Threat actors are increasingly using OneNote attachments in phishing emails to infect users with remote access malware that can be used to install other software, steal passwords or even cryptocurrency wallets.
For years, attackers have distributed malware in emails through malicious Word and Excel attachments that trigger macros to download and install malware.
In July, however, this approach to spreading malware was rendered unreliable when Microsoft finally disabled macros by default in Office documents downloaded from the internet.
Malware using Microsoft OneNote

Soon after, threat actors started using new file formats, including ISO images and password-protected ZIP files. These file formats quickly gained popularity, assisted by a Windows issue that allowed ISOs to circumvent security warnings and the popular 7-Zip archive utility’s failure to propagate mark-of-the-web flags to files extracted from ZIP archives.

Both 7-Zip and Windows have since fixed these flaws, so Windows now displays prominent security warnings when a user tries to open files extracted from downloaded ISO images or ZIP archives.


Threat actors, undeterred, soon adopted a new file type in their malicious email (malspam) attachments: Microsoft OneNote attachments.
Microsoft OneNote is a free desktop digital notebook program that comes with Microsoft Office 2019 and Microsoft 365.


Because Microsoft OneNote is installed by default with Microsoft Office and Microsoft 365, the .one file format can be opened on a Windows machine even if the user never uses the program.

Since mid-December, cyber security experts have warned that threat actors have been circulating dangerous spam emails with OneNote attachments.

According to BleepingComputer samples, these malspam emails masquerade as DHL delivery alerts, invoices, ACH remittance forms, mechanical drawings, and shipping documentation.

Unlike Word and Excel, OneNote does not allow macros, which threat actors previously used to execute scripts that installed malware.

Instead, OneNote lets users embed files as attachments in a notebook; double-clicking an embedded attachment launches it.

Threat actors are exploiting this functionality by adding malicious VBS attachments that, when double-clicked, activate the script and download and install malware from a remote site.

However, because an embedded attachment appears in OneNote as only a small file icon, the threat actors place a large ‘Double click to see file’ bar over the embedded VBS attachment to disguise it.

Fortunately, when you launch an attachment from OneNote, the program warns you that doing so may harm your computer and data.

Unfortunately, experience has shown that these sorts of notifications are often disregarded, with users just clicking the OK button.

When you click the OK button, the VBS script starts downloading and installing malware. In one of the malicious OneNote VBS scripts discovered by BleepingComputer, the script downloads and executes two files from a remote site.

The first is a decoy OneNote document that opens and looks like the document you expected. In the background, however, the VBS code also runs a malicious batch file that installs malware on the device.
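A defender triaging such an attachment does not need to double-click anything: the embedded files can be carved straight out of the .one file. The following script is an added example for this article, not code from Rhyno, Microsoft or BleepingComputer. It relies on the FileDataStoreObject layout from Microsoft's [MS-ONESTORE] specification (a header GUID, an 8-byte length, 4 unused bytes, 8 reserved bytes, the file data, then a footer GUID), carves every embedded file from a notebook and flags script-like content such as a WScript.Shell object or a remote URL. The sample notebook bytes, the VBS text and the decoy document are all constructed for the example; no real malware is included.

```python
"""Carve embedded attachments out of a OneNote (.one) file and flag
script payloads. Added example; not the article's or any vendor's code.
Layout of FileDataStoreObject taken from [MS-ONESTORE] 2.6.13:
guidHeader | cbLength (8) | unused (4) | reserved (8) | FileData | guidFooter
"""
import re
import struct
import uuid
from typing import Dict, List

# GUIDs from [MS-ONESTORE] 2.6.13; bytes_le gives the on-disk byte order.
HEADER_GUID = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FOOTER_GUID = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le

# Indicators a defender would want to see in an embedded attachment.
SCRIPT_PATTERNS = [
    (re.compile(rb"(?i)WScript\.Shell"), "VBScript shell object"),
    (re.compile(rb"(?i)\bpowershell(\.exe)?\b"), "PowerShell invocation"),
    (re.compile(rb"(?i)@echo off"), "batch script"),
    (re.compile(rb"(?i)https?://"), "remote URL"),
]


def carve_embedded_files(data: bytes) -> List[bytes]:
    """Return the FileData of every FileDataStoreObject found in data."""
    found = []
    pos = data.find(HEADER_GUID)
    while pos != -1:
        hdr_end = pos + len(HEADER_GUID)
        if hdr_end + 20 > len(data):
            break  # truncated object, nothing more to carve
        (length,) = struct.unpack_from("<Q", data, hdr_end)
        start = hdr_end + 20  # skip cbLength(8) + unused(4) + reserved(8)
        end = start + length
        if end <= len(data):
            found.append(data[start:end])
        pos = data.find(HEADER_GUID, hdr_end)
    return found


def classify(payload: bytes) -> Dict[str, object]:
    """Identify the payload type by magic bytes and list script indicators."""
    kind = "unknown"
    if payload[:2] == b"MZ":
        kind = "PE executable"
    elif payload[:4] == b"%PDF":
        kind = "PDF"
    elif payload[:2] == b"PK":
        kind = "ZIP/Office container"
    else:
        try:
            text = payload.decode("ascii")
            if all(c.isprintable() or c in "\r\n\t" for c in text):
                kind = "text/script"
        except UnicodeDecodeError:
            pass
    indicators = [label for pat, label in SCRIPT_PATTERNS if pat.search(payload)]
    return {"kind": kind, "size": len(payload), "indicators": indicators}


def scan_onenote(data: bytes) -> List[Dict[str, object]]:
    """Carve and classify every embedded file in a .one byte string."""
    return [classify(p) for p in carve_embedded_files(data)]


def is_suspicious(reports: List[Dict[str, object]]) -> bool:
    """True if any embedded file is an executable or carries script indicators."""
    return any(r["indicators"] or r["kind"] == "PE executable" for r in reports)


# ---- constructed sample input (not a real notebook) ----------------------
def build_file_data_store_object(file_data: bytes) -> bytes:
    """Wrap file_data in the FileDataStoreObject framing for the sample."""
    return (HEADER_GUID + struct.pack("<Q", len(file_data))
            + b"\x00" * 4 + b"\x00" * 8 + file_data + FOOTER_GUID)


CONSTRUCTED_VBS = (
    b"' constructed placeholder script; it runs nothing real\r\n"
    b'Set sh = CreateObject("WScript.Shell")\r\n'
    b'url = "http://example.invalid/placeholder"\r\n'
)
CONSTRUCTED_DECOY = b"%PDF-1.4\n% constructed decoy document\n"
SAMPLE_NOTEBOOK = (
    b"CONSTRUCTED-FILLER" * 4
    + build_file_data_store_object(CONSTRUCTED_VBS)
    + b"CONSTRUCTED-FILLER" * 2
    + build_file_data_store_object(CONSTRUCTED_DECOY)
)

if __name__ == "__main__":
    for i, report in enumerate(scan_onenote(SAMPLE_NOTEBOOK)):
        print(f"embedded file {i}: {report}")
    print("suspicious:", is_suspicious(scan_onenote(SAMPLE_NOTEBOOK)))
```

Run against a real attachment with `scan_onenote(open("sample.one", "rb").read())`. The script never launches anything; it only reads bytes, so it is safe to run on quarantined mail attachments, and the indicator list can be extended with whatever your mail gateway or sandbox already keys on.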


Defending against these dangers

Once installed, this type of malware allows threat actors to remotely access a victim’s computer to steal data, saved browser passwords, screenshots and, in some cases, video via webcams.
Threat actors are also widely using remote access Trojans to steal cryptocurrency wallets from victims’ devices, making this a costly infection.
The easiest approach to avoid malicious attachments is to avoid opening files from people you do not know. However, if you do accidentally open a file, do not ignore any warnings that the operating system or program may display.
If you receive a warning that opening an attachment or clicking a link could damage your computer or data, simply do not click OK and close the program.
If you believe it is a valid email, forward it to a security or Windows administrator who can assist you in determining if the file is secure.




About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.
