The seemingly innocuous Microsoft OneNote file has become a popular file format used by hackers to spread malware and breach corporate networks. Here’s how to block malicious OneNote phishing attachments from infecting Windows.
To give a little background on how Microsoft OneNote files became the tool of choice for malware-distributing phishing attacks, we first need to explain the file formats that came before them.
Threat actors have been abusing macros in Microsoft Word and Excel documents for years to download and install malware on Windows devices.
After Microsoft finally disabled macros by default in Word and Excel Office documents, threat actors began turning to other less commonly used file formats to distribute malware, such as ISO files and password-protected ZIP archives.
These formats were popular because a Windows bug allowed files inside ISO images to bypass Mark-of-the-Web (MoTW) security warnings, and the popular 7-Zip archive utility did not propagate MoTW flags to files extracted from ZIP archives.
However, after both 7-Zip and Windows fixed these bugs, Windows once again began displaying scary security warnings when a user attempted to open files extracted from downloaded ISO images and ZIP archives, causing threat actors to find another file format to use in attacks.