The New Face Of Phishing
A recent Varonis report by researcher Tom Barnea exposes a rising threat: cyber criminals exploiting Microsoft OneNote to launch “native” phishing campaigns via Microsoft 365. OneNote is a well-established digital note-taking app that provides a single place for keeping users' reminders, research and project information.
These attacks exploit trust in legitimate collaboration tools, combining social engineering and cloud infrastructure to bypass traditional defences.
This new attack vector uses shared OneNote notebooks to deliver embedded malware or credential‑stealing links, all concealed beneath innocuous-looking surfaces, exploiting users’ confidence in trusted ecosystems.
Why OneNote?
After Microsoft began blocking macros by default in Office documents downloaded from the internet in 2022, threat actors pivoted to alternative file types. OneNote emerged as ideal: pre‑installed with Office or Microsoft 365, commonly used in organisations, and not flagged as suspicious by most email gateways. Crucially, OneNote files can embed attachments - VBScript, HTA, BAT, and LNK files - hidden beneath images that mimic legitimate buttons or prompts.
When users double‑click a “Double‑click to view” overlay, OneNote writes the embedded attachment to disk and runs it, so they unwittingly execute malicious code that may download RATs, steal credentials, or implant further malware.
Anatomy Of An Attack
Campaigns often mimic shipping notifications, invoices or internal memos. The OneNote notebook appears to contain a benign document, but embedded scripts drop malware payloads (e.g., AsyncRAT, Redline, AgentTesla, Qakbot, IcedID, DOUBLEBACK) upon user interaction. These attachments - camouflaged with PNG or PDF icons - launch batch or PowerShell scripts, which then fetch remote executables, staging them in temp folders or inside hidden HTA files.
In many cases, antivirus tools failed to detect the OneNote-hosted payloads, underscoring the need for behavioural rather than purely signature‑based defences.
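The embedding described above is what a mail gateway can key on: OneNote stores each embedded file as a FileDataStoreObject with fixed header and footer GUIDs, so the attachments can be carved out of a .one file and sniffed by content rather than by the icon shown to the user. The following Python is an added example, not code from Varonis or any of the cited vendors; the GUIDs and the 36-byte fixed prefix come from the MS-ONESTORE specification, the sample notebook bytes are constructed for the demonstration (filler stands in for the real file header), and the classification heuristics are the author's own assumptions.

```python
"""Carve and triage embedded attachments from a OneNote (.one) file.

OneNote stores each embedded file as a FileDataStoreObject (MS-ONESTORE 2.6.13):
a 16-byte header GUID, an 8-byte little-endian length, 4 unused bytes, 8 reserved
bytes, the raw file bytes, then a 16-byte footer GUID. The markers are stable,
so a gateway can carve payloads without parsing the rest of the format.
"""
import struct
from typing import List, Tuple

FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")  # {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")  # {71FBA722-0F79-4A0B-BB13-899256426B24}
FDSO_FIXED = 16 + 8 + 4 + 8  # bytes before FileData begins

# Windows shortcut magic: HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c000000" + "0114020000000000c000000000000046")

# Embedded types that should never arrive by e-mail inside a notebook (assumed policy).
EXECUTABLE_TYPES = {"pe", "lnk", "hta", "bat", "vbs", "js"}


def carve_attachments(data: bytes) -> List[Tuple[int, bytes, bool]]:
    """Return (offset, payload, footer_ok) for every FileDataStoreObject in data."""
    found = []
    pos = data.find(FDSO_HEADER)
    while pos != -1:
        length_off = pos + 16
        if length_off + 8 > len(data):
            break
        (cb_length,) = struct.unpack_from("<Q", data, length_off)
        start = pos + FDSO_FIXED
        end = start + cb_length
        payload = data[start:end]                      # truncated file => short payload
        footer_ok = data[end:end + 16] == FDSO_FOOTER  # False if length is corrupt
        found.append((pos, payload, footer_ok))
        pos = data.find(FDSO_HEADER, pos + 16)
    return found


def classify(payload: bytes) -> str:
    """Cheap content sniffing (heuristics are an assumption): what the bytes are, not the icon shown."""
    if payload.startswith(b"MZ"):
        return "pe"
    if payload.startswith(LNK_MAGIC):
        return "lnk"
    if payload.startswith(b"\x89PNG"):
        return "png"
    if payload.startswith(b"%PDF"):
        return "pdf"
    text = payload[:4096].lower()
    if b"<hta:application" in text or b"<script" in text or b"<html" in text:
        return "hta"
    if text.lstrip().startswith(b"@echo") or b"cmd /c" in text or b"cmd.exe" in text:
        return "bat"
    if b"activexobject(" in text:
        return "js"
    if b"createobject(" in text or b"wscript.shell" in text:
        return "vbs"
    return "unknown"


def triage(data: bytes) -> dict:
    """Gateway verdict: block the notebook if any embedded file is executable."""
    items = [(off, classify(p), len(p), ok) for off, p, ok in carve_attachments(data)]
    kinds = [kind for _, kind, _, _ in items]
    verdict = "block" if EXECUTABLE_TYPES.intersection(kinds) else "allow"
    return {"attachments": items, "verdict": verdict}


def wrap_fdso(payload: bytes) -> bytes:
    """Lay out one FileDataStoreObject as OneNote does (used only to build the sample)."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload + FDSO_FOOTER


# Constructed sample: a notebook-like blob holding the decoy image and the batch
# script that sits beneath the "Double-click to view" overlay. Not a real sample.
DECOY_PNG = b"\x89PNG\r\n\x1a\n" + b"\0" * 32
DROPPER_BAT = b'@echo off\r\nstart /min cmd /c powershell -w hidden -c "echo placeholder"\r\n'
SAMPLE_NOTEBOOK = (b"\0" * 64 + wrap_fdso(DECOY_PNG) + b"\0" * 128
                   + wrap_fdso(DROPPER_BAT) + b"\0" * 16)

if __name__ == "__main__":
    result = triage(SAMPLE_NOTEBOOK)
    for off, kind, size, ok in result["attachments"]:
        print(f"offset={off:#x} type={kind} size={size} footer_ok={ok}")
    print("verdict:", result["verdict"])
```

The point of sniffing content rather than trusting the embedded file's name or icon is exactly the camouflage the article describes: a PNG icon over a .bat is still a .bat to `classify`. A footer mismatch is worth logging on its own, since a hand-edited length field is a cheap way to confuse naive carvers.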
The Human Factor
The attack hinges on social engineering. These campaigns are effective because users trust Microsoft 365 files sent within familiar workflows. Even when OneNote warns that an attachment may compromise security, users often click through the alert. Moreover, nested attachments (a batch file launching an HTA, which runs PowerShell, which deploys the malware) obscure the threat chain.
Reddit commentators corroborate these findings. One noted: “It’s dumber than it sounds. You can drag and drop a .vbs or .js file right on top of a OneNote file… Crazy part is you can put a big blue piece of text… and the clicks run the executable.” Another warned: “If you don’t use .one… delete on sight any messages with one attached - no matter who they are from.”
Scale & Actors
The tactic has proliferated since December 2022. Proofpoint recorded just six campaigns that month, rising to over fifty by January 2023. Malware families observed included AsyncRAT, Redline, AgentTesla and DOUBLEBACK, as well as Qakbot delivered by TA577.
This technique now spans banking malware, RATs, and infostealers; telemetry shows infections across sectors including manufacturing, telecoms and high tech.
Defences & Mitigation
Varonis advises a layered defence: enforce multi‑factor authentication (MFA), tighten conditional access, and adjust sharing settings to restrict unwarranted access. They stress user‑centric awareness campaigns that teach staff to hover before clicking and never follow links in unsolicited OneNote notebooks.
Technical controls include blocking inbound .one attachments at mail‑gateway level, deploying behavioural endpoint detection, and implementing threat‑hunting rules that flag embedded attachments being written to and executed from OneNote's temporary export folders (WithSecure). OneNote's default warning can simply be clicked through by users, so monitoring for script hosts spawned by OneNote is essential.
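The hunting rule above, as an added example in Python that is not code from Varonis, WithSecure or any other cited vendor. It walks process-creation telemetry (field names follow Sysmon Event ID 1) and alerts on any script host whose ancestry leads back to OneNote, which catches the nested batch → HTA → PowerShell chains the article describes even when the direct parent is no longer OneNote. The event records are constructed for the example; the `\Temp\OneNote\<version>\Exported\` path form is the one reported in public analyses and the version segment is matched loosely because it varies, and the list of script hosts is an assumption.

```python
"""Hunt for script hosts descending from OneNote in process-creation telemetry.

Field names follow Sysmon Event ID 1 (Image, ParentImage, ProcessId,
ParentProcessId, CommandLine). The event records below are constructed for
the example, not captured from a real infection.
"""
import re
from typing import Dict, List

# Shells and script hosts OneNote has no business launching in normal use (assumed list).
SCRIPT_HOSTS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

# OneNote writes a double-clicked attachment under %LocalAppData%\Temp\OneNote\
# <version>\Exported\ before launching it (path form from public analyses; the
# version segment is matched loosely because it varies).
EXPORT_DIR = re.compile(r"\\temp\\onenote\\[^\\]+\\exported\\", re.IGNORECASE)
MAX_DEPTH = 8  # guard against cycles or pid reuse while walking ancestors


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event: Dict, by_pid: Dict[int, Dict]) -> List[Dict]:
    """Follow ParentProcessId links upward; nearest parent first."""
    chain, cur, depth = [], event, 0
    while cur.get("ParentProcessId") in by_pid and depth < MAX_DEPTH:
        cur = by_pid[cur["ParentProcessId"]]
        chain.append(cur)
        depth += 1
    return chain


def hunt(events: List[Dict]) -> List[Dict]:
    """Return one alert per process that trips a rule, with its full lineage."""
    by_pid = {e["ProcessId"]: e for e in events}
    alerts = []
    for e in events:
        image = basename(e["Image"])
        parents = ancestry(e, by_pid)
        onenote_ancestor = any(basename(p["Image"]) == "onenote.exe" for p in parents)
        rules = []
        if image in SCRIPT_HOSTS and onenote_ancestor:
            rules.append("script_host_descends_from_onenote")
        if EXPORT_DIR.search(e.get("CommandLine", "")) or EXPORT_DIR.search(e["Image"]):
            rules.append("executes_from_onenote_export_dir")
        if rules:
            chain = " > ".join(basename(p["Image"]) for p in reversed(parents)) + " > " + image
            alerts.append({"pid": e["ProcessId"], "image": image, "rules": rules, "chain": chain})
    return alerts


# Constructed telemetry: a user opens a notebook, double-clicks the embedded .bat,
# and the chain cmd -> mshta -> powershell follows. The last record is a benign
# PowerShell launched from Explorer, which must not alert.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"
EXPORTED_BAT = (r"C:\Users\alice\AppData\Local\Temp\OneNote\16.0\Exported"
                r"\{2B1F0F3C-0000-4000-8000-000000000001}\NT\0\invoice.bat")
SAMPLE_EVENTS = [
    {"ProcessId": 1000, "ParentProcessId": 4, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\wininit.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 2000, "ParentProcessId": 1000, "Image": OFFICE,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "ONENOTE.EXE"},
    {"ProcessId": 3000, "ParentProcessId": 2000, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": OFFICE, "CommandLine": 'cmd.exe /c "' + EXPORTED_BAT + '"'},
    {"ProcessId": 3100, "ParentProcessId": 3000, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\AppData\Local\Temp\invoice.hta"},
    {"ProcessId": 3200, "ParentProcessId": 3100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'powershell.exe -w hidden -c "Start-Sleep 1"'},
    {"ProcessId": 4000, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe -c Get-Date"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert["pid"], alert["image"], alert["rules"], alert["chain"])
```

Walking the full ancestry rather than checking only `ParentImage` is the design choice that matters: the PowerShell stage in the sample has mshta.exe as its direct parent, so a parent-only rule would miss it, while the lineage rule still ties it back to OneNote. In production the same logic runs as a SIEM or EDR query over real Event ID 1 records.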
The Verdict
OneNote‑based phishing epitomises how attackers exploit living‑off‑the‑land techniques and no‑code tools within cloud ecosystems. By hiding malicious payloads in ostensibly benign collaboration artefacts, they can outflank signature‑based defences. As Varonis puts it: “It’s not just about securing systems; it’s about securing people.”
Defence demands both technical vigilance - blocking suspicious file types, tightening sharing protocols, deploying behavioural detection - and ongoing user education. The moment a malicious notebook lands in an inbox, the window for exploitation opens.
To meet the challenge, organisations must adapt their strategies: trust, in this context, is both a feature - and a vulnerability.
Varonis | DeskVIP | Barracuda | Trellix | Proofpoint | Reddit | Reddit | WithSecure | Reply
Image: Ideogram