The Defender's Guide to OneNote MalDocs

Who's abusing it, and how to mitigate it in your environment

Why is it being used?

With the heyday of macro-enabled spreadsheets and documents behind us, threat actors have experimented with novel ways to deliver their payloads, including disk image files (.iso, .vhd files), HTML Smuggling (.hta files with embedded scripts), and now OneNote files.

While actors can’t embed VBA macros in OneNote files like they can with Word and Excel documents, it does provide a number of other significant advantages:

• OneNote files are not affected by Protected View/ Mark-of-the-Web;

• It allows embedding Malicious Excel/Word/PPT files that will be played without protected view;

• HTA, LNK, EXE files and more can be embedded in the document, with the extensions spoofed;

• The document can be formatted in order to trick users into opening a malicious file or a link;

• Maldoc creation can be automated using the OneNote.Application API and XML.

For a full overview of its potential, have a look at the full article assessing its viability for Red Team activities here.

Who’s using it?

…