Onenote Malicious Attachment as Initial Vector – Detect, Investigate, and Remediate using Logpoint



Attackers are delivering malware in OneNote (.one) files by embedding malicious payloads in the note, with OneNote becoming a popular option after Microsoft began blocking Office macros by default in documents downloaded from the internet.

The technique itself is not new: delivery ranges from phishing e-mail attachments to shared OneNote files, and the payloads observed include RATs and information stealers.

To detect and respond to these attacks, the post recommends three checks: inspect the strings and embedded objects of .one files, monitor the child processes that OneNote spawns (script hosts such as cmd.exe, PowerShell, wscript.exe and mshta.exe), and look for suspicious use of built-in Windows binaries (LOLBins) in the resulting process chain. Windows and 7-Zip have since fixed bugs that allowed certain file formats and extracted archives to bypass the Mark-of-the-Web security warning, which removes one of the reasons attackers switched to OneNote.

The full post explains how the attack works and how long it is likely to remain viable.
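The following is an added example illustrating the first two checks above; it is written for this summary and is not code from the Logpoint post, nor a Logpoint detection rule. It carves embedded files out of a .one file using the FileDataStoreObject wrapper from Microsoft's public MS-ONESTORE specification (header GUID, 8-byte length, 12 bytes of padding, the data, footer GUID), scans each payload for strings typical of droppers, and evaluates constructed Sysmon-style process-creation events for OneNote spawning a script host. The .one blob, the event records, the suspicious-string list and the child-process list are all assumptions constructed for the example and should be tuned to your environment.

```python
import struct
import uuid

# GUIDs from the public MS-ONESTORE specification. Office stores GUIDs in
# little-endian mixed byte order on disk, hence bytes_le.
ONE_FILE_MAGIC = uuid.UUID("{7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}").bytes_le
FDSO_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FDSO_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
# FileDataStoreObject: guidHeader(16) cbLength(8) unused(4) reserved(8) FileData guidFooter(16)
FDSO_PREAMBLE = 16 + 8 + 4 + 8

# Assumption: strings rarely found in a legitimate note but common in dropper scripts.
SUSPICIOUS_STRINGS = [b"powershell", b"-enc", b"mshta", b"wscript", b"cmd.exe",
                      b"createobject(", b"frombase64string", b"http://", b"https://"]

# Assumption: script hosts / LOLBins that OneNote should not spawn directly.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                       "certutil.exe", "bitsadmin.exe", "curl.exe", "msiexec.exe"}


def is_one_file(blob: bytes) -> bool:
    """A genuine .one section file starts with the MS-ONESTORE guidFileType."""
    return blob.startswith(ONE_FILE_MAGIC)


def classify(data: bytes) -> str:
    """Cheap content sniff of an embedded file: image (expected) vs. executable content."""
    head = data[:512].lower()
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith((b"\x89PNG", b"\xff\xd8", b"GIF8")):
        return "image"
    if b"<hta:application" in head or b"<script" in head:
        return "hta/html"
    if b"createobject(" in head:
        return "vbs"
    if head.lstrip().startswith(b"@echo") or b"cmd /c" in head or b"powershell" in head:
        return "batch/script"
    return "unknown"


def carve_embedded_files(blob: bytes) -> list[dict]:
    """Walk every FileDataStoreObject in the blob and report payload type and strings."""
    found = []
    pos = blob.find(FDSO_HEADER)
    while pos != -1:
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + FDSO_PREAMBLE
        data = blob[start:start + length]
        lowered = data.lower()
        found.append({
            "offset": start,
            "length": length,
            "truncated": len(data) < length,  # declared size runs past end of file
            "footer_ok": blob[start + length:start + length + 16] == FDSO_FOOTER,
            "kind": classify(data),
            "strings": [s.decode() for s in SUSPICIOUS_STRINGS if s in lowered],
        })
        pos = blob.find(FDSO_HEADER, start + max(length, 1))
    return found


def _basename(path: str) -> str:
    """Windows-aware basename so the rule also runs on a non-Windows analysis host."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def flag_onenote_children(events: list[dict]) -> list[str]:
    """Process-creation events (Sysmon EID 1 style) where OneNote spawned a script host."""
    hits = []
    for e in events:
        parent, child = _basename(e["ParentImage"]), _basename(e["Image"])
        if parent == "onenote.exe" and child in SUSPICIOUS_CHILDREN:
            hits.append(f"{parent} -> {child}: {e['CommandLine']}")
    return hits


def _fdso(payload: bytes) -> bytes:
    """Wrap bytes in a FileDataStoreObject the way OneNote stores attachments."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload + FDSO_FOOTER


# Constructed sample .one blob: one embedded dropper script and one embedded PNG.
SAMPLE_ONE = (ONE_FILE_MAGIC + b"\0" * 64
              + _fdso(b"@echo off\r\npowershell -nop -w hidden -enc SQBFAFgA\r\n")
              + b"\0" * 16
              + _fdso(b"\x89PNG\r\n\x1a\n" + b"\0" * 20))

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\OneNote\16.0\Exported\Open.cmd"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\u\AppData\Local\Temp\invoice.hta"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "Image": r"C:\Windows\splwow64.exe",  # benign print helper, not flagged
     "CommandLine": "splwow64.exe 12288"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # not OneNote, not flagged by this rule
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    print("valid .one header:", is_one_file(SAMPLE_ONE))
    for obj in carve_embedded_files(SAMPLE_ONE):
        print(obj)
    for hit in flag_onenote_children(SAMPLE_EVENTS):
        print("ALERT", hit)
```

Anything classified as pe, hta/html, vbs or batch/script, or carrying several of the suspicious strings, is worth a closer look; legitimate notes almost always embed only images and documents. The process rule deliberately keys on the direct parent, since OneNote runs the embedded file itself when the user double-clicks it; a follow-on check on the command line (for example `-enc`, `certutil -decode`, or downloads via LOLBins) catches the next hop in the chain.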

https://www.logpoint.com/en/blog/onenote-malicious-attachment-as-initial-vector/

