OneNote documents:
the rise of a new attack vector

Discover the inherent dangers of macros in the realm of cybersecurity. 

TRY VMRAY

OneNote attacks:
Navigating beyond the macros

In the ever-evolving world of cyber threats, attackers are quick to adapt their tactics to bypass security measures. Following Microsoft’s decision to block web-based macros in Office, a new attack vector has emerged: OneNote files. Once seen as a trusted note-taking application, OneNote has become a carrier of malicious payloads, presenting significant challenges for organizations aiming to protect their digital assets.

The rise of OneNote attacks showcases the ingenuity of cybercriminals in exploiting alternative file formats. Leveraging the familiarity and trust associated with OneNote, threat actors embed malicious code within seemingly innocuous notes and attachments. By doing so, they evade traditional security measures that primarily focused on macro-enabled Office documents. This necessitates a comprehensive approach to threat detection and mitigation.

To effectively defend against OneNote attacks, organizations must adopt a proactive security stance. Static analysis alone is not sufficient; dynamic analysis is needed to gain in-depth insights into the behavior of OneNote files. Through dynamic analysis, analysts, incident responders, and threat hunters can understand the connected malware families’ configurations, explore the execution of the payload, and uncover hidden malicious activities. The VMRay platform provides both static and dynamic analysis capabilities, empowering security teams to trace the threat’s footprints and respond effectively.
Macro malware using an innocent-looking Office macro to execute malicious code.
Pre-macro attack example: An Office macro is used by attackers to execute malicious code
Post-macro world attack type: a OneNote documents is received via a phishing email
Post macro attack example: A phishing email containing a OneNote document
OneNote attack: execution of the malicious code by clicking on "view" button
OneNote attack: Recipient is encouraged to click the "View" button, under which hids a malicious code

As the threat landscape evolves, organizations must recognize the significance of OneNote attacks and adapt their security strategies accordingly. By staying informed about emerging attack vectors and leveraging advanced analysis techniques, organizations can strengthen their defenses, safeguard their networks, and protect their valuable digital assets.

Uncover the secrets of a malicious OneNote attack in our insightful analysis spotlight.

Our expert threat researchers have meticulously examined a real-world attack, revealing its behavior and linking it to the infamous loader Emotet. Gain valuable knowledge about sophisticated attack techniques and enhance your understanding of how attackers can exploit OneNote documents for their delivery chain. 

Note: Our platform supports in-depth analysis of OneNote files with the 2023.2 release. You can now select OneNote as the file type of the sample you want to analyze.

VMRay's Platform file upload dialog recognizing the OneNote filetype.
OneNote attack: Recipient is encouraged to click the "View" button, under which hids a malicious code

Course home page: 
Threat Hunting in the post-macro world

Chapter 11: 
Analysis walkthrough: step-by-step analysis of an LNK file

Explore how you can benefit from VMRay's capabilities for Threat Hunting

See VMRay in action.
See the context & depth it can bring to your Threat Hunting

Take the interactive tour
Watch demo videos
Check sample reports
REQUEST FREE TRIAL NOW

Further resources

SANS WEBINAR

How to reap the benefits of Threat Hunting

Watch the full recording of our webinar delivered at SANS Solutions Forum

Watch the full recording

SOLUTION

Threat Hunting with VMRay

Explore how you can benefit from VMRay’s capabilities for Threat Hunting

Explore the solution

DATASHEET

VMRay
DeepResponse

Learn the features and benefits that make DeepResponse the best sandbox.

Download datasheet

Welcome to the playground.

Explore what you can do with VMRay.

Click on the yellow dots to check the report formats, see the overview, explore the network connections of the sample, malicious behavior, and relevant files, map the threat on MITRE ATT&CK Framework, analyze and download IOCs and artifacts.

The analysis report tabs are available both for VMRayDeepResponse and VMRayTotalInsight. The bundle of VMRay FinalVerdict and VMRayDeepResponse also offers access to the analysis report tabs.

We’re sorry. 

The interactive tour is not available on mobile devices.

REQUEST FREE TRIAL

Unveiling the power:
See our experts showcasing VMRay’s capabilities.

REQUEST FREE TRIAL
Analysis of a malicious file

Join Fatih Akar from the VMRay team as he provides a detailed walkthrough of a malicious LNK file, a prevalent attack vector since Microsoft’s Office macros block.

Gain valuable insights into each tab of our comprehensive analysis report and get a sneak peek into what you’ll be exploring.

Play Video
Analysis of a malicious URL

Join Andrey Voitenko, an expert in advanced malware and phishing analysis from the VMRay team, as he demonstrates how to submit emails and URLs to the VMRay platform using built-in connectors.

Discover the capabilities of our new Automation Dashboard, enabling one-click automation with your existing EDR, SOAR, SIEM, and TIP tools. Monitor analysis data seamlessly from your VMRay dashboard and unlock new levels of efficiency in your security operations.

Play Video
Integrating with existing tools

Watch Michael Bourton showcasing the seamless integration of VMRay platform with your existing security stacks.

Discover how effortlessly you can leverage unparalleled detection and analysis capabilities by utilizing dedicated connectors or our Rest API.

Play Video

Experience VMRay in Action:
Explore Real-world Malware Analysis Reports

Get a firsthand look at the power and capabilities of the VMRay platform by delving into our sample malware and phishing analysis reports.

Immerse yourself in a range of report formats, providing comprehensive insights.

Dive into the overview, explore intricate network connections, analyze malicious behavior in detail, and map threats using the MITRE ATT&CK Framework. See the possibilities to download clear IOCs.

Uncover the capabilities that await you.

REQUEST FREE TRIAL
Sample analysis
of Emotet
Explore
Delivery service phishing scam
Explore
Explore 1m+ in-depth analysis reports
Explore
Social media platform impersonation
Explore
Sample analysis of Lokibot
Explore
Sample analysis of BumbleBee
Explore
Calculate how much malware false positives are costing your organization:
Malware False Positive Cost Calculator
Try It Now