Hackers are using Microsoft OneNote Files to Steal your Data — How to Stay Safe

Threat actors are always looking for ways to get malware into systems, and they often seem to have endless ingenuity. In this case, attackers were caught trying to spread malware via phishing emails with Microsoft OneNote attachments.

It has been known for years that attackers have been using Microsoft Office files, especially Word and Excel attachments, to spread malware. Last July, Microsoft finally took some action by disabling macros in Office documents by default, making them an unreliable way to infect unsuspecting recipients.

Despite this, attackers switched to using ISO images and ZIP files, exploiting bugs in Windows and 7-Zip. Now that these security holes have been fixed, it appears that OneNote attachments are becoming the weapon of choice.

According to Bleeping Computer, various phishing emails pose as shipping notices, invoices, mechanical drawings, and other such innocuous files. However, OneNote does not support macros, so attackers had to devise another way to deliver the files that install the malware.

They do this by abusing OneNote's ability to let users add attachments to their notebooks. The attached OneNote files appear blurry and have a large button that says "Double Click to View File." However, double-clicking this button executes the file attachment, which is a malicious Visual Basic Script (VBS) file. This VBS can download malware from a remote site and install it on your machine.

OneNote warns about the dangers of opening files from unknown sources, but the warning's effectiveness depends on the user actually paying attention. Also, the VBS file, once activated, downloads and displays a decoy OneNote document, so the user is none the wiser about what just happened.

Bleeping Computer discovered that this file installs a remote access Trojan that allows attackers to access your device and steal all sorts of things: files, stored passwords, crypto wallets, webcam footage, and more.

The best way to protect yourself from this type of attack is to not open files from people you don't actually know, especially OneNote files. On top of that, if you do open an unknown file, you need to heed the warnings that pop up for your own safety.
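
For administrators who want to check a suspicious `.one` attachment without opening it in OneNote, the following added example (not from the original article or from Bleeping Computer) lists the files embedded in a notebook and flags the ones that look like scripts or executables. It relies on the FileDataStoreObject header GUID from Microsoft's published MS-ONESTORE file format specification; the script-token list and the sample bytes are constructed assumptions.

```python
import struct
import uuid

# FileDataStoreObject header GUID (MS-ONESTORE), in on-disk little-endian order.
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
PREFIX_LEN = 16 + 8 + 4 + 8  # guidHeader, cbLength, unused, reserved

# Assumed heuristic: tokens that commonly appear in Windows script files.
SCRIPT_TOKENS = (b"createobject", b"wscript.", b"<script", b"powershell")

def classify(blob):
    """Rough content-based label for one embedded object."""
    if blob[:2] == b"MZ":
        return "executable"
    if blob[:8] == b"\x89PNG\r\n\x1a\n":
        return "image"
    # Scripts may be stored as UTF-16, so drop NUL bytes before matching.
    text = blob[:4096].replace(b"\x00", b"").lower()
    return "script" if any(t in text for t in SCRIPT_TOKENS) else "other"

def embedded_objects(data):
    """Return [(offset, size, label)] for each embedded file found in data."""
    found, pos = [], data.find(FDSO_HEADER)
    while pos != -1:
        start = pos + PREFIX_LEN
        if start > len(data):
            break  # header cut off at end of file
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size <= len(data) - start:
            found.append((pos, size, classify(data[start:start + size])))
            pos = data.find(FDSO_HEADER, start + size)
        else:
            pos = data.find(FDSO_HEADER, pos + 16)  # bogus length: keep scanning
    return found

def build_sample():
    """Constructed test input: two embedded objects, not a real notebook."""
    def wrap(payload):
        return FDSO_HEADER + struct.pack("<QI8x", len(payload), 0) + payload
    vbs = 'Set sh = CreateObject("WScript.Shell")\r\n'.encode("utf-16-le")
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    return b"\x00" * 32 + wrap(png) + b"\x00" * 8 + wrap(vbs)

if __name__ == "__main__":
    for offset, size, label in embedded_objects(build_sample()):
        print(f"offset={offset} size={size} type={label}")
```

A "script" or "executable" result is a reason to quarantine the attachment for closer analysis; an "other" result does not prove the file is safe.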
