
Cybercriminals are now exploiting OneNote to spread malware

For the longest time, cybercriminals have been exploiting the macro feature in Office applications like Word and Excel to infect unsuspecting users' PCs with malware. They typically do this by injecting malicious macro code into a legitimate Word or Excel document, then convincing users to enable macros, supposedly so that the file displays properly. In reality, enabling macros only allows the malware to wreak havoc on the victim's PC.

Microsoft is aware of this behavior by threat actors and eventually blocked macros in Office documents by default. However, cybercriminals are now using another app to trick users into infecting their own PCs with malware: the digital note-taking app OneNote.


As reported by BleepingComputer, cybercriminals have been found sending phishing emails that purportedly contain DHL invoices, remittance forms, shipping notifications and documents, and mechanical drawings. Instead of using macros, which OneNote does not support, cybercriminals are exploiting OneNote's ability to attach files within a notebook.

They do this by attaching malicious VBS files to a OneNote notebook. When double-clicked, these files automatically download and install malware from a remote site. To conceal them and make the OneNote document look as legitimate as possible, threat actors overlay a "Double click to view file" box over them.

Behind that "Double Click to View File" button are the malicious files.

This means that clicking on the box will launch the malicious files, which will install malware onto the device. And while OneNote will warn users that opening attachments could harm the user's computer and data, many users might just ignore the warning and click "OK" anyway.

In the emails seen by BleepingComputer, the malicious OneNote documents typically install remote access trojans that can steal sensitive information and cryptocurrency wallets. Others can even take screenshots and record video using the victim's webcam.

To protect yourself from these attacks, do not open unsolicited emails from people you do not know. Also, make sure that your antivirus software is updated so it can properly detect malware and remove it from your system.
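One way to check a suspicious .one file without opening it in OneNote is to list the files attached inside it, since the attack relies on attachments hidden behind the overlay box. The following is an added example, not code from this article or from BleepingComputer; it locates attachments by the FileDataStoreObject header defined in Microsoft's MS-ONESTORE format, and the script markers and sample bytes are assumptions constructed for illustration.

```python
import struct
import sys

# Header GUID of a FileDataStoreObject ({BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC},
# MS-ONESTORE) in on-disk byte order; OneNote stores attached files behind it.
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
IMAGE_MAGICS = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF8")
# Heuristic script markers: an assumption of this example, not a complete list.
SCRIPT_MARKERS = (b"createobject", b"wscript.", b"powershell", b"<script")


def embedded_files(data):
    """Yield (offset, payload) for each file embedded in raw .one bytes."""
    pos = data.find(FDSO_HEADER)
    while pos != -1:
        start = pos + 36  # GUID (16) + cbLength u64 + unused u32 + reserved u64
        nxt = pos + 16
        if start <= len(data):
            (length,) = struct.unpack_from("<Q", data, pos + 16)
            if length <= len(data) - start:  # skip truncated or bogus lengths
                yield pos, data[start:start + length]
                nxt = start + length
        pos = data.find(FDSO_HEADER, nxt)


def triage(data):
    """Classify each embedded file as image, script or other."""
    findings = []
    for offset, payload in embedded_files(data):
        if payload.startswith(IMAGE_MAGICS):
            kind = "image"
        else:
            # Scripts may be ASCII or UTF-16, so drop NUL bytes before matching.
            text = payload.replace(b"\x00", b"").lower()
            kind = "script" if any(m in text for m in SCRIPT_MARKERS) else "other"
        findings.append({"offset": offset, "size": len(payload), "kind": kind})
    return findings


def _blob(payload):
    return FDSO_HEADER + struct.pack("<QIQ", len(payload), 0, 0) + payload


# Constructed sample: a decoy image and a harmless VBS line, not a real notebook.
SAMPLE_VBS = b'WScript.Echo "constructed sample"'
SAMPLE = b"\x00" * 32 + _blob(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8) + _blob(SAMPLE_VBS)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for f in triage(data):
        print(f)
```

Any attachment reported as "script" or "other" in a notebook that arrived by email deserves a closer look before the file reaches a user.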

Source and images: BleepingComputer
