Sublime Security

Sublime Core Feed
OneNote
Learn More
Login to Sublime
Attack Types
BEC/Fraud
Callback Phishing
Credential Phishing
Extortion
Malware/Ransomware
Reconnaissance
Spam
Tactics and Techniques
Encryption
Evasion
Exploit
Free email provider
Free file host
Free subdomain host
HTML smuggling
Image as content
Impersonation: Brand
Impersonation: Employee
Impersonation: VIP
IPFS
ISO
LNK
Lookalike domain
Macros
OneNote
Open redirect
Out of band pivot
PDF
Punycode
QR code
Scripting
Social engineering
Spoofing
Detection Methods
Archive analysis
Content analysis
Computer Vision
Exif analysis
File analysis
Header analysis
HTML analysis
Javascript analysis
Macro analysis
Natural Language Understanding
Optical Character Recognition
OLE analysis
PDF analysis
QR code analysis
Sender analysis
Threat intelligence
URL analysis
URL screenshot
Whois
XML analysis
YARA
Tactic or Technique: OneNote
Attackers use OneNote files to hide malware or phishing links inside interactive elements like buttons, images, or text boxes. These files are often sent as attachments with subject lines about invoices, shipping updates, or other urgent business topics.
When opened, the page may look like a login screen or document preview and prompt you to click. That click can launch a PowerShell script, download malware, or redirect you to a phishing site.
This tactic works because OneNote files often bypass security filters that focus on more traditional attachments like Word or PDFs. Most tools don’t scan them as deeply, which gives attackers a way to evade detection and gain a foothold in your environment.
Blog Post
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction · Blog · Sublime Security
This post will cover a brief timeline of QakBot’s evolution, and focus primarily on recently observed attack techniques. We’ll discuss detection methodologies and share MQL rules that anyone can use to detect, prevent, and hunt for these threats in email environments today. If you're already running Sublime, you received these new protections automatically.
Attack Types (3):
Credential Phishing
Malware/Ransomware
BEC/Fraud
Detection Methods (8):
Header analysis
URL analysis
Sender analysis
Archive analysis
Content analysis
File analysis
YARA
HTML analysis
Rule Name & Severity
Last Updated
Types, Tactics & Capabilities
Link: SharePoint OneNote or PDF link with self sender behavior
6d ago
Feb 27th, 2026
Sublime Security
Credential Phishing
Evasion
Free file host
OneNote
PDF
Header analysis
URL analysis
Sender analysis
Credential Phishing
Evasion
Free file host
OneNote
PDF
Header analysis
URL analysis
Sender analysis
/feeds/core/detection-rules/link-sharepoint-onenote-or-pdf-link-with-self-sender-behavior-588e7203
Attachment: Malicious OneNote commands
1mo ago
Jan 12th, 2026
@Kyle_Parrish_
Malware/Ransomware
OneNote
Scripting
Archive analysis
Content analysis
File analysis
YARA
Malware/Ransomware
OneNote
Scripting
Archive analysis
Content analysis
File analysis
YARA
/feeds/core/detection-rules/attachment-malicious-onenote-commands-7319f0eb
Sharepoint link likely unrelated to sender
1mo ago
Jan 12th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Impersonation: Employee
Lookalike domain
OneNote
PDF
Social engineering
URL analysis
Sender analysis
Header analysis
HTML analysis
BEC/Fraud
Credential Phishing
Impersonation: Employee
Lookalike domain
OneNote
PDF
Social engineering
URL analysis
Sender analysis
Header analysis
HTML analysis
/feeds/core/detection-rules/sharepoint-link-likely-unrelated-to-sender-6870f489
Suspicious SharePoint file sharing
7mo ago
Aug 5th, 2025
Sublime Security
Credential Phishing
Free email provider
Free file host
OneNote
PDF
Content analysis
Header analysis
Sender analysis
URL analysis
Credential Phishing
Free email provider
Free file host
OneNote
PDF
Content analysis
Header analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/suspicious-sharepoint-file-sharing-971c3d9c
Link: Uncommon SharePoint document type with sender's display name
7mo ago
Aug 5th, 2025
Sublime Security
Credential Phishing
Social engineering
OneNote
PDF
Content analysis
Header analysis
HTML analysis
URL analysis
Credential Phishing
Social engineering
OneNote
PDF
Content analysis
Header analysis
HTML analysis
URL analysis
/feeds/core/detection-rules/link-uncommon-sharepoint-document-type-with-senders-display-name-02d290b2

Rule Name & Severity	Last Updated	Author	Types, Tactics & Capabilities
Link: SharePoint OneNote or PDF link with self sender behavior	6d ago Feb 27th, 2026	Sublime Security	Credential Phishing Evasion Free file host OneNote PDF Header analysis URL analysis Sender analysis	/feeds/core/detection-rules/link-sharepoint-onenote-or-pdf-link-with-self-sender-behavior-588e7203
Attachment: Malicious OneNote commands	1mo ago Jan 12th, 2026	@Kyle_Parrish_	Malware/Ransomware OneNote Scripting Archive analysis Content analysis File analysis YARA	/feeds/core/detection-rules/attachment-malicious-onenote-commands-7319f0eb
Sharepoint link likely unrelated to sender	1mo ago Jan 12th, 2026	Sublime Security	BEC/Fraud Credential Phishing Impersonation: Employee Lookalike domain OneNote PDF Social engineering URL analysis Sender analysis Header analysis HTML analysis	/feeds/core/detection-rules/sharepoint-link-likely-unrelated-to-sender-6870f489
Suspicious SharePoint file sharing	7mo ago Aug 5th, 2025	Sublime Security	Credential Phishing Free email provider Free file host OneNote PDF Content analysis Header analysis Sender analysis URL analysis	/feeds/core/detection-rules/suspicious-sharepoint-file-sharing-971c3d9c
Link: Uncommon SharePoint document type with sender's display name	7mo ago Aug 5th, 2025	Sublime Security	Credential Phishing Social engineering OneNote PDF Content analysis Header analysis HTML analysis URL analysis	/feeds/core/detection-rules/link-uncommon-sharepoint-document-type-with-senders-display-name-02d290b2