[German]Since Microsoft and Windows system administrators are investing more in macro security, attacks via this vector are becoming more difficult. Cybercriminals are looking for new ways to deliver malware to users. OneNote occupies a prominent position as a gateway – but other files and the Mark of the Web vulnerability in Windows have also been increasingly used for attacks recently.
OneNote as an attack vector
The The colleagues at Bleeping Computer had already pointed out in January 2023 in the post Hackers now use Microsoft OneNote attachments to spread malware that cybercriminals are using Microsoft OneNote attachments to spread malware. The basis for this warning is a blog post by SpiderLabs, which in December 2022 had come across Trojans being spread in OneNote files with the .one extension as email attachments.
If the user opens this attachment, it opens in OneNote. If the user clicks away a warning that a file is being opened from OneNote, a Windows Script file script embedded in the .one file can be executed. This is then capable of causing further mischief.
The colleagues at Bleeping Computer gave advice on how administrators can disarm OneOnet as a gateway for malware in their article How to prevent Microsoft OneNote files from infecting Windows with malware. The group policies can be found in the Microsoft 365/Microsoft Office group policy templates. The required policies are described in Bleeping Computer's post.
In April 2023, Microsoft plans to implement improved protection against phishing in OneNote, as they explain in the document Microsoft 365/Microsoft Office group policy templates from March 10, 2023. The colleagues from Bleeping Computer have pointed this out here.
Starting in March 2023, Microsoft also plans to begin blocking Excel XL add-ins from the Internet in an effort to eliminate an increasingly popular attack vector for cybercriminals. Bleeping Computer has covered this within the blog post Microsoft Excel now blocking untrusted XLL add-ins by default.
Warnings and findings from Sophos
In parallel, a series of tweets from security vendor Sophos just came to my attention, also addressing new attack avenues for malware distribution, after Microsoft increased macro security. In October 2022, Sophos pointed out in the following tweet and this post that threat actors are using archive files and ISO files to get malware past Microsoft's security mechanisms via the Mark of the Web vulnerability.
I wrote something about the Mark of the Web (MotW) issue in the blog post Windows and the "Mark of the Web" (MotW) security problem. In a series of recent tweets, the Sophos X-Ops team points out that ransomware group is using OneNote and its .one files as an entry vector for malware.
In this blog post, Sophos describes how the attackers are infecting OneNote notebooks to spread malware. The cybercriminals' campaigns rely on social engineering to trick users into opening .ONE files with a variety of embedded files (HTA, BAT, VBS, WSF, EXE, JSE, CPL, CHM and more). Security researchers expect these files to become even more diverse. Here is a recent Qakbot example from the Sophos blog post.
Sophos security researchers detected initial, minor activity in mid-December 2022, which increased in January 2023. It wasn't until the major spammers became active in February 2023 that the floodgates really opened for malware distribution via this vector. So administrators should keep an eye on the issue and use the Office guidelines outlined above to disable embedded active content in OneNote notebooks.
Windows: 0Patch micropatch for MotW bypassing 0-day (no CVE)
Microsoft Security Update Summary (November 8, 2022)
Microsoft Security Update Summary (December 13, 2022)
Windows and the "Mark of the Web" (MotW) security problem
Cookies helps to fund this blog: Cookie settings