
Attackers Are Trying to Steal Passwords via Microsoft OneNote

Attackers are utilizing OneNote Notebooks to quickly evolve their methods of password stealing, from phishing attacks to keyloggers.


Another day, another Office phishing campaign. This time, attackers are attempting to utilize OneNote to bypass Windows' phishing detection and install keyloggers on users' PCs.

As spotted by Cofense Intelligence, a threat actor has been performing a long-term campaign that uses notebooks hosted in OneDrive to attack victims. Due to the inherent productivity enhancements of Microsoft's software, they were able to update notebooks regularly with different intrusion methods and better evade spam filters.

The attack starts with an email from a supposed marketing manager with a link to an order request invoice. This could then lead to a Forms page with email and password boxes as a fake login, or links that ultimately lead to the installation of the Agent Tesla Keylogger. Others falsely asked targets to “auto verify” a OneDrive account that wasn't synced with their organization's backups.

The malware was installed via an encrypted binary that was decrypted and run in memory. Due to the inherent trust in platforms like OneNote, this could let attackers bypass some protections by Microsoft Exchange or FireEye.

Ultimately, many of these attacks proved unsuccessful on Cofense test machines due to incorrect malware configuration and other mistakes that pointed to inexperience. However, more canny attackers could still use this vector in the future.

“Based on the inherent risk posed by trusted sources, traditional protections trained against OneNote and similar services may prove ineffective,” said Cofense. “If not properly addressed, this could pave the way to a prolific infection vector for malware.”

The best way to avoid these attacks is, as always, to be cautious about the links you click and to only open email from trusted and verified senders. Hopefully, though, Microsoft will expand its efforts to mitigate this problem.

Ryan Maskell