Significant Increase in Malicious Files Delivered via OneNote Attachments

Received this email from one of our security vendors, Arctic Wolf a couple days ago. Seems like an exceptionally easy way for malware to make it into your network, so I figured I’d share as we’ve blocked these across the board as well. Not really sure why someone would really need to send OneNote attachments on a regular basis anyway.


Arctic Wolf observed a significant increase in the number of malicious files delivered and opened via OneNote email attachments. Unlike malicious Word and Excel files, infected OneNote files do not require the security prompt asking the end-user to allow macros, thus increasing the chances of unknowingly running the malicious executable.

Arctic Wolf has detections for common post-compromise activities associated with this threat. To ensure that the necessary telemetry is being gathered as part of the Arctic Wolf Managed Detection and Response service, please review our recommendations in this bulletin.

Threat Details

OneNote attachments are delivered via email with encouragement for the end-user to click on the button to download the attachment and view the document. The malicious OneNote files contain an embedded HTA application that is executed when an unsuspecting user clicks on the “Open” or “View” button.

The code in the malicious HTA file typically leverages a system process, such as mshta.exe or cmd.exe, to contact a malicious URL. This may be achieved using curl.exe or powershell.exe processes, in order to download the second stage malware. This second stage malware is often used by threat actors as a backdoor into the endpoint and network.

A common OneNote tactic may involve the following steps:
1.   OneNote attachment sent via email.
2.   User clicks to retrieve the attachment.
3.   HTA application launches curl.exe to malicious URL.
4.   A malicious DLL is downloaded and saved with an extension of .png or .jpg.
Note: The URL sometimes references a .gif despite saving a different extension locally.
5.   The downloaded malicious DLL is loaded via rundll32.exe.
6.   Qakbot infection is established.


Recommendation #1: Block .one Attachments via Email Gateway

We strongly recommend blocking all .one attachments at your email gateway. If using Microsoft 365, please reference the Microsoft documentation on how to accomplish this. You will need to manually add the .one extension after enabling the “common attachments filter” option in the “Anti-malware” policy in the Office 365 Defender portal. If using another email gateway solution, consult with your vendor.

Arctic Wolf Customer Email

Update 4/20/2023: A couple weeks ago Microsoft announced that dangerous filetypes and macros will be blocked in OneNote documents, similar to how they are blocked in Excel and Word documents.

Leave a Reply