As spotted by Cofense Intelligence, a threat actor has been performing a long-term campaign that uses notebooks hosted in OneDrive to attack victims. Due to the inherent productivity enhancements of Microsoft's software, they were able to update notebooks regularly with different intrusion methods and better evade spam filters.
The attack starts with an email from a supposed marketing manager with a link to an order request invoice. This could then lead to a Google Forms page with email and password boxes as a fake login, or links that ultimately lead to the installation of the Agent Tesla Keylogger. Others falsely asked targets to “auto verify” a OneDrive account that wasn't synced with their organization's backups.
The malware was installed via an encrypted binary that was decrypted and run in memory. Due to the inherent trust in platforms like OneNote, this could let attackers bypass some protections by Microsoft Exchange or FireEye.
Ultimately, many of these attacks proved unsuccessful on Cofense test machines due to incorrect malware configuration and other mistakes that pointed to inexperience. However, more canny attackers could still use this vector in the future.
“Based on the inherent risk posed by trusted sources, traditional protections trained against OneNote and similar services may prove ineffective,” said Cofense. “If not properly addressed, this could pave the way to a prolific infection vector for malware.”
The best way to avoid these attacks is always to be cautious about the links you click, only opening email from trusted and verified senders. With hope, though, Microsoft will expand its efforts to mitigate this problem.