HomeWinBuzzer NewsMicrosoft OneNote Attachments are Being used by Hackers to Target Victims

Microsoft OneNote Attachments are Being used by Hackers to Target Victims

A new malware phishing campaign is using OneNote attachments to trick users into double-clicking and installing malware.


Security researchers are warning users that hackers are using a file format that looks like a attachment to deliver malware to victims. If someone double clicks the attachment, they will automatically launch the malware script, with remote downloading and installing on the target machine.

firm Trustwave initially found and reported on the issue in December and is issuing an update this week.

“We uncovered threat actors using a OneNote document to move Formbook malware, an information stealing trojan sold on an underground hacking forum since mid-2016 as malware-as-a-service,” Trustwave says in its blog.

“One file type that caught our eye on December 6, 2022, was the aforementioned OneNote attachment, with a .one extension attached to a spam email in our telemetry system.”

Bleeping Computer built on the initial report with its own investigation that shows the attachments mask their malicious content by mimicking legitimate business emails. For example, mechanical drawings, and invoices. Furthermore, this is an extension of the DHL shipping phishing campaign I reported on last week.

According to researchers, over 10,000 emails have been sent to customers. It seems all the emails were sent to a “private education institution”. The email carries the title “DHL Shipping Document/Invoice Receipt” and informs the receiver that a customer has sent a parcel to the wrong address.

It asks for a correct address to be given so the recipient can receive the package. There is an attachment titled “Shipping Document Invoice Receipt”. When this is opened, there is a blurred file. A login page then appears and requests the victim to add their Microsoft 365 account credentials.

New Hack

While this OneNote hack is separate, DHL is once again once again involved in tricking customers. The double click is important towards grabbing victims, so the threat actors use an image to entice users to interact with the attachment.

What is interesting is OneNote is being used as the delivery. is often used, but OneNote is usually ignored in favor of Word or PowerPoint.

“In sum, a WSF file embedded in a OneNote document is likely to fly under the radar,” Trustwave says. “It also means that OneNote can now join the list of other Office Documents that need to be inspected for malicious components. As mentioned earlier, it's not typical to see .one files attached to emails. As a mitigation step, organizations should consider blocking or flagging inbound email attachments with a .one extension.”

Tip of the day: When Windows 10 or Windows 11 has issues, it's not rare to run into startup problems. Corrupted Windows files, incorrect system configuration, driver failure, or registry tweaks can all cause this issue.

Using Windows startup repair can fix boot issues caused by the most prevalent issues. Though it may seem that all is lost when you run into startup problems, it's important to try a Windows boot repair so you can at least narrow down the source of the issue. If it doesn't work, you may have to reinstall the OS or test your hardware.

Last Updated on January 25, 2023 2:18 am CET

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.