Original Release Date: 1/26/2023
The NJCCIC observed an uptick in OneNote phishing emails consistent with open-source reporting. Historically, threat actors used malware-laden Microsoft Word or Excel attachments; however, this distribution method has become far less effective since Microsoft disabled macros by default. Threat actors are now using Microsoft OneNote attachments in phishing emails to infect victims with various forms of malware and may attempt to steal credentials, funds, and PII. OneNote allows users to insert attachments into a Notebook that will launch the attachment when double-clicked, bypassing security tools. In one example, multiple OneNote phishing emails prompted the recipient to view the attached PDF file by clicking on the “REVIEW FULL DOCUMENT” text, which is hyperlinked to a fraudulent Microsoft Outlook login page in an attempt to steal the user’s credentials.
The NJCCIC recommends users and organizations educate themselves and others on these continuing threats and tactics to reduce victimization. Users are advised to refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders, and to exercise caution with communications from known senders. If unsure of a message's legitimacy, contact the sender via a separate means of communication, such as by phone, before taking any action. Additionally, phishing emails and other malicious cyber activity can be reported to the NJCCIC. Further details can be found in the BleepingComputer article.
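For mail-gateway or analyst triage of the OneNote attachments described above, the following added example (not part of the NJCCIC advisory) lists the files embedded in a `.one` attachment and flags those that are not plain images. The GUIDs and the 36-byte object header layout come from Microsoft's MS-ONESTORE format specification rather than from this page; the function names are hypothetical and the sample bytes are constructed.

```python
import struct
import uuid

# GUIDs from the MS-ONESTORE file format, in on-disk (little-endian) byte order
ONE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le  # .one file header
FILE_DATA = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le  # FileDataStoreObject

# Leading bytes -> content label; images are routine inside notebooks
MAGIC = [
    (b"\x89PNG", "image"), (b"\xff\xd8\xff", "image"), (b"GIF8", "image"),
    (b"MZ", "Windows executable"),
    (b"L\x00\x00\x00\x01\x14\x02\x00", "Windows shortcut (LNK)"),
    (b"\xd0\xcf\x11\xe0", "OLE2 document"),
    (b"PK\x03\x04", "ZIP/OOXML archive"),
    (b"%PDF", "PDF"),
]

def classify(payload):
    for magic, label in MAGIC:
        if payload.startswith(magic):
            return label
    return "script or unknown"  # HTA/VBS/BAT/WSF files carry no magic bytes

def embedded_objects(data):
    """Return (offset, size, label) for every embedded file object."""
    if not data.startswith(ONE_MAGIC):
        raise ValueError("not a OneNote .one file")
    found, pos = [], data.find(FILE_DATA)
    while pos != -1 and pos + 36 <= len(data):
        # header GUID (16) | cbLength (8) | unused (4) | reserved (8) | FileData
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        payload = data[pos + 36 : pos + 36 + size]  # slicing clamps an oversized length
        found.append((pos, len(payload), classify(payload)))
        pos = data.find(FILE_DATA, pos + 16)  # do not trust cbLength to skip ahead
    return found

def triage(data):
    """Embedded objects that are not plain images and deserve analyst review."""
    return [obj for obj in embedded_objects(data) if obj[2] != "image"]

def sample_object(payload):  # constructed test object, not a complete notebook structure
    return FILE_DATA + struct.pack("<QIQ", len(payload), 0, 0) + payload

# Constructed sample: one embedded image and one embedded executable stub
SAMPLE = (ONE_MAGIC + b"\x00" * 64
          + sample_object(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
          + sample_object(b"MZ\x90\x00" + b"\x00" * 60))

if __name__ == "__main__":
    for offset, size, label in triage(SAMPLE):
        print(f"offset {offset:#x}: {size} bytes, {label}")
```

A notebook with no flagged objects can still carry a phishing hyperlink like the "REVIEW FULL DOCUMENT" lure described above, so this check complements URL inspection and does not replace it.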