Microsoft's move to block macros by default has prompted threat actors to use reply chain emails with Microsoft OneNote attachments to facilitate the distribution of Emotet malware, reports BleepingComputer.
Malicious Microsoft OneNote documents used in the new Emotet malware campaign display a message saying the file is protected and asking the user to double-click the "View" button. The button carries an embedded malicious VBScript file that downloads and executes a DLL from a remote website, noted security researcher abel.
Ignoring Microsoft OneNote's warning about launching the embedded file leads to the VBScript file being executed through WScript.exe in OneNote's Temp folder. Emotet is downloaded and stored in the same folder, and the DLL is then launched with regsvr32.exe.
No information about other payloads deployed in the new Emotet campaign has emerged, but previous Emotet campaigns involved the distribution of Cobalt Strike and other malware.
Increasingly prevalent malware attacks exploiting OneNote have prompted Microsoft to strengthen phishing protections in the platform.
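Defenders can hunt for the process chain described above (OneNote, then WScript.exe, then regsvr32.exe, all working out of OneNote's Temp folder) in process-creation telemetry. The sketch below is an added example, not code from the report or the researcher; the event fields, the `\temp\onenote\` path fragment, the single-host PID lookup and every sample event are assumptions constructed for illustration.

```python
import ntpath

# Assumption: OneNote unpacks embedded files beneath a "\temp\onenote\" directory.
ONENOTE_TEMP = "\\temp\\onenote\\"

# Constructed process-creation events (fields modelled on Sysmon Event ID 1), one host.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 900, "image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "cmdline": r'"ONENOTE.EXE" "C:\Users\u1\Downloads\sample.one"'},
    {"pid": 4388, "ppid": 4120, "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"WScript.exe" "C:\Users\u1\AppData\Local\Temp\OneNote\sample.vbs"'},
    {"pid": 4512, "ppid": 4388, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe "C:\Users\u1\AppData\Local\Temp\OneNote\sample.dll"'},
    {"pid": 5000, "ppid": 700, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Scripts\logon.vbs"'},           # benign admin script
    {"pid": 5100, "ppid": 800, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Windows\System32\example.dll"'},  # benign registration
]

def ancestors(event, by_pid):
    """Yield lower-cased image names of the parent chain, nearest parent first."""
    seen = set()
    parent = by_pid.get(event["ppid"])
    while parent and parent["pid"] not in seen:  # guard against PID loops
        seen.add(parent["pid"])
        yield ntpath.basename(parent["image"]).lower()
        parent = by_pid.get(parent["ppid"])

def detect(events):
    """Return (pid, reason) for processes matching the OneNote-to-DLL chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        chain = list(ancestors(e, by_pid))
        in_temp = ONENOTE_TEMP in e["cmdline"].lower()
        if name == "wscript.exe" and chain[:1] == ["onenote.exe"] and in_temp:
            alerts.append((e["pid"], "script host launched by OneNote from its Temp folder"))
        elif name == "regsvr32.exe" and "onenote.exe" in chain and in_temp:
            alerts.append((e["pid"], "regsvr32 loading a DLL from OneNote's Temp folder"))
    return alerts

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

Requiring both the OneNote ancestry and the Temp-folder path keeps routine WScript.exe and regsvr32.exe use, such as the two benign sample events, from alerting.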
Microsoft OneNote attachments leveraged for Emotet distribution