New use of Emotet malware within Microsoft OneNote attachments aims to help cybercriminals evade detection

James Dyer | 24th Mar 2023

Since March 2nd, 2023, intelligence from the Egress Intelligent Email Security platform shows Emotet malware being used within Microsoft OneNote attachments, as cybercriminals evolve their attacks in attempts to avoid detection.

Emotet is sophisticated malware primarily used for stealing sensitive information, such as credentials, from the machines it infects. Emotet typically spreads through malicious attachments or links contained within phishing emails, and once it has infected a system, it can also spread to other machines on the network.

Emotet is known for being highly sophisticated and very difficult to combat because of its ‘worm-like’ features that enable network-wide infections. Additionally, Emotet uses modular dynamic link libraries (DLL) to continuously evolve and update its capabilities. This malicious malware has been used in a variety of cyberattacks, varying from ransomware attacks to credential theft. It is considered one of the most dangerous and costly form of malware.

In response to Microsoft blocking macros within documents (a previously popular mechanism for spreading malware, including Emotet), cybercriminals are using OneNote attachments instead. These attachments have been disguised as ‘harmless’ attachments, such as invoices and job references.

Quick attack summary

Vector and Type: Email phishing

Techniques: Social engineering, brand impersonation

Payload: OneNote file attached to phishing emails that contain a fake invoice with an embedded .wsf file filled with virtual basic (VB) code

Targets: Organizations globally

Bypassed SEG: Yes

Platform: Microsoft 365

The phishing emails are sent from lookalike, spoofed domains that impersonate reputable organisations. As OneNote files are frequently attached to emails for legitimate purposes, this familiarity increases the likelihood of the target interacting with the payload. Once they have opened the file, victims are instructed to double-click on a ‘View’ button, which contains the malicious script.

What the Emotet/OneNote phishing emails look like

The attacks seen by our Cyber Analysts to disguise and send Emotet malware were created using a very basic HTML template. This contains a few lines of text and impersonates the UK CEO of Santander Bank in the ‘From’ address. The attacks appear to be sent from a spoofed domain (@santander.co.uk), as all email authentication fails.

In the example below, the cybercriminal uses a common social engineering tactic of an arbitrary deadline (‘This is an urgent invoice that needs to be paid ASAP!’) to increase pressure on the target, trying to force them to act fast and without thinking about, or validating what they are doing.

Phishing email containing Emotet malware within a OneNote attachment, leverage impersonation of the UK CEO of Santander Bank

Phishing email containing Emotet malware within a OneNote attachment, leverage impersonation of the UK CEO of Santander Bank

In the payload shown below, when they open the attachment, the target is taken to what appears to be a legitimate OneNote file with a blurred, ‘protected’ invoice in the background. The pop-up within the document advises the user to double click on the ‘View’ button to display the content properly.

Screengrab of OneNote file malicious payload, when opened a fake notification is displayed with a malicious script run on the victims’ machine when the ‘View’ button is clicked.

Screengrab of OneNote file malicious payload, when opened a fake notification is displayed with a malicious script run on the victims’ machine when the ‘View’ button is clicked.

Microsoft OneNote’s features allows users to create documents with design elements that overlay an embedded document. However, when a user double clicks on the location of the embedded file, even if there are design elements over them, the files will still open.

In this specific Emotet malware attack, the cybercriminals have hidden a malicious VBScript file called ‘view.wsf’ underneath the ‘View’ button in the fake OneNote pop up – when the victim clicks the button, they unintentionally run the VBScript on their machine.

Screengrab of OneNote file malicious payload, when opened a fake notification is displayed with a malicious script run on the victims’ machine when the ‘View’ button is clicked.

Malicious VBScript file is hidden underneath a fake OneNote pop up.

Microsoft OneNote will still prompt the victim with a legitimate warning message when the embedded file underneath the view button is clicked. If the victim clicks ‘OK’, the malicious script will launch.

Legitimate Microsoft warning

Legitimate Microsoft warning

Our Cyber Analysts investigated this file within a sandbox environment and found:

  • The VBScript contained an obfuscated script that appears to download a Dynamic Link Library (DLL) (which is a file type containing reusable data and code that can be used simultaneously by multiple programs)
  • The DLL is then executed using an .exe from OneNote’s temporary folder Once the script has downloaded the Emotet malware as a DLL, this is stored within the temporary OneNote folder location
  • This will then launch the DLL using ‘regsvr32.exe’, which will allow Emotet to quietly run on the victim’s machine, stealing contacts, emails, passwords and waiting for further commands from the command-and-control server.

Once Emotet has successfully infected one machine on the network, it can now use this machine as a pivot to spread to others on the network by exploiting vulnerabilities, infecting shared drives, email harvesting, and using brute force methods to try  crack passwords for other machines on the network.

Egress analysis

This attack demonstrates the sophistication of Emotet malware and how phishing can be used as an easy way to infect an initial machine.

Emotet malware was widely distributed in 2022, often seen embedded in Microsoft’s macros within Word and Excel files. This attack method, however, was curbed by Microsoft automatically blocking macros from downloaded files. The evolution to using OneNote to deliver the malicious payload enables cybercriminals to work around this update. In addition, the use of a usually benign application (OneNote) and malicious VBS payload means the attack can bypass traditional email security technologies that use signature-based detection to identify known payloads.

Similar to using Word and Excel files, using a real OneNote file gives the attachment a benign and familiar appearance, lowering the target’s suspicions that they are interacting with a malicious payload. Additionally, the use of OneNote enables the cybercriminal to effectively hide their malicious scripts underneath a highly stylized but fake warning, increasing the likelihood that their victim will be deceived.

While Microsoft will still deliver their warning when the user clicks on the ‘View’ button, most non-technical users may not acknowledge or understand this message and will likely click on the ‘OK’ button to simply get rid of the alert. Additionally, this is a familiar alert that pop ups across numerous attachments, with this familiarity again lowering suspicions and increasing the chance that the user will simply ‘click through’. Additionally, some users already having ticked the ‘Do no show this again’ button, rendering the warning useless in this scenario.

Finally, in the attacks our Cyber Analysts have analyzed, the cybercriminals use highly effective social engineering tactics, including impersonation, to increase the attacks’ credibility, lower targets’ suspicions, and manipulate targets into acting quickly. The simplicity and believability of the phishing emails used to deliver the Emotet payload is concerning for organizations given the damage this malware can do.

Advice for staying safe from these phishing attacks

As with any new trending attacks, it is important that people are aware of the phishing emails that are being used by cybercriminals and should be advised to treat any emails containing OneNote attachments with increased caution at this time. If they have any doubts about the legitimacy of the attachment, users should contact their Security teams or find another way to contact the sender to double check the attachment is safe to open.

However, it is unrealistic to expect employees to detect all phishing emails, particularly highly convincing attack that use social engineering, so it is important that organizations have advanced security controls in place. We recommend they invest in integrated cloud email security (ICES) solutions, such as Egress Defend, that deliver intelligent detection capabilities for advanced phishing attacks. Additionally, these solutions can provide real-time teachable moments to improve security awareness and training across the organization.

Microsoft has also confirmed it will be adding improved protections within OneNote against this type of phishing attachments, but a timeline for this has not been released yet.

In the meantime, Windows admins can configure group policies within their organizations to block all embedded files within OneNote. Below shows a screenshot example of where admins can configure the group policy for OneNote.