---
title: "Threat Actors Using Malicious OneNote Attachments to Spread Malware via Phishing Emails | Phish Protection"
description: "Threat Actors Using Malicious OneNote Attachments to Spread Malware via Phishing Emails: Threat actors have switched to a new type of file for their."
image: "https://phishprotection.com/og/blog/threat-actors-using-malicious-onenote-attachments-to-spread-malware-via-phishing-emails.png"
canonical: "https://phishprotection.com/blog/threat-actors-using-malicious-onenote-attachments-to-spread-malware-via-phishing-emails/"
---


Threat actors have switched to a new type of file for their **malicious** purposes, this time in the form of Microsoft **OneNote attachments** in emails to deploy information-stealing [malware](/content/protection-against-malware/what-is-malware). Join us as we provide an in-depth view into the new attack campaign and how to protect against it.

The growing cybercriminal wave and headlines of **novel attack campaigns** have a new addition, this time in the form of OneNote attachments. Threat actors have evolved their phishing campaigns and are using OneNote attachments that infect victim systems with malware to gain [remote access](https://www.hpe.com/us/en/what-is/remote-access.html) for malicious purposes.

Word and Excel attachments have been leveraged in phishing emails in the past, but the new wave of OneNote attachments should keep individuals and **organizations attentive**. Let us see how threat actors are doing this and how you can protect yourself.

![Email Phishing Statistics](https://media.mailhop.org/phishprotection/images/2023/10/Email-Phishing-Statistics.png) 

### Why are Threat Actors Using OneNote Attachments to Drop Malware?

Microsoft **disabled** macros by default in Office documents to thwart the attack campaigns in which [cybercriminals](/blog/cybercriminals-are-duping-millions-of-accounts-in-the-latest-facebook-phishing-campaign/) leveraged Word and Excel.

Following the disabling, threat actors have been utilizing various file formats to drop malware using phishing emails, from ISO (International Organization for Standardization) images to **password-protected ZIP** files (archives of merged and compressed files) and other methods. The [threat actors](/blog/threat-actors-using-phishing-as-a-service-phaas/) were able to use these additional file formats because **bugs** in Windows allowed ISOs to bypass security warnings, and the 7-Zip archive utility did not propagate Mark of the Web flags to the files that were extracted from ZIP archives.

7-Zip and Windows fixed all of these bugs, so Windows now **alerts** with security warnings when any individual attempts to open files downloaded in ISOs and ZIPs. _Since ISO and ZIP files were rendered unusable to drop malware, threat actors have now switched to OneNote attachments for their malicious purposes._

Microsoft OneNote is one of the **most popular** applications by the tech giant, allowing individuals to create a [digital notebook](https://www.igi-global.com/dictionary/digital-notebook/50837#:~:text=1.,information%20from%20disparate%20online%20sources.). Available for **free**, the application is included in Microsoft Office 2019 and later and [Microsoft 365](/phishing-awareness/microsoft-365s-new-phishing-simulation-to-check-organizations-email-security-posture). Since the application is installed by default via Microsoft Office 365, individuals who do not utilize the application can still open OneNote files.

### The Latest OneNote Attachment Phishing Attacks at a Glance

> “over 90% of ransomware attacks begin with a phishing email ([Verizon 2024 Data Breach Investigations Report](https://www.verizon.com/business/resources/reports/dbir/)). Blocking the phishing email is the most effective ransomware prevention strategy available - it stops the attack at the earliest possible stage, before any malware reaches your network. Every ransomware incident we’ve investigated started with an email that should have been caught.” - **Vasile Diaconu**, Operations Lead, DuoCircle

Since the middle of December 2022, security **researchers** at Trustwave SpiderLabs have been [warning individuals](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/) of threat actors distributing malicious spam and **phishing emails** with OneNote attachments.

The email campaign is highly **sophisticated**: the threat actors send [phishing](/resources/what-is-phishing) emails impersonating DHL shipping, sending notifications, invoices, mechanical drawings, shipping documents, and ACH remittance forms to the victims.

OneNote does not support [macros](https://www.javatpoint.com/what-is-macros) like Word and Excel, so the older tactic is useless. However, OneNote allows individuals to insert **NoteBook attachments** that are launched automatically when opened. Using this **automatic launch**, threat actors have been adding malicious VBS attachments whose script executes automatically when any victim opens the file.

### Malware and Trojans: The Capabilities of the OneNote Attachments

The VBS attachments look like a **file icon** in OneNote and download malware from a **remote site**. _To hide the file icon giveaway, threat actors overlay a “Double Click to View File” bar over the inserted VBS attachments to obscure them._

The malicious [attachment](https://informationsecuritybuzz.com/opening-of-email-attachment-led-to-hse-cyber-attack-report-finds/) is a cascaded one: once an individual tries to move the “Click to View Document” bar, **multiple** attachments are revealed in a row, and these are triggered to launch if a user **double clicks** anywhere on the said bar.

OneNote **warns** individuals that opening attachments can harm the computer or data. However, users are quick to dismiss or ignore such prompts, leading to the launch of the **VBS script** that downloads and installs the malware. In some cases, the script downloads and executes two files from the server and also executes a malicious batch file that runs the [installer](https://www.computerhope.com/jargon/i/installer.htm) in the background.

The malicious OneNote files install [RATs (Remote Access Trojans)](https://thehackernews.com/2022/08/meet-borat-rat-new-unique-triple-threat.html) that allow the threat actors to **exfiltrate** information from the victim’s devices. The Trojans installed by the attachments are AsyncRAT and XWorm. However, samples of the Quasar RAT have also been discovered.

### What can the OneNote Attachment Delivered RATs do to Your System?

The malware that is installed on the **victim’s devices** is highly sophisticated software that allows the threat actors to gain **unauthorized access** and control over a victim’s computer and exfiltrate information, allowing the threat actors to **steal** sensitive information, install additional malware, or use the infected computer as part of a more prominent [botnet](https://www.paloaltonetworks.com/cyberpedia/what-is-botnet) for distributed attacks.

Threat actors can use the RAT to steal **files and passwords** in the browser and spy on the victims via [keylogging](https://us.norton.com/blog/malware/what-is-a-keylogger#), by taking screenshots, or by **recording videos** using webcams while the victim is oblivious. _RATs are a common tactic in the crypto world, where threat actors utilize them to steal crypto wallets and make away with the victims’ cryptocurrency._

![Email phishing protection](https://media.mailhop.org/phishprotection/images/2023/02/email-phishing-protection-6478.jpg) 

### How to Protect Against Phishing Attacks?

With the rising **cybercrimes** and novel attack campaigns, individuals need to take various approaches to tackle the **ever-changing** phishing attacks. Individuals can protect themselves against phishing attacks by taking several **preventative** measures:

- **_Be On Your Guard:_** Be cautious of unexpected emails, even if they appear to be from a legitimate source. Don’t click on any links or download attachments from **unknown** senders.
- **_Phishing Knowledge:_** Look for telltale signs of a phishing email, such as poor grammar, spelling mistakes, or a generic greeting instead of your name. Be wary of emails that create a **sense of urgency** or ask for personal information. Legitimate organizations will not typically ask for sensitive information through email.
- **_Leverage Tools:_** Use [anti-phishing](/content/anti-phishing-software/anti-phishing-techniques) and anti-malware software to protect your computer and mobile devices, as these are equipped with **advanced features** to protect you from various attacks, flag files, and automatically **update** all software for the latest protections.
- **_Employee Education:_** Educate yourself and your co-workers about phishing and the different types of phishing attacks. Since cybercriminals can utilize [social engineering](/phishing-awareness/social-engineering-attack-twilio-compromises-employee-accounts-customer-data) and target anyone, it would be best to make anti-phishing measures familiar and **educate the workforce**, executives, and the [C-Suite](https://www.computerweekly.com/news/252527553/C-suite-mystified-by-cyber-security-jargon).

Since threat actors are leveraging email attachments to **spread** malware, you should avoid downloading or opening such attachments. You can also go for an **anti-virus** program with a [sandbox environment](https://blog.hubspot.com/website/sandbox-environment) to run malicious files in the sandbox and stop them if they contain malware.
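A mail-gateway style check for the embedded attachments described earlier, as an added example that is not part of the original article: it finds OneNote attachments in a message, carves the embedded file objects using the `FileDataStoreObject` GUIDs from Microsoft's MS-ONESTORE specification, and flags script or executable payloads. The content markers, function names and the sample message are assumptions constructed for illustration.

```python
import struct
import uuid
from email import message_from_bytes, policy
from email.message import EmailMessage

# GUIDs defined in MS-ONESTORE, converted to their on-disk byte order.
ONE_FILE_TYPE = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le

# Assumed heuristics for this example; tune them for your own mail flow.
SCRIPT_MARKERS = (b"createobject", b"wscript.", b"powershell", b"@echo off")
IMAGE_MAGICS = (b"\x89PNG", b"\xff\xd8\xff", b"GIF8")

def carve_embedded_files(one_bytes):
    """Yield the payload of every FileDataStoreObject found in a .one file."""
    pos = one_bytes.find(FDSO_HEADER)
    while pos != -1:
        body = pos + 36  # header GUID (16) + cbLength (8) + unused (4) + reserved (8)
        if body <= len(one_bytes):
            (length,) = struct.unpack_from("<Q", one_bytes, pos + 16)
            if body + length <= len(one_bytes):  # skip truncated or bogus lengths
                yield one_bytes[body:body + length]
        pos = one_bytes.find(FDSO_HEADER, pos + 16)

def classify(blob):
    """Label one carved payload as image, executable, script or other."""
    if blob.startswith(IMAGE_MAGICS):
        return "image"
    if blob.startswith(b"MZ"):
        return "executable"
    # Dropping NUL bytes lets the ASCII markers also match UTF-16LE scripts.
    text = blob[:65536].replace(b"\x00", b"").lower()
    return "script" if any(m in text for m in SCRIPT_MARKERS) else "other"

def scan_message(raw_email):
    """Return [(attachment name, [payload labels])] for each OneNote attachment."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Check the magic bytes too: the file name is chosen by the sender.
        if name.lower().endswith(".one") or data.startswith(ONE_FILE_TYPE):
            findings.append((name, [classify(b) for b in carve_embedded_files(data)]))
    return findings

def should_quarantine(findings):
    return any(k in ("script", "executable") for _, labels in findings for k in labels)

def build_sample_email(payloads, filename="Invoice.one"):
    """Constructed sample: a minimal fake .one carrying the given payloads."""
    one = ONE_FILE_TYPE + b"\x00" * 1008
    for p in payloads:
        one += FDSO_HEADER + struct.pack("<QI8x", len(p), 0) + p + FDSO_FOOTER
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg["Subject"] = "Shipping notification (constructed sample)"
    msg.set_content("See attached.")
    msg.add_attachment(one, maintype="application", subtype="onenote", filename=filename)
    return msg.as_bytes()

PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed, not a real image
VBS_STUB = b'Set d = CreateObject("Scripting.Dictionary")\r\n'  # constructed, harmless

if __name__ == "__main__":
    report = scan_message(build_sample_email([PNG_STUB, VBS_STUB]))
    print(report, "quarantine" if should_quarantine(report) else "deliver")
```

A notebook that embeds only images is delivered; any embedded script or executable payload is grounds for quarantine, whatever the overlay bar in the page shows the user.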

### Final Words

Another application and then another file. It would seem that cybercriminals are adamant about making the digital lives of netizens more **challenging**. The rising wave of cybercrimes and phishing is ever-expanding, as evident from this campaign, but individuals need to keep themselves **protected** and retaliate in the best possible way.

_Fighting cybercriminals and protecting your systems and businesses from such threats is easy if you know what to do and how to respond._ It would be best to keep yourselves updated with the latest [phishing protection](/) trends to know how to protect against these threats, while organizations, especially **small businesses**, need to ensure they have **adequate** anti-phishing measures in place so that one of their employees doesn’t end up falling victim to a phishing campaign, jeopardizing the information assets of the entire organization.


[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base.

