Take Note: Armorblox Stops OneNote Malware Campaign

Lauryn Cash
Written by Lauryn Cash
Threat Research /
Take Note: Armorblox Stops OneNote Malware Campaign

In a world where we are constantly bombarded with emails and files, the differentiation between the genuine and the malicious becomes more obscure. Recently, a malware attack campaign has been making waves, spreading its infection through a seemingly innocuous attachment disguised as a OneNote file.

In today’s Blox Tale, we'll take a deep dive into this malicious malware attack campaign that Armorblox accurately identified and stopped, protecting more than 15,000 end users from unknowingly engaging. Explore the dark underbelly of this attack as we uncover the tactics used by the attackers and shed light on the consequences for those who fell victim.


Mailboxes: More than 15,000 mailboxes

Target: Multiple organizations across industries

Email security bypassed: Microsoft Office 365 Email Security & leading Secure Email Gateway

Techniques used: Social engineering, vendor impersonation, attachment containing malware

The Malicious Software Attack Campaign

Over the course of the month, Armorblox has seen a re-emergent of the Qakbot malware campaign. These email attacks contain malicious software disguised as a OneNote file attachment. Across all malware attacks that Armorblox successfully identified and remediated, these incidents have similar characteristics:

  1. The email looks to be coming from a trusted vendor or service provider
  2. The email uses financial-based language talking about the execution of a sale
  3. The email includes OneNote file attachment

Below we see a couple of examples of emails within this malware campaign:

Fig 1: Example of Malware Attack with OneNote Attachment

Fig 2: Example of Malware Attack with OneNote Attachment

In both emails above, the language used across the subjects paint the picture that a purchase has been completed, RE: Purchase Order and RE: SOLD. The attacker aims to create a sense of urgency in unsuspecting victims by claiming that their review of an order is required as soon as possible. If victims receive an email of this sort unexpectedly, the likelihood of that email being opened, read, and engaged with is higher – and this is exactly what the attacker wants.

Upon opening the email, victims are presented with a simple-bodied email designed to look like a follow-up to a previous discussion. As victims read this language-based email, they are prompted to open the attachment to review the details of the order to which it seems has already been completed.

The OneNote file attachment seen across all emails within this malware attack campaign contains Windows Command Script (.cmd), which when opened initiates the encoded powershell command to download the Qakbot payload onto the victim’s environment, in order to steal sensitive information across user files and browser.

Fig 3: Qakbot Malware Campaign Attack Flow

For unsuspecting victims, opening a seemingly harmless OneNote file attachment initiates the following:

  1. VB Script code (base64) encoded inside an MS OneNote file
  2. Embedded windows command script (.cmd) invokes powershell and connects to URLs with last directory name ending in image type file extensions(.gif, .png)
  3. Malicious payload RAT (Remote Access Trojan) in the form of a DLL file (Dynamic Linking Library) is automatically downloaded from these URLs on the victim’s device - checking for PuTTY in the program data folder of the user to connect

The Power of Armorblox

The malware attack campaign bypassed both native Microsoft Office 365 and leading SEG email security controls. Spoofing trusted vendor contacts, these language-based email bodies seem innocent to unsuspecting victims. Legacy tools that rely on known malware attributes and techniques to stop malicious software attacks failed to catch this previously unseen, targeted malware attack.

Attackers created new domains in order to execute this attack campaign that contained malware, bypassing legacy solutions that only look at email authentication checks. Microsoft marked this email as safe (and assigned an SCL score of 1) which would have delivered it to more than 15,000 user inboxes. Fortunately, these end users are protected by Armorblox, who accurately detected this email attack with a malicious attachment containing malware.

Fig 4: Armorblox OneNote Attachment Malware Analysis

Armorblox uses ML-based detection models to accurately identify targeted malware and advanced persistent threats that target organizations and end users, which is outside the breadth of security layers provided by legacy solutions that only utilize known attributes. Armorblox ML-based models coupled with NLU to understand both the content and context of email communications adds the necessary layer of malware protection organizations need by looking at the email in its entirety; understanding communication trends and workflows to better detect and protect end users against advanced email threats.

Attackers posed as trusted vendors and suppliers in order to get victims to engage. Armorblox automatically identified that these emails were impersonating legitimate vendor relationships, another protection layer that legacy security tools do not have the capability to provide to customers. Armorblox identifies vendor and supply chain relationships in real-time based on contextual information and language and behavior signals indicative of a vendor relationship including, business email workflows involving invoices, wire transfers, or bank account information, new product or service confirmation emails, and communications around contract negotiations. These vendor relationship behavior baselines are created and monitored through various signals and automatically flagged when anomalous behaviors are identified.

MITRE Attack Matrix TTPs being targeted:

Below are some of the TTPs from the MITRE Att&ck matrix which is targeted by this campaign from the end-to-end flow.

Initial Access: Spearphishing Attachment (T1193)

Execution: PowerShell (T1086), Exploit Public-Facing Application (T1190)

Persistence: Registry Run Keys / Startup Folder (T1060)

Defense Evasion: Obfuscated Files or Information (T1027)

Credential Access: Credential Dumping (T1003)

Collection: Data from Local System (T1005), Browser History (T1212)

Command and Control: Command and Control (T1043)

Lateral Movement: Remote Services (T1021)

Exfiltration: Exfiltration Over Command and Control Channel (T1041)

Indicators of Compromise:

Below is the list of some of the files and URLs to look out for to detect or prevent this campaign.






[https://] somosacce[.]org/aswyw/01[.]gif

[https://] qualityrepairatdoor[.]com/lmSQNui/01[.]png

Learn how Armorblox protects your organization from targeted malware attacks.

Take Product Tour

Read This Next