OneNote Used To Sidestep Phishing Detection

Microsoft’s OneNote known for its’ simple note-taking and digital organizing features was recently on the headlines for perhaps the wrong reasons. Discovered by Cofense, Microsoft OneNote was used recently to target victims with a phishing campaign. The digital notebook was used to perpetuate the “Agent Tesla keylogger”.

As reports suggest, the digital app that can save and sync notes hassle-free was used to outmaneuver detection tools and progressively download malware software into any victims’ computer.



This leverage used by the attacked was key as OneNote is easy to experiment with and its features allow for such experiments to prosper. The ease of use and accessibility feature enables such cyber attacks to take place.

The hacker delivered a luring technique to steal credentials from the victim by bringing them to a landing page (phishing page) that started with them posing as a  marketing executive who had sent a link sent to the victims’ email containing a link to a OneNote document. This usually was an invoice or some other document that at first glance seemed pretty harmless. Once the victim clicked the link to access the document, the so-called “phishing notebook” through various intrusion methods helped evade email security controls. Agent Tesla keylogger enabled that.

Weeks of research and tracking cyber footprints revealed that the attacker was using a “swapped-layout” mechanism of the OneNote page to deliver his/her phishing campaign.

Taking advantage of OneNote

Researchers claimed that the use of OneNote to deliver this phishing campaign was indeed indigenous. As it allowed the attacker to easily change the various templates and inturn adapt to a different one based on the victim profiles.

OneNote as a digital note-taking application has ready accessibility that needs no maintenance and basically acts as a free database that can be of potential threat to cybercriminals. The downside is that the services have led to illegal and criminal activity in the past and that is why Microsoft needs to course check with these types of applications.

keylogger 540x270 1

Having said that, the success rate of this phishing campaign is undisclosed yet and sources are yet to lock a figure.

- Advertisement -

An Architect by profession & practice, Pranita is a keen observer and specialises in content, visualisation, and presentation. Cyber attacks & Architecture Technology in the far more technologically-advanced world made her realise that there is a lack of necessary awareness among people. Hence, keeping you all updated and protected by all means with subjects from Architecture Technology to Security Awareness.Currently working as a Head of Content, content writer & creator at BLARROW.TECH

- Advertisement -

Latest articles

Related articles