Tactic or Technique: OneNote

Attackers use OneNote files to hide malware or phishing links inside interactive elements like buttons, images, or text boxes. These files are often sent as attachments with subject lines about invoices, shipping updates, or other urgent business topics.
When opened, the page may look like a login screen or document preview and prompt you to click. That click can launch a PowerShell script, download malware, or redirect you to a phishing site.
This tactic works because OneNote files often bypass security filters that focus on more traditional attachments like Word documents or PDFs. Most tools don’t scan them as deeply, which gives attackers a way to evade detection and gain a foothold in your environment.

| Rule Name & Severity | Last Updated | Author | Types, Tactics & Capabilities | Link |
| --- | --- | --- | --- | --- |
| Link: Uncommon SharePoint Document Type With Sender's Display Name | 3d ago (Jul 15th, 2025 UTC) | Sublime Security | Credential Phishing, Social engineering, OneNote, PDF, Content analysis, Header analysis, HTML analysis, URL analysis | /feeds/core/detection-rules/link-uncommon-sharepoint-document-type-with-senders-display-name-02d290b2 |
| Suspicious SharePoint File Sharing | 3mo ago (Apr 11th, 2025 UTC) | Sublime Security | Credential Phishing, Free email provider, Free file host, OneNote, PDF, Content analysis, Header analysis, Sender analysis, URL analysis | /feeds/core/detection-rules/suspicious-sharepoint-file-sharing-971c3d9c |
| Sharepoint Link Likely Unrelated to Sender | 4mo ago (Mar 12th, 2025 UTC) | Sublime Security | BEC/Fraud, Credential Phishing, Impersonation: Employee, Lookalike domain, OneNote, PDF, Social engineering, URL analysis, Sender analysis, Header analysis, HTML analysis | /feeds/core/detection-rules/sharepoint-link-likely-unrelated-to-sender-6870f489 |
| Attachment: Malicious OneNote Commands | 2y ago (Aug 21st, 2023 UTC) | @Kyle_Parrish_ | Malware/Ransomware, OneNote, Scripting, Archive analysis, Content analysis, File analysis, YARA | /feeds/core/detection-rules/attachment-malicious-onenote-commands-7319f0eb |