Hackers are using Microsoft OneNote files to steal your data — how to stay safe

an image of the OneNote app
(Image credit: Shutterstock)

Threat actors are always looking for ways to get malware into your system, and it often seems like they have a limitless pool of ingenuity to fall back on. This time they’ve been caught trying to spread malware via Microsoft OneNote attachments in phishing emails — specifically remote access malware.

It’s been long known that attackers have used Microsoft Office files to spread malware for many years, particularly Word and Excel attachments. Microsoft finally took some action last July, disabling Office documents’ macros by default and making it an unreliable way to infect unsuspecting recipients. 

Undeterred, attackers switched to using ISO images and ZIP files, exploiting bugs in Windows and 7-Zip. Now those security holes have also been fixed, and it seems OneNote attachments are becoming the weapon of choice.

According to Bleeping Computer (opens in new tab) the various phishing emails are pretending to be things like shipping notifications, invoices, mechanical drawings and other innocuous files. But since OneNote doesn’t support macros, attackers have had to get creative in how they get the file to install malware.

Apparently this is down to OneNote features that allows users to add attachments to a notebook. The attached OneNote file appears to be blurred out, with a large button that says “Double Click to View File." But double clicking this button runs the file’s attachment, which is a malicious Visual Basic Script (VBS) file. That VBS is then able to download malware from a remote site and install it on your machine.

OneNote will warn you about the dangers of opening files from unknown sources, but its effectiveness relies on the user actually paying attention. The VBS file will also download and display a decoy OneNote document once activated, making you none the wiser about what’s just happened.

Bleeping Computer found that the files end up stealing remote access trojans, allowing attackers to access your device and steal just about anything. Files, saved passwords, crypto wallets, webcam footage and so on.

The best way to stay safe from these kinds of attacks is to not open files from anyone you don’t actually know — especially OneNote files. On top of that, if you ever do open an unknown file, you need to listen to all the warnings that may pop up, all for your own safety.

Tom Pritchard
Automotive Editor

Tom is the Tom's Guide's Automotive Editor, which means he can usually be found knee deep in stats the latest and best electric cars, or checking out some sort of driving gadget. It's long way from his days as editor of Gizmodo UK, when pretty much everything was on the table. He’s usually found trying to squeeze another giant Lego set onto the shelf, draining very large cups of coffee, or complaining that Ikea won’t let him buy the stuff he really needs online.