New Microsoft OneNote Phishing Campaign Discovered

A new phishing campaign has been found using Microsoft OneNote to send malicious files to unsuspecting users, completely bypassing security controls on Exchange servers. It is recommended that all users of Microsoft Exchange be vigilant for malicious attachments containing either .one files or links to unknown shares that could be used to share the files.

Within this campaign, hackers upload files to compromised SharePoint directories and then share the malicious OneNote files in a daisy-chain style attack, which makes the emails look more legitimate. The attackers then use the malicious OneNote files to upload a copy of the file to your SharePoint directory before sending out a mass email through the associated Exchange account to further distribute the malware to other companies using similar software.

Some basic steps to mitigate this kind of attack are as follows.

      1. Add .one and .msg files to your Exchange attachment blacklist if they are not required by your organisation. If you are not sure, give us a call.

      2. Train your employees on exercising further vigilance for unknown attachments of any kind from any sender.

      3. Implement mandatory two-factor authentication on all your employee Exchange accounts to prevent unauthorized access to your employees' accounts should a link accidentally be clicked.
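
As a companion to step 1, the following added example (not part of the original advisory) shows how a stored message, for instance one pulled from quarantine or a mailbox export, can be checked for the attachment types on the blacklist. It goes slightly beyond an extension match by also flagging OneNote content that arrives under a different extension; the function names, sample addresses and sample message are constructed for illustration, and the header value is the .one file-type GUID from Microsoft's OneNote file format documentation.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions from mitigation step 1 of this advisory.
BLOCKED_EXTENSIONS = {".one", ".msg"}
# First 16 bytes of a .one file: GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}
# in its on-disk (little-endian) byte order.
ONENOTE_MAGIC = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")


def blocked_attachments(raw_message: bytes):
    """Return (filename, reason) for each attachment that should be blocked."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, f"blocked extension {ext}"))
        elif payload.startswith(ONENOTE_MAGIC):
            # Content is OneNote even though the name says otherwise.
            findings.append((name, "OneNote header under another extension"))
    return findings


def build_sample() -> bytes:
    """Constructed sample message: one .one file, one renamed copy, one PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Shared notebook"
    msg.set_content("Please see the attached notebook.")
    onenote_bytes = ONENOTE_MAGIC + b"\x00" * 16  # header only, no real content
    for filename, data in [
        ("Invoice.one", onenote_bytes),
        ("Invoice.pdf", onenote_bytes),
        ("Report.pdf", b"%PDF-1.7 constructed sample"),
    ]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in blocked_attachments(build_sample()):
        print(f"{name}: {reason}")
```
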

If you or anyone you know suspects that you/they have been compromised, feel free to contact us and we can provide further advice on recovery and remediation or even conduct an investigation into the breach to improve your security posture in the future.