to “urgently confirm” the attached DHL shipping documents to see if the address is correct. The document attached is a OneNote file, which hides the malware.

Email example of OneNote malware

Cybersecurity researchers first saw this surge in hackers using OneNote documents in December 2022, with Trustwave noting that the “Formbook” malware, which has been sold as malware-as-a-service on an underground hacking forum since 2016, is among the payloads delivered this way. Clearly, the malware is still causing harm.

Stay away from OneNote attachments

It’s a good idea to ignore any suspicious email you receive with a OneNote attachment. These days, it’s unlikely a company will send a OneNote document for users to open, so an unexpected one is a strong sign that the email is malicious. Spam mail will often have a few irregularities, including typos, misspellings, strange-looking email addresses, and requests for you to take action or provide your personal information. Acting on such messages can lead to users unknowingly downloading malware or handing over their private data. 

The good news is that Microsoft OneNote displays a security warning before opening potentially harmful files, stating that “opening attachments could harm your computer and data.” If this warning is displayed, do not open the file, and ignore the email. You can also contact the company directly to check whether the email is genuine. 

As always, an effective way to stay safe is to use antivirus software like Bitdefender. This will scan for any malware hiding on your device and even has anti-phishing software to keep malicious messages at bay. Find out how to choose the best antivirus software for you. If you’re wondering if someone can hack your phone by texting or if a PDF can have a virus, we’ve got you covered.