Qaknote Campaign | Glass of 0J

YouTube

At 12:15pm EST today you can see my analysis of the #QakNote Campaign using #OneNote to deliver #Qakbot on #Glassof0J

#infosec #hacking #cybercrime #ioc #ioa

https://youtu.be/v1MtTHS-I24


Reading through the Sophos Blog on #QakNote gave some opportunity for some #regex practice:

EmailAttachmentInfo
| join EmailEvents on NetworkMessageId
// QakNote lure names: <prefix>_<5 digits><1 char><5 word chars><1 char>.one
// The single '.' wildcards are kept from the original pattern; the extension dot is
// escaped and the end anchored so ".one" cannot also match "xone" or ".onenote"
| where FileName matches regex @'ApplicationReject_\d{5}.\w{5}.\.one$'
    or FileName matches regex @'ComplaintCopy_\d{5}.\w{5}.\.one$'

Happy Hunting ~

https://news.sophos.com/en-us/2023/02/06/qakbot-onenote-attacks/

Qakbot mechanizes distribution of malicious OneNote notebooks

A large-scale “QakNote” attack deploys malicious .one files as a novel infection vector

Sophos News
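Before running a regex hunt like the one in the post above against EmailAttachmentInfo, it helps to check what the pattern does and does not match offline. The script below is an added example, not part of the original post or of the Sophos write-up: it compiles a tightened form of the same pattern (both prefixes in one alternation, extension dot escaped, end anchored) and runs it over a handful of constructed attachment names, including near-misses such as a missing digit, a wrong extension, and a name where an unescaped dot would have matched.

```python
import re

# Tightened form of the hunting pattern from the post: literal prefix, five digits,
# one separator character, five word characters, one separator, then the literal
# ".one" extension. The two '.' wildcards are kept as in the original query.
# No IGNORECASE flag: KQL's `matches regex` is case-sensitive, so this stays
# faithful to how the query behaves in Advanced Hunting.
QAKNOTE_ATTACHMENT_RE = re.compile(
    r'^(?:ApplicationReject|ComplaintCopy)_\d{5}.\w{5}.\.one$'
)


def is_qaknote_name(filename: str) -> bool:
    """Return True when an attachment name follows the QakNote naming pattern."""
    return QAKNOTE_ATTACHMENT_RE.match(filename) is not None


# Constructed sample attachment names (not taken from the campaign): two that
# follow the pattern and several near-misses a looser regex would also match.
SAMPLE_NAMES = [
    "ApplicationReject_12345(Jan31).one",
    "ComplaintCopy_90210[Feb01].one",
    "ApplicationReject_12345(Jan31).onenote",   # wrong extension
    "ApplicationReject_1234(Jan31).one",        # only four digits
    "ComplaintCopy_90210(Feb01)xone",           # an unescaped '.' would match this
    "applicationreject_12345(Jan31).one",       # case differs; KQL regex is case-sensitive
    "Invoice_12345(Jan31).one",                 # unrelated prefix
]


def hunt(names):
    """Return the subset of names that match, preserving input order."""
    return [n for n in names if is_qaknote_name(n)]


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{str(is_qaknote_name(name)):5}  {name}")
```

Only the first two constructed names survive the filter. If the real lures turn out to use a different separator or a longer date token, widen the `.` and `\w{5}` parts here first, confirm against the samples, and then paste the adjusted pattern back into the KQL `where` clause.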

@SophosXOps
Our coverage of this #malware campaign includes a breakdown of the attack chain, IOCs, and some other curious details -- such as the fact that the embedded graphic elements were originally added to the document using filenames in the Russian language. "Curious," that.

People unfamiliar with OneNote as a weaponized document format should get used to this; #QakNote #maldocs are probably here to stay -- at least, until mail server admins decide to block all inbound .one attachments. 6/6

https://news.sophos.com/en-us/qakbot-onenote-attacks/
