cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Onenote Files used in Malware attacks

Joshua Bines
Iron Contributor

‎Mar 09 2023 03:52 AM

‎Mar 09 2023 03:52 AM

Onenote Files used in Malware attacks

Hi Folks, 

 

Any comments or recommendations regarding the increase of attacks via onenote files as noted in the below articles? I'm seeing a increased number of recommendations for blocking .one and .onepkg mail attachments. One issue is onepkg files currently cannot be added to the malware filter. 

 

Microsoft OneNote Abuse for Malware Delivery Surges - SecurityWeek

Detecting OneNote Abuse | WithSecure™ Labs

 

B

Joshua

 

 

29.4K Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by Joshua Bines (Iron Contributor)
Joshua Bines

‎Mar 13 2023 02:23 AM - edited ‎Mar 13 2023 07:51 AM

‎Mar 13 2023 02:23 AM - edited ‎Mar 13 2023 07:51 AM

Solution

Re: Onenote Files used in Malware attacks

Thanks, yes I've read that one but I wonder if this is really needed if you have edr in block mode for example. I was hoping for a response from MS regarding this uptick in onenote malware and how these attacks can be mitigated by defender.

 

Here is my compiled list: 

 

  • Block ‘.one’ '.onenote' and '.onepkg' attachments at the network perimeter or with an anti-phishing solution if ‘.one’ files are not business-critical. Email and Web Proxy if possible. 
  • Block All Office Applications From Creating Child Processes (Microsoft Defender)
    • Recommend preventing all Office applications from creating child processes using Attack Surface Reduction(ASR) rules.
    • Run the PowerShell command: Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
    • This rule can also be set to ‘audit mode’ by changing ‘Enable’ to ‘AuditMode’' in the PowerShell command. This change will create eventlogs, but not block processes. More information about ASR rules: can be found in the corresponding Microsoft documentation.
  • Block Office Applications From Creating Executable Content
    • Recommends preventing all Office applications from creating executable content.
    • Run the PowerShell command: Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enable
    • This rule can also be set to ‘audit mode’ by changing ‘Enable’ to ‘AuditMode’ in the PowerShell command. This change will create eventlogs, but not block processes.More information about ASR rules: can be found in the corresponding Microsoft documentation.
  • User awareness training

 

Another helpful url... https://www.rapid7.com/blog/post/2023/01/31/rapid7-observes-use-of-microsoft-onenote-to-spread-redli...

1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by Joshua Bines (Iron Contributor)
Joshua Bines

‎Mar 13 2023 02:23 AM - edited ‎Mar 13 2023 07:51 AM

‎Mar 13 2023 02:23 AM - edited ‎Mar 13 2023 07:51 AM

Solution

Re: Onenote Files used in Malware attacks

Thanks, yes I've read that one but I wonder if this is really needed if you have edr in block mode for example. I was hoping for a response from MS regarding this uptick in onenote malware and how these attacks can be mitigated by defender.

 

Here is my compiled list: 

 

  • Block ‘.one’ '.onenote' and '.onepkg' attachments at the network perimeter or with an anti-phishing solution if ‘.one’ files are not business-critical. Email and Web Proxy if possible. 
  • Block All Office Applications From Creating Child Processes (Microsoft Defender)
    • Recommend preventing all Office applications from creating child processes using Attack Surface Reduction(ASR) rules.
    • Run the PowerShell command: Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
    • This rule can also be set to ‘audit mode’ by changing ‘Enable’ to ‘AuditMode’' in the PowerShell command. This change will create eventlogs, but not block processes. More information about ASR rules: can be found in the corresponding Microsoft documentation.
  • Block Office Applications From Creating Executable Content
    • Recommends preventing all Office applications from creating executable content.
    • Run the PowerShell command: Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enable
    • This rule can also be set to ‘audit mode’ by changing ‘Enable’ to ‘AuditMode’ in the PowerShell command. This change will create eventlogs, but not block processes.More information about ASR rules: can be found in the corresponding Microsoft documentation.
  • User awareness training

 

Another helpful url... https://www.rapid7.com/blog/post/2023/01/31/rapid7-observes-use-of-microsoft-onenote-to-spread-redli...

View solution in original post

1 Like
Reply