Emotet malware now distributed in Microsoft OneNote files to evade defenses

The Emotet malware is now distributed using Microsoft OneNote email attachments, aiming to bypass Microsoft security restrictions and infect more targets.

Emotet is a notorious malware botnet historically distributed through Microsoft Word and Excel attachments that contain malicious macros. If a user opens the attachment and enables macros, a DLL will be downloaded and executed that installs the Emotet malware on the device.

Once loaded, the malware will steal email contacts and email content for use in future spam campaigns. It will also download other payloads that provide initial access to the corporate network.

This access is used to conduct cyberattacks against the company, which could include ransomware attacks, data theft, cyber espionage, and extortion.

While Emotet was one of the most distributed malware in the past, over the past year, it would stop and start in spurts, ultimately taking a break towards the end of 2022.

After three months of inactivity, the Emotet botnet suddenly turned back on, spewing malicious emails worldwide earlier this month.

However, this initial campaign was flawed as it continued to use Word and Excel documents with macros. As Microsoft now automatically blocks macros in downloaded Word and Excel documents, including those attached to emails, this campaign would only infect a few people.

Due to this, BleepingComputer predicted that Emotet would switch to Microsoft OneNote files, which have become a popular method for distributing malware after Microsoft began blocking macros.

Emotet switches to Microsoft OneNote

As predicted, in an Emotet spam campaign first spotted by security researcher abel, the threat actors have now begun distributing the Emotet malware using malicious Microsoft OneNote attachments.

These attachments are distributed in reply-chain emails that impersonate guides, how-tos, invoices, job references, and more.

Attached to the email are Microsoft OneNote documents that display a message stating that the document is protected. It then prompts you to double-click the ‘View’ button to display the document properly.

Microsoft OneNote allows you to create documents that contain design elements that overlay an embedded document. However, when you double-click on the location where the embedded file is located,…