Malicious actors are abusing OneNote, a Microsoft product that receives frequent feature updates, by sending spam emails whose attachments, when double-clicked, automatically run a script that installs malware from a remote site onto the user's computer.

OneNote is one of the most popular components of the Microsoft 365 package and is still being actively updated by the company. However, the product's frequent beta testing has given hackers openings to exploit for phishing-based malware attacks. Security professionals have now sounded the alarm about malicious actors using OneNote attachments to surreptitiously install malware on user devices.

The warning was initially sent through a tweet by Perception Point Attack Trends reporting on the vulnerability. The malware can be used not only to steal passwords but also to attack cryptocurrency wallets or to install additional software on an unsuspecting user's device.

Earlier, Microsoft blocked the use of macros in its Office documents, cutting hackers off from using Excel and Word documents to spread malware. Microsoft has also stopped users from opening zip and ISO files without first going through security warnings.

Here Is How the Attack Works

Hackers have found ways to circumvent the macro block in order to deliver malware. The phishing emails can be dressed up as fake invoices, delivery notices, or notifications, among other things.

In most cases, the attachment shows a blurred-out image overlaid with text reading 'Double Click to View File.' Doing so actually runs a malicious Visual Basic script file that contacts a remote server to install malware, including a variety of trojans.
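The attachment technique described above can be checked for on the receiving side: OneNote stores each embedded file in a FileDataStoreObject structure whose header and footer are fixed GUIDs, so a mail gateway or triage script can carve out the embedded payloads and flag script-like content before a user ever sees the "Double Click to View File" image. The following is an added example written for this article, not code from Spiceworks, Perception Point, or Microsoft. It assumes the header and footer GUIDs from Microsoft's published MS-ONESTORE file-format specification (the article itself does not give them), and the sample .one-like container it scans is constructed inline, with a harmless placeholder standing in for any real script body.

```python
"""Carve embedded files out of a OneNote (.one) file and flag script-like payloads.

Added detection example; assumes the FileDataStoreObject layout from the
MS-ONESTORE specification: guidHeader(16) cbLength(8) unused(4) reserved(8)
FileData(cbLength) guidFooter(16).
"""
import re
import struct
from typing import Dict, List

# Header/footer GUIDs of FileDataStoreObject, as stored on disk (little-endian GUID).
# Assumed from the MS-ONESTORE spec; not taken from the article.
FILE_DATA_STORE_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
FILE_DATA_STORE_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")

# Indicators chosen to match the article's description: a Visual Basic script that
# reaches out to a remote server. These labels and patterns are this example's own.
SCRIPT_PATTERNS = [
    (re.compile(rb"CreateObject\s*\(", re.I), "VBScript CreateObject call"),
    (re.compile(rb"WScript\.Shell", re.I), "WScript.Shell"),
    (re.compile(rb"MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest", re.I), "HTTP download object"),
    (re.compile(rb"powershell", re.I), "PowerShell invocation"),
]
PE_MAGIC = b"MZ"  # DOS/PE executable header


def extract_embedded_files(data: bytes) -> List[bytes]:
    """Return the raw bytes of every embedded file located via the header GUID."""
    files = []
    pos = 0
    while True:
        idx = data.find(FILE_DATA_STORE_HEADER, pos)
        if idx < 0:
            break
        hdr_end = idx + len(FILE_DATA_STORE_HEADER)
        if hdr_end + 20 > len(data):  # not enough room for cbLength/unused/reserved
            break
        (length,) = struct.unpack_from("<Q", data, hdr_end)
        start = hdr_end + 20  # skip cbLength(8) + unused(4) + reserved(8)
        end = start + length
        if end > len(data):
            files.append(data[start:])  # truncated file: keep what is present
            break
        files.append(data[start:end])
        pos = end
    return files


def classify_payload(blob: bytes) -> List[str]:
    """Label an embedded payload by executable magic and script indicators."""
    findings = []
    if blob.startswith(PE_MAGIC):
        findings.append("PE executable")
    for pattern, label in SCRIPT_PATTERNS:
        if pattern.search(blob):
            findings.append(label)
    return findings


def scan_onenote(data: bytes) -> List[Dict]:
    """Produce one report entry per embedded file, with its size and findings."""
    return [
        {"index": i, "size": len(blob), "findings": classify_payload(blob)}
        for i, blob in enumerate(extract_embedded_files(data))
    ]


def build_sample() -> bytes:
    """Constructed stand-in for a .one file: a benign PNG fragment and a VBS stub."""

    def wrap(payload: bytes) -> bytes:
        return (FILE_DATA_STORE_HEADER + struct.pack("<Q", len(payload))
                + b"\x00" * 12 + payload + FILE_DATA_STORE_FOOTER)

    benign_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    vbs_stub = (b'Set sh = CreateObject("WScript.Shell")\r\n'
                b'sh.Run "powershell -Command PLACEHOLDER"')  # constructed, inert
    return b"FAKE-ONE-CONTAINER" + wrap(benign_png) + b"\x00" * 8 + wrap(vbs_stub)


if __name__ == "__main__":
    for entry in scan_onenote(build_sample()):
        print(entry)
```

Running the block on the constructed sample reports two embedded files: the PNG fragment with no findings, and the script stub flagged for CreateObject, WScript.Shell and a PowerShell invocation. In practice the same carve-and-classify step is where a gateway would quarantine the message or strip the attachment, and the indicator list should be tuned to the mail flow being protected rather than used as-is.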

Microsoft has already halted cryptocurrency mining on its platform, an activity that has often been linked to unauthorized account access. This has significantly reduced cloud service degradation and disruption.

To adequately protect themselves, OneNote users should not disregard the application's warnings, and should use multi-factor authentication, antivirus, and firewalls wherever possible. It is also crucial that they do not download attachments from emails or links they are not familiar with.

This article first appeared in Spiceworks on February 3, 2023, written by Anuj Mudaliar.