Show threadAndrew BrandtAug 29, 2023

Here was our followup research, when the #Qakbot #malware criminals began to abuse #OneNote files as malicious attachments (#maldocs).

https://news.sophos.com/en-us/2023/02/06/qakbot-onenote-attacks/

Qakbot mechanizes distribution of malicious OneNote notebooks

A large-scale “QakNote” attack deploys malicious .one files as a novel infection vector

Sophos News
Show threadAndrew 🌻 Brandt 🐇Feb 6, 2023

@SophosXOps
Our coverage of this #malware campaign includes a breakdown of the attack chain, IOCs, and some other curious details -- such as the fact that the embedded graphic elements were originally added to the document using filenames in the Russian language. "Curious," that.

People unfamiliar with OneNote as a weaponized document format should get used to this; #QakNote #maldocs are probably here to stay -- at least, until mail server admins decide to block all inbound .one attachments. 6/6

https://news.sophos.com/en-us/qakbot-onenote-attacks/

Qakbot mechanizes distribution of malicious OneNote notebooks

A large-scale “QakNote” attack deploys malicious .one files as a novel infection vector

Sophos News
MathieuBFeb 5, 2023
The Defender's Guide to #OneNote #MalDocs
https://opalsec.substack.com/p/the-defenders-guide-to-onenote-maldocs
The Defender's Guide to OneNote MalDocs

Who's abusing it, and how to mitigate it in your environment

Opalsec