Cyber Vigilance Update

Today’s Connection

Cyber Engage Update - 01/02/2023

Office Alert

Microsoft OneNote – Malware Alert.

Your OneNote file may hold more than just last week’s agenda items.

Security researchers have been monitoring the rise of a new technique for spreading malware, using Microsoft’s OneNote to deliver malicious payloads to unsuspecting victims.

Hackers have used Microsoft files to spread malware for years, especially via malicious macros shared in Excel files.

However, in 2022, Microsoft finally blocked macros from running by default. Undeterred, hackers have discovered that OneNote makes an ideal platform for their needs.

For one thing, OneNote — Microsoft’s popular note-taking application — is itself installed by default on most Windows PCs, so that OneNote files can easily be opened by most users. And if a user does not have it, it can be downloaded for free.

Researchers at Trustwave’s SpiderLabs first noticed the OneNote strategy being employed in December 2022, when their systems flagged a spam email with an attached .one file.

In this instance, the email claimed to be from the “purchasing team” at another company, with a request for a quote for some unnamed service.

The ‘Clever Part’ - AKA Technical Explanation

The clever part (or devious part) is what happens when someone clicks on the attached OneNote file:

  • The file first displays an image lure, which pops up asking users to “view document”. When this is clicked, not only is the file downloaded, but so is a malicious payload, in this case a data-extracting Trojan called Formbook.
  • Windows does pop up the usual warning about opening unknown attachments, but a lot of users are quite used to ignoring this.
  • Once this warning is dismissed, a Windows Script File embedded inside the OneNote file runs, which in turn launches a PowerShell command that downloads two files from a command-and-control server with a .ru domain.
  • The first file is a legitimate OneNote file which, while opening, obscures the second file, which is the Formbook malware itself.

As a result, a WSF file embedded in a OneNote document is likely to fly under the radar. 

What can you do?

Be aware that it is not typical to see .one files attached to emails.

As a mitigation measure, organisations should consider blocking or flagging inbound email attachments with a .one extension.   

This means that OneNote should be added to the list of other Office documents that need to be inspected for malicious components.
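
One way to apply the mitigation above in a mail gateway or mailbox-triage script, added here as an example (not code from this newsletter or from Trustwave). It flags attachments by .one extension and by the OneNote header GUID, so renamed files are still caught, and counts embedded-file objects; the function names and the sample message are constructed for illustration, and the two GUIDs are taken from the [MS-ONESTORE] file format.

```python
import uuid
from email import message_from_bytes, policy
from email.message import EmailMessage

# GUIDs defined by the [MS-ONESTORE] format; stored little-endian on disk.
ONE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le  # .one file header
EMBEDDED = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le   # embedded file object

def triage(raw_email):
    """Return one finding per attachment that is, or claims to be, a OneNote file."""
    findings = []
    msg = message_from_bytes(raw_email, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        by_ext = name.lower().endswith(".one")
        by_magic = data.startswith(ONE_MAGIC)  # catches a .one file renamed to another type
        if by_ext or by_magic:
            findings.append({
                "filename": name,
                "extension_match": by_ext,
                "header_match": by_magic,
                # Embedded objects are what carried the script in the campaign above.
                "embedded_files": data.count(EMBEDDED),
            })
    return findings

def build_sample():
    """Constructed test message with inert attachments (header bytes and padding only)."""
    msg = EmailMessage()
    msg["Subject"] = "Request for quote"
    msg.set_content("Please see attached.")
    fake_one = ONE_MAGIC + b"\x00" * 32 + EMBEDDED + b"\x00" * 36
    for fname in ("RFQ.one", "invoice.pdf"):  # second one simulates a renamed file
        msg.add_attachment(fake_one, maintype="application",
                           subtype="octet-stream", filename=fname)
    msg.add_attachment(b"%PDF-1.4", maintype="application",
                       subtype="pdf", filename="real.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

An attachment with a header match and a non-zero embedded-file count is the case to quarantine or route for inspection rather than deliver.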


Home Alert

Fake Accounts amongst ‘Friends’.

It’s not what mates do.

The capacity of children to utilise technology and their devices to target other children either directly or indirectly is well known and never ceases to surprise. Whilst clearly producing a negative and long-lasting impact on the recipients, those perpetrating the acts are also liable for significant legal penalties and potential exposure to criminal elements.

One recent trend is the occurrence of kids (bullies) creating fake accounts in the name of another child and using it to create mischief such as sending inappropriate messages (especially to the opposite sex and younger children).

Much of this activity occurs in forums/platforms such as Instagram and Snapchat and can often go unnoticed for quite a while.

It usually becomes known when the innocent party is approached by the recipients (or their teachers/parents) and accused of the acts.

Whilst the fake accounts can ultimately be revealed, it can take time, and by then significant damage is done to those on the receiving end through broken trust and mental anguish that will continue long after the actual act has occurred.

What can you do?

The most appropriate action is to encourage your children to report any suspicious behaviour amongst their social group.

If a message is received from ‘Johnny’ and the first reaction is ‘That is not like him!’ then it most likely isn’t him.

Immediate action is the best. 

Accounts can be checked forensically, and the perpetrators can often be identified.

There are many benefits of modern technology for all users but unfortunately many abuse this and as a result we must be vigilant to protect those we love.

This week's Training module


Cyber Threat Reporting (1/1)

Cyber Security Vigilance Program

Version 16-11-2022

Cyber Security Vigilance