Threat actors behind the infamous Emotet malware, which recently re-emerged this month to infect users through their inboxes once again, are now exploiting Microsoft OneNote to distribute the malware and bypass Microsoft security restrictions, according to security researchers at Malwarebytes.
Since mid-December 2022, threat actors have been increasingly exploiting Microsoft OneNote files to deliver malware and compromise victims. A successful Emotet attack typically leads to the delivery of additional malware, including ransomware. In this specific Emotet OneNote campaign, researchers observed malicious attachments being delivered in reply-chain emails with subjects that purport to be how-to guides, invoices, job references, and other lures. If the user downloads the attachment and executes the hidden malicious VBScript underneath the "View" button, the script ultimately downloads Emotet. The malware then runs quietly on the device, stealing email and contacts and awaiting further commands from the command-and-control server. To help organizations proactively defend against this activity, BleepingComputer posted comprehensive guidance on how to block malicious Microsoft OneNote files (posted below). Read more at Malwarebytes Labs or at BleepingComputer.
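The lure described above works because OneNote stores attached files inside the notebook as FileDataStoreObject records (the structure is documented in Microsoft's MS-ONESTORE specification: a header GUID, an 8-byte length, 12 bytes of unused/reserved space, the file bytes, then a footer GUID). A mail gateway or triage script can therefore carve those records out of a .one attachment and flag any that look like a script or executable rather than an image or document. The scanner below is an added example written for this advisory, not code from Malwarebytes, BleepingComputer or WaterISAC; the GUID byte values are from the specification, while the marker list, the `build_fdso` helper and the `SAMPLE_ONE` blob are constructed here for illustration and are not taken from a real Emotet sample.

```python
"""Carve embedded files out of a OneNote (.one) blob and flag script-like content.

Added example for triage/detection; FileDataStoreObject layout per MS-ONESTORE.
"""
import struct
from dataclasses import dataclass

# GUIDs as they appear on disk (little-endian field order).
# guidHeader {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
FDSO_HEADER = bytes.fromhex("e716e3bd65261145a4c48d4d0b7a9eac")
# guidFooter {71FBA722-0F79-4A0B-BB13-899256426B24}
FDSO_FOOTER = bytes.fromhex("22a7fb71790f0b4abb13899256426b24")
# guidHeader(16) + cbLength(8) + unused(4) + reserved(8)
FDSO_HEADER_LEN = 16 + 8 + 4 + 8

# Constructed marker list (assumption): strings a VBScript/HTA/batch dropper
# is likely to contain. Tune for your environment; this is not a signature.
SCRIPT_MARKERS = (b"wscript", b"createobject", b"cmd /c", b"cmd.exe",
                  b"powershell", b"<script", b"mshta", b"rundll32",
                  b"executeglobal", b"execute(")
BENIGN_MAGIC = {b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg",
                b"%PDF": "pdf", b"PK\x03\x04": "zip/office"}


@dataclass
class Embedded:
    offset: int       # offset of the FileDataStoreObject header in the blob
    size: int         # bytes of file data actually present
    kind: str         # rough content classification
    suspicious: bool  # True for scripts/executables
    footer_ok: bool   # footer GUID found where cbLength says it should be


def classify(data: bytes) -> tuple:
    """Return (kind, suspicious) from magic bytes and simple text markers."""
    head = data[:8]
    for magic, name in BENIGN_MAGIC.items():
        if head.startswith(magic):
            return name, False
    if head.startswith(b"MZ"):
        return "pe-executable", True
    sample = data[:4096].lower()
    if any(marker in sample for marker in SCRIPT_MARKERS):
        return "script", True
    return "unknown", False


def scan(blob: bytes) -> list:
    """Find every FileDataStoreObject in blob and classify its payload."""
    found = []
    pos = blob.find(FDSO_HEADER)
    while pos != -1:
        if pos + FDSO_HEADER_LEN > len(blob):
            break
        (cb_length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + FDSO_HEADER_LEN
        end = start + cb_length
        if end > len(blob):
            # Truncated or malformed length: report what is visible anyway,
            # since a bad cbLength is itself worth a look.
            data, footer_ok = blob[start:], False
        else:
            data = blob[start:end]
            footer_ok = blob[end:end + 16] == FDSO_FOOTER
        kind, suspicious = classify(data)
        found.append(Embedded(pos, len(data), kind, suspicious, footer_ok))
        pos = blob.find(FDSO_HEADER, start)
    return found


def scan_file(path: str) -> list:
    with open(path, "rb") as fh:
        return scan(fh.read())


def build_fdso(data: bytes) -> bytes:
    """Constructed helper: wrap bytes in a FileDataStoreObject for testing."""
    return FDSO_HEADER + struct.pack("<Q", len(data)) + b"\0" * 12 + data + FDSO_FOOTER


# Constructed sample notebook: filler, a harmless PNG stub, more filler,
# then a tiny benign VBScript that only echoes a string.
SAMPLE_ONE = (
    b"\x00" * 64
    + build_fdso(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    + b"\x11" * 16
    + build_fdso(b"' constructed VBScript sample\r\nWScript.Echo \"constructed sample\"\r\n")
)


def summarize(blob: bytes = SAMPLE_ONE) -> dict:
    results = scan(blob)
    return {"embedded": len(results),
            "suspicious": [r.kind for r in results if r.suspicious]}


if __name__ == "__main__":
    for e in scan(SAMPLE_ONE):
        flag = "SUSPICIOUS" if e.suspicious else "ok"
        print(f"offset={e.offset} size={e.size} kind={e.kind} footer_ok={e.footer_ok} {flag}")
```

Running the block against `SAMPLE_ONE` reports two embedded objects and flags only the script, which is the signal a gateway rule or SOC playbook would act on (quarantine the message, or at least strip the attachment) before a user ever sees the "View" button. Classification by magic bytes is deliberately conservative: an unknown payload is reported but not flagged, so analysts can extend `SCRIPT_MARKERS` and `BENIGN_MAGIC` for their own environment.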
Additional WaterISAC reporting on the OneNote infection vector and Emotet:
- Cyber Resilience – How to Block Microsoft OneNote Files from Delivering Malware
- Threat Awareness – Use of Microsoft OneNote to Spread Malicious Payloads Rising
- Threat Awareness – Threat Actors Exploiting Microsoft OneNote Attachments to Spread Malware
- Zscaler Report – OneNote: A Growing Threat for Malware Distribution
- Threat Awareness – Keep Our Eyes on Emotet
- Threat Awareness – Emotet Returns After Four Month Break
- Emotet Employing New Tactics to Evade Detection and Infect More Victims