A recent phishing campaign has been found abusing Microsoft OneNote, the digital notebook program that auto-saves and synchronises notes, to slip past email detection controls and deliver malware to targets' systems.
The campaign used OneNote pages to experiment with a series of lures that either linked to webpages designed to harvest credentials, delivered the Agent Tesla keylogger to steal them from the infected system, or combined both approaches. The attack began with emails to intended victims containing a link to a OneNote document.
Cofense, a US-based phishing defence company, has published a full breakdown of the technique compiled by its research team. In its analysis, Cofense commented:
“Thanks to the ease of use and accessibility of OneNote, the threat actor was able to update a ‘phishing notebook’ multiple times a day, experiment with various intrusion methods, and improve the odds to successfully evade email security controls. Numerous Agent Tesla Keylogger payloads as well as links to different credential phishing websites were included in the campaign.”
The initial email posed as an order invoice sent by a company's marketing manager. The body contained a small hyperlink to the supposed invoice which, when clicked, took the recipient to a OneNote document. Over a two-week period the researchers observed the attackers altering the OneNote page's layout, cycling through four separate templates that served distinct malware samples as well as a phishing portal for stealing credentials.
OneNote's ability to let users quickly create and edit templates can be exploited by threat actors to tailor lures to different targets, making it a convenient addition to their toolkit. Hosting lures in OneNote also benefits cybercriminals because the links point at a trusted Microsoft service: the campaign was reported to pass through traditional defences, including FireEye and Microsoft Exchange Online Protection enterprise gateways. Researchers said:
“Based on the inherent risk posed by trusted sources, traditional protections trained against OneNote and similar services may prove ineffective.
“If not properly addressed, this could pave the way to a prolific infection vector for malware.”
Along with OneNote documents hosted on OneDrive, threat actors have been seen using a wide range of cloud-based hosting services for credential-harvesting schemes, with lure documents hosted on Microsoft SharePoint, Microsoft Sway, Google Docs and Zoho Docs. Because these hosts present legitimate vendor certificates and serve plenty of genuine business traffic, a gateway cannot simply block them; the practical control is to single out inbound mail from external senders that links into such services for closer inspection or detonation.
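The triage logic described above, as an added example that is not code from Cofense or from WM Reply: it parses a raw email, decides whether the sender is external to the organisation, extracts every link from the text and HTML parts, and flags links whose host is one of the document-hosting services named in this article. The host list, the `corp.example` internal domain, the lure keywords and the three sample messages are all assumptions constructed for illustration, not indicators from the campaign.

```python
"""Triage inbound mail for links into trusted document-hosting services.

Added example; not code from Cofense or WM Reply. Host list, internal
domain and sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Iterator, Optional
from urllib.parse import urlparse

# Assumption: generic service domains where a shared notebook or document is
# served under the vendor's own certificate. These are not campaign IOCs.
DOC_HOSTS = (
    "onenote.com", "onedrive.live.com", "1drv.ms", "sharepoint.com",
    "sway.office.com", "docs.google.com", "docs.zoho.com",
)
URL_RE = re.compile(r"""https?://[^\s"'<>()]+""", re.IGNORECASE)
# Assumption: subject words typical of the invoice-themed lure in the article.
LURE_RE = re.compile(r"\b(invoice|order|payment|remittance)\b", re.IGNORECASE)


def is_doc_host(hostname: Optional[str]) -> bool:
    """True if hostname equals, or is a subdomain of, an entry in DOC_HOSTS."""
    if not hostname:
        return False
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in DOC_HOSTS)


def iter_bodies(msg: Message) -> Iterator[str]:
    """Yield decoded text/plain and text/html parts; walk() covers both
    single-part and multipart messages."""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def triage(raw: str, internal_domain: str) -> dict:
    """Return sender domain, whether it is external, the document-host links
    found in the body, and a verdict for downstream sandboxing."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    external = sender != internal_domain.lower()
    links = [u for body in iter_bodies(msg) for u in URL_RE.findall(body)]
    doc_links = [u for u in links if is_doc_host(urlparse(u).hostname)]
    lure_subject = bool(LURE_RE.search(msg.get("Subject", "")))
    # Policy: external sender plus a link into a document host is worth
    # detonating; an invoice-themed subject raises the priority. Internal
    # sharing of the same hosts is normal business and is left alone here.
    if external and doc_links:
        verdict = "high" if lure_subject else "medium"
    else:
        verdict = "none"
    return {"sender_domain": sender, "external": external,
            "doc_links": doc_links, "verdict": verdict}


# Constructed sample messages (not real campaign mail).
INVOICE_LURE = """\
From: Marketing Manager <manager@vendor-example.net>
To: ap@corp.example
Subject: Order invoice 4471
Content-Type: text/html; charset=utf-8

<p>Please review the <a href="https://onedrive.live.com/view.aspx?resid=EXAMPLE">order invoice</a>.</p>
"""

INTERNAL_SHARE = """\
From: Alice <alice@corp.example>
To: bob@corp.example
Subject: Q3 budget notebook

Draft is here: https://corp.sharepoint.com/sites/finance/Q3.one
"""

EXTERNAL_PLAIN = """\
From: Newsletter <news@vendor-example.net>
To: bob@corp.example
Subject: Monthly update

Read more at https://www.vendor-example.net/news
"""

if __name__ == "__main__":
    for name, sample in (("lure", INVOICE_LURE), ("internal", INTERNAL_SHARE),
                         ("plain", EXTERNAL_PLAIN)):
        print(name, triage(sample, "corp.example"))
```

The verdict feeds a sandbox or analyst queue rather than a block rule: outright blocking OneDrive, SharePoint or Google Docs links would break legitimate collaboration, which is precisely why these hosts are attractive to the attacker. The suffix check in `is_doc_host` also refuses look-alikes such as `sharepoint.com.evil.example`, since only the true parent domain or its subdomains match.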
Every enterprise is strongly advised to keep employees informed about the phishing campaigns currently in use, since a lure that links to a legitimately hosted document will not be stopped by patching alone. Keeping systems updated and running current, supported versions of Microsoft software remains essential to keeping your business safe. As experts in Microsoft products such as SharePoint and Office 365, WM Reply can help your company build safe and secure solutions to its business problems. For more details, contact our specialist team today.