- Malicious actors have now been spotted using OneNote’s attachment feature to infect systems and gain remote access.
- Once a malicious attachment is opened, the computer is vulnerable to ransomware and DDoS attacks.
- Windows users should be aware of this kind of attack and take precautions to safeguard their systems from it.
OneNote attachments seem to have become a tool for attackers to spread malware. Malicious actors use OneNote attachments to infect systems with remote access malware. Remote access malware is a type of malicious software that allows attackers to gain access to a computer system remotely. It is usually distributed through phishing emails containing malicious attachments, such as Word and OneNote documents.
Fake windows to run extensions
Once the malicious attachment is opened, the attacker can gain access to the victim’s computer system and steal sensitive information or install additional malware. Remote access malware can also be used to launch distributed denial-of-service (DDoS) attacks or ransomware campaigns. Trustwave demonstrated what this attack looks like:

Microsoft announced that it would block Office macros by default from the 27th of July. That helped prevent malware from spreading through this method and pushed malicious actors to move from exploit to exploit. As a result, OneNote can now be added to the list of Office documents that require a thorough check for malicious elements. It’s unusual to see .one files attached to emails, so organizations should consider blocking or marking incoming email attachments with a .one extension as a mitigation measure.
It is important for users to be aware of this type of attack and take steps to protect their systems from it. This includes being wary of any emails they receive with OneNote attachments and only opening them if they are sure they come from a trusted source.
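One way a mail gateway hook could apply the blocking or marking mitigation described above, as an added example that is not from the article or from Trustwave. It goes slightly beyond the extension check by also matching the OneNote section file-type GUID at the start of the attachment, so a renamed .one file is still caught; the header name, subject tag and sample messages are assumptions constructed for illustration.

```python
import uuid
from email import message_from_bytes, policy
from email.message import EmailMessage

# File-type GUID that opens a OneNote section file (MS-ONESTORE), in on-disk byte order.
ONE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
FLAG_HEADER = "X-OneNote-Attachment"      # hypothetical header name
SUBJECT_TAG = "[OneNote attachment] "     # hypothetical marking text

def onenote_parts(raw: bytes):
    """Return [(filename, reason)] for every MIME leaf that looks like a .one file."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():               # walk() also descends into forwarded mails
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().rstrip(". ").endswith(".one"):
            hits.append((name, "extension"))
        elif data.startswith(ONE_MAGIC):  # renamed file, e.g. invoice.pdf
            hits.append((name, "header"))
    return hits

def mark(raw: bytes) -> bytes:
    """Tag the subject and add a header so a gateway can quarantine or warn."""
    hits = onenote_parts(raw)
    if not hits:
        return raw
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    del msg["Subject"]
    msg["Subject"] = SUBJECT_TAG + subject
    msg[FLAG_HEADER] = ",".join(sorted({reason for _, reason in hits}))
    return msg.as_bytes()

def sample(filename: str, payload: bytes) -> bytes:
    """Constructed test message with one attachment (not real traffic)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for fn, body in [("Invoice.one", ONE_MAGIC + b"\0" * 16),
                     ("invoice.pdf", ONE_MAGIC + b"\0" * 16),
                     ("notes.txt", b"plain text")]:
        print(fn, onenote_parts(sample(fn, body)))
```

Messages without a match are returned byte-for-byte unchanged, so the hook can sit in front of delivery without rewriting ordinary mail.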