Microsoft OneNote files are once again being used to spread malware — how to stay safe

A graphic displaying computer code with a Malware warning in the middle
(Image credit: solarseven/Shutterstock)

Hackers are once again using malicious Microsoft OneNote files to infect unsuspecting users with the QBot malware which can steal financial info, browser data and even passwords.

While QBot originally started out as a banking trojan, it evolved into malware that’s used to gain initial access to a victim’s device — according to BleepingComputer. From there, it can be used to load other malware or even ransomware on a compromised computer.

Hackers first began attaching malicious OneNote files to their phishing emails last month after Microsoft disabled macros in Office documents. What makes this new attack method particularly dangerous is the fact that an attacker can embed almost any file when creating a malicious OneNote document. 

Weaponizing OneNote documents

The QBot malware is currently being distributed through phishing emails that include a malicious OneNote file as an attachment. The attackers behind this campaign are also using social engineering in order to get users to click on VBS attachments or LNK files including in these OneNote Notebooks.

a magnifying glass enlarges the OneNote app icon in a window

(Image credit: Shutterstock)

Once a user clicks on a button that says “Double Click to View File” inside a OneNote Notebook, the attachments embedded in the file execute commands on their PC that download and install the QBot malware.

According to a new report from Sophos, the hackers behind this campaign are also hijacking email threads and using the “reply-to-all” feature to spread their malicious OneNote files. In this case, a fake button inside the Notebook file that reads “Open” is used to run any attachments included by the attackers.

How to stay safe from malicious email attachments

Just like with other malware and phishing campaigns in the past, you need to be extra careful when dealing with emails from unknown senders and avoid downloading or opening any attachments they may include.

If you use Microsoft OneNote for work or school, you’re more likely to open a malicious NoteBook which is why you may want to consider using another note taking app for the time being.

someone trying to open a spam email

(Image credit: TippaPatt / Shutterstock)

Even if you do accidentally click on one of the fake buttons in these malicious OneNote files, the best antivirus software can help protect your system from becoming infected with malware. Likewise, the best identity theft protection can help people who have been scammed and lost money as the result of a cyberattack.

Cybersecurity is often like a game of cat and mouse. When companies like Microsoft change their software so that it can’t be used maliciously, hackers then come up with a new attack method that has a higher chance of successfully infected unsuspecting users with malware and other viruses. This likely won’t be the last we see of the QBot malware which is why you need to be careful when dealing with any email attachment — even those from people you know.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.