A phishing campaign was recently discovered leveraging OneNote, Microsoft’s digital notebook that automatically saves and syncs notes, to bypass detection tools and download malware onto victims’ systems.
The attacker was utilizing OneNote as a way to easily experiment with various lures that either delivered the credential-stealing Agent Tesla keylogger or linked to a phishing page – or both. The attack first started with an email to victims that contained a link to the OneNote document.
“Thanks to the ease of use and accessibility of OneNote, the threat actor was able to update a ‘phishing notebook’ multiple times a day, experiment with various intrusion methods, and improve the odds to successfully evade email security controls,” said researchers with Cofense in a Tuesday analysis. “Numerous Agent Tesla Keylogger payloads as well as links to different credential phishing websites were included in the campaign.”
The threat actor first sent an email to companies purporting to be a marketing manager sending an order invoice (Cofense did not list the scope of targets or how effective the campaign has been thus far). The link to the order request invoice was actually a tiny[.]cc link, which eventually brought victims to a OneNote document. Over the span of two weeks, researchers said that threat actors swapped out the layout of this OneNote page, cycling between four different templates to deliver a credential phishing portal and unique malware samples.
For instance, in one of the earlier template versions the page sends two URLs – one with an Office 365 credential phishing page and the other that downloads malware. Other later template versions were tweaked so that they linked to malware downloads rather than also linking to credential phishing sites.
The various OneNote versions had different lures as well. One told victims that a transfer had been successfully received from their bank invoice and told them to click on a link to view the details of the transfer (which actually downloaded malware), while another told them that their OneDrive isn’t synced with their organization’s backup, and asked them to “auto verify” in order to fix the issue — which brought them to a phishing page.
In all cases where malware was delivered, the malware was a first-stage downloader, which attempted to download an encrypted binary. This binary, the Agent Tesla keylogger, was then decrypted and run in memory. Agent Tesla, used in various campaigns over the years, collects and exfiltrates stored logins and keystrokes on victims’ systems. Interestingly, the malware tied to this specific campaign failed due to improper customization, indicating that the threat actor may be inexperienced, researchers said.
“Initially, the two first-stage malware downloaders had their encrypted payloads stored on Google Drive,” said researchers. “Newer loaders attempted to fetch payloads from a compromised host, the same host that provided the malware downloaders. The newer loaders did, however, fail to accomplish their tasks due to improper customization by the threat actor. Such error is indicative of a less-capable operator who leverages pre-made kits but falls short on modifying them.”