
The move is intended to bypass Microsoft security restrictions and infect more targets. Emotet is a notorious malware botnet that has historically been distributed through Microsoft Word and Excel attachments that contain malicious macros.

If a user opens the attachment and enables macros, a DLL will be downloaded and executed that installs the Emotet malware on the device. Once loaded, the malware will steal email contacts and email content for use in future spam campaigns.

It will also download other payloads that provide initial access to the corporate network. This access is used to conduct cyberattacks against the company, which could include ransomware attacks, data theft, cyber espionage, and extortion.

Emotet botnet is back

After three months of inactivity, the Emotet botnet suddenly turned back on. Earlier this month it spewed malicious emails worldwide in an initial campaign that was flawed because it continued to use Word and Excel documents with macros. As Microsoft now automatically blocks macros in downloaded Word and Excel documents, including those attached to emails, this campaign would only infect a few people.

Due to this, Emotet switched to Microsoft OneNote files, which have become a popular method for distributing malware since Microsoft began blocking macros.

In an Emotet spam campaign first spotted by security researcher abel, the threat actors have now begun distributing the Emotet malware using malicious Microsoft OneNote attachments. These attachments are distributed in reply-chain emails that impersonate guides, how-tos, invoices, job references, and more.


Attached to the email are Microsoft OneNote documents that display a message stating that the document is protected. It then prompts you to double-click the ‘View’ button to display the document properly.

If the user clicks on the OK button, the embedded click.wsf VBScript file will be executed using WScript.exe from OneNote’s Temp folder.
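For defenders, the execution chain described above (OneNote launching WScript.exe on a script file under its Temp folder) is visible in process-creation logs. The following Python is an added example, not part of the original article; the event field names, the inclusion of cscript.exe and other script extensions, the directory check and the sample events are assumptions constructed for illustration.

```python
import ntpath
import shlex

# WScript.exe is named in the article; cscript.exe is its console counterpart.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# File types Windows Script Host runs; .wsf is the one used in this campaign.
SCRIPT_EXTS = (".wsf", ".vbs", ".vbe", ".js", ".jse")


def script_argument(command_line):
    """Return the first script-file argument, or None (also on unbalanced quotes)."""
    try:
        # posix=False keeps backslashes literal, as Windows paths need.
        tokens = [t.strip('"') for t in shlex.split(command_line, posix=False)]
    except ValueError:
        return None
    for token in tokens[1:]:  # tokens[0] is the script host itself
        if token.lower().endswith(SCRIPT_EXTS):
            return token
    return None


def classify(event):
    """Rate one process-creation event: 'high', 'medium' or None."""
    parent = ntpath.basename(event["parent_image"]).lower()
    child = ntpath.basename(event["image"]).lower()
    if parent != "onenote.exe" or child not in SCRIPT_HOSTS:
        return None
    script = script_argument(event["command_line"])
    if script is None:
        return "medium"  # OneNote started a script host, script not identified
    parts = ntpath.normpath(script).lower().split("\\")
    # Assumption: the extracted attachment sits in a OneNote directory below Temp.
    under_onenote_temp = "temp" in parts and "onenote" in parts[parts.index("temp"):]
    return "high" if under_onenote_temp else "medium"


# Constructed process-creation events (not taken from a real incident).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "image": r"C:\Windows\System32\WScript.exe",
     "command_line": r'"C:\Windows\System32\WScript.exe" '
                     r'"C:\Users\alice\AppData\Local\Temp\OneNote\16.0\NT\0\click.wsf"'},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\bob\Documents\report.vbs"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Scripts\logon.vbs"'},
]
```

Any script host started by OneNote is rated at least "medium", because a note-taking application has little legitimate reason to run scripts; the "high" rating is reserved for a script located under a OneNote directory in Temp.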

Emotet will now quietly run on the device, stealing email and contacts and awaiting further commands from the command-and-control server. Microsoft will be adding improved protections in OneNote against phishing documents, but there is no specific timeline for when this will be available to everyone.
