Over the last month, the team has observed an increase in campaigns that use OneNote to spread malware. Threat actors have pivoted to malicious OneNote notebooks with embedded attachments to execute code on target systems. This tactic appears to have become more prevalent following Microsoft's announcement of plans to disable Office macros and Excel 4.0 (XLM) macros in files from external sources such as email and the internet.
The team continuously analyzes samples and conducts threat-hunting campaigns to stay ahead of these attacks. As always, customers will be notified privately of relevant threats found during threat-hunting efforts.
To combat this, the team has added a new analytic to the Hunters platform, "Commonly Abused Binary Executed by OneNote Application", which detects OneNote launching binaries commonly abused for code execution and includes a dedicated scoring layer so that high-severity alerts are prioritized.
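As an added illustration of the detection idea (not the Hunters analytic itself), the example below scores constructed process-creation events: a child of `onenote.exe` that is on a list of commonly abused binaries alerts, and command-line markers raise its severity so the highest-risk hits surface first. The event shape, binary list, and weights are assumptions for the example.

```python
from collections import namedtuple

# Constructed event shape, loosely modelled on Sysmon Event ID 1 fields (an assumption).
ProcessEvent = namedtuple("ProcessEvent", "parent_image image command_line")

# Commonly abused binaries with an assumed base severity weight (not the page's list).
ABUSED_BINARIES = {
    "powershell.exe": 3, "wscript.exe": 3, "cscript.exe": 3, "mshta.exe": 3,
    "cmd.exe": 2, "rundll32.exe": 2, "regsvr32.exe": 2, "certutil.exe": 2,
    "curl.exe": 2, "bitsadmin.exe": 2, "msiexec.exe": 1,
}
# Command-line markers that raise the score (assumed weights).
SUSPICIOUS_ARGS = {"-enc": 2, "downloadstring": 2, "hidden": 1, "http": 1}

def basename(path):
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """0 unless an abused binary was spawned by OneNote; otherwise a severity score."""
    if basename(ev.parent_image) != "onenote.exe":
        return 0
    child = basename(ev.image)
    if child not in ABUSED_BINARIES:
        return 0
    cl = ev.command_line.lower()
    return ABUSED_BINARIES[child] + sum(w for m, w in SUSPICIOUS_ARGS.items() if m in cl)

def severity(score):
    """Bucket a score so the highest-severity alerts surface first."""
    return "none" if score == 0 else "high" if score >= 5 else "medium" if score >= 3 else "low"

def triage(events):
    """(event, score, severity) for each alerting event, highest score first."""
    hits = []
    for ev in events:
        s = score_event(ev)
        if s:
            hits.append((ev, s, severity(s)))
    return sorted(hits, key=lambda h: -h[1])

# Constructed sample events (not real telemetry).
ONENOTE = r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"
SAMPLE_EVENTS = [
    ProcessEvent(ONENOTE, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -enc <base64 placeholder>"),
    ProcessEvent(ONENOTE, r"C:\Windows\System32\cmd.exe", "cmd.exe /c start notes.txt"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\powershell.exe",
                 "powershell.exe -enc <base64 placeholder>"),
    ProcessEvent(ONENOTE, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
```

Running `triage(SAMPLE_EVENTS)` returns only the two OneNote-spawned abused binaries, with the encoded PowerShell launch scored "high" and the plain cmd.exe launch "low"; the explorer-spawned PowerShell and the notepad child do not alert.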