Emotet and Other Malware Shifting Tactics to OneNote Files

Emotet, a notorious and dangerous malware strain, has re-emerged after a period of dormancy. Its new iteration exhibits enhanced capabilities, notably evading macro security features and employing a method of delivery made popular by the malware QakBot, as previously reported by Nuspire. Here’s what you need to know.

What is the situation?

After Microsoft disabled VBA macros by default, threat actors have shifted toward the use of OneNote (.one) email attachments to bypass restrictions and filtering.

Multiple malware families such as AsyncRAT, IcedID, RedLine Stealer and XWorm have now also piggy-backed on this tactic, shifting their phishing attacks to OneNote files.

The phishing email will provide an assortment of lures from invoices, tax, legal documents and more. Ultimately, they encourage the potential victim to open the .one file, where they will be presented with a banner that says, “This document is protected. Double click to view.” Under that banner, where the user is instructed to double-click, is an embedded malicious script file that will execute when interacted with.

Attackers are using this tactic to compromise computer systems targeting businesses and individuals worldwide.

What is Nuspire doing?

Nuspire has detections in place and actively threat hunts client environments for indications of compromise regarding suspicious OneNote executions.

What should I do?

Organizations should still be wary of malicious Microsoft Word and Excel files, but the tactics are shifting heavily toward OneNote in the current threat landscape. The Cybersecurity and Infrastructure Security Agency (CISA) states that 90% of all cyberattacks begin with phishing, making this one of the top threats to consider.

  • If your organization does not regularly use OneNote within your environment, consider blocking .one files within your email firewall to prevent delivery to users.
  • Provide ongoing cybersecurity awareness training to your employees with a focus on recognizing phishing emails, avoiding suspicious attachments and reporting unusual activity. Ensure your users understand to be extremely cautious around OneNote files.
  • Implement a robust endpoint detection solution with heuristics and behavioral detections.

Have you registered for our next event?