2 min

Security researchers warn that cybercriminals have started using OneNote attachments in phishing emails to infect victims with remote access malware, allowing attackers to steal passwords and even cryptocurrency wallets.

The tactic isn’t new, as attackers have been sending malware through malicious Word and Excel attachments for years, launching macros to download and install malware.

However, in July of this year, Microsoft disabled macros by default in Office documents, making malicious attachments less effective. As a result, attackers began using new file formats, such as ISO images and password-protected ZIP files.

These file formats quickly gained popularity, aided by a Windows flaw that allowed ISOs to circumvent security warnings and the popular 7-Zip archive utility’s failure to propagate mark-of-the-web flags to files extracted from ZIP archives.

Microsoft tackled the issue by prompting Windows to trigger security warnings when a user tries to access files in downloaded ISO and ZIP files. This did not stop malicious actors, however, who switched to a new file format: Microsoft OneNote attachments.


Threat actors use malicious OneNote attachments disguised as DHL shipping notifications, invoices, ACH remittance forms, mechanical drawings and shipping documents.

In some instances, opening OneNote attachments runs a VBS script that downloads malware from a remote site and installs it on the computer. The malware is a RAT (Remote Access Trojan) that allows attackers to control the system and steal information.

The most straightforward approach to avoiding malicious attachments is to refrain from opening files from untrusted sources. Users that open a file by accident do well to review any warnings triggered by the operating system or program.

Tip: Lateral security and XDR will be big in 2023, and here’s why