Forum Discussion
Onenote Files used in Malware attacks
Hi Folks,
Any comments or recommendations regarding the increase of attacks via onenote files as noted in the below articles? I'm seeing a increased number of recommendations for blocking .one and .onepkg mail attachments. One issue is onepkg files currently cannot be added to the malware filter.
https://www.securityweek.com/microsoft-onenote-abuse-for-malware-delivery-surges/
https://labs.withsecure.com/publications/detecting-onenote-abuse
B
Joshua
Thanks, yes I've read that one but I wonder if this is really needed if you have edr in block mode for example. I was hoping for a response from MS regarding this uptick in onenote malware and how these attacks can be mitigated by defender.
Here is my compiled list:
- Block ‘.one’ '.onenote' and '.onepkg' attachments at the network perimeter or with an anti-phishing solution if ‘.one’ files are not business-critical. Email and Web Proxy if possible.
- Block All Office Applications From Creating Child Processes (Microsoft Defender)
- Recommend preventing all Office applications from creating child processes using Attack Surface Reduction(ASR) rules.
- Run the PowerShell command: Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
- This rule can also be set to ‘audit mode’ by changing ‘Enable’ to ‘AuditMode’' in the PowerShell command. This change will create eventlogs, but not block processes. More information about ASR rules: can be found in the corresponding Microsoft documentation.
- Block Office Applications From Creating Executable Content
- Recommends preventing all Office applications from creating executable content.
- Run the PowerShell command: Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enable
- This rule can also be set to ‘audit mode’ by changing ‘Enable’ to ‘AuditMode’ in the PowerShell command. This change will create eventlogs, but not block processes.More information about ASR rules: can be found in the corresponding Microsoft documentation.
- User awareness training
Another helpful url... https://www.rapid7.com/blog/post/2023/01/31/rapid7-observes-use-of-microsoft-onenote-to-spread-redline-infostealer-malware/
2 Replies
Joshua Bines Recommendation from bleeping computer article
https://www.bleepingcomputer.com/news/security/how-to-prevent-microsoft-onenote-files-from-infecting-windows-with-malware/
Thanks, yes I've read that one but I wonder if this is really needed if you have edr in block mode for example. I was hoping for a response from MS regarding this uptick in onenote malware and how these attacks can be mitigated by defender.
Here is my compiled list:
- Block ‘.one’ '.onenote' and '.onepkg' attachments at the network perimeter or with an anti-phishing solution if ‘.one’ files are not business-critical. Email and Web Proxy if possible.
- Block All Office Applications From Creating Child Processes (Microsoft Defender)
- Recommend preventing all Office applications from creating child processes using Attack Surface Reduction(ASR) rules.
- Run the PowerShell command: Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
- This rule can also be set to ‘audit mode’ by changing ‘Enable’ to ‘AuditMode’' in the PowerShell command. This change will create eventlogs, but not block processes. More information about ASR rules: can be found in the corresponding Microsoft documentation.
- Block Office Applications From Creating Executable Content
- Recommends preventing all Office applications from creating executable content.
- Run the PowerShell command: Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enable
- This rule can also be set to ‘audit mode’ by changing ‘Enable’ to ‘AuditMode’ in the PowerShell command. This change will create eventlogs, but not block processes.More information about ASR rules: can be found in the corresponding Microsoft documentation.
- User awareness training
Another helpful url... https://www.rapid7.com/blog/post/2023/01/31/rapid7-observes-use-of-microsoft-onenote-to-spread-redline-infostealer-malware/
