Tactic or Technique: OneNote

Attackers use OneNote files to hide malware or phishing links inside interactive elements like buttons, images, or text boxes. These files are often sent as attachments with subject lines about invoices, shipping updates, or other urgent business topics.
When opened, the page may look like a login screen or document preview and prompt you to click. That click can launch a PowerShell script, download malware, or redirect you to a phishing site.
This tactic works because OneNote files often bypass security filters that focus on more traditional attachments like Word or PDFs. Most tools don’t scan them as deeply, which gives attackers a way to evade detection and gain a foothold in your environment.
Blog Post
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction · Blog · Sublime Security
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction · Blog · Sublime Security
This post will cover a brief timeline of QakBot’s evolution, and focus primarily on recently observed attack techniques. We’ll discuss detection methodologies and share MQL rules that anyone can use to detect, prevent, and hunt for these threats in email environments today. If you're already running Sublime, you received these new protections automatically.
Attack Types (3):
BEC/Fraud
Credential Phishing
Malware/Ransomware
Detection Methods (8):
URL analysis
Sender analysis
Header analysis
HTML analysis
Content analysis
Archive analysis
File analysis
YARA
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Sharepoint link likely unrelated to sender
1mo ago
Sep 19th, 2025
Sublime Security
BEC/Fraud
Credential Phishing
Impersonation: Employee
Lookalike domain
OneNote
PDF
Social engineering
URL analysis
Sender analysis
Header analysis
HTML analysis
/feeds/core/detection-rules/sharepoint-link-likely-unrelated-to-sender-6870f489
Suspicious SharePoint file sharing
3mo ago
Aug 5th, 2025
Sublime Security
Credential Phishing
Free email provider
Free file host
OneNote
PDF
Content analysis
Header analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/suspicious-sharepoint-file-sharing-971c3d9c
Link: Uncommon SharePoint document type with sender's display name
3mo ago
Aug 5th, 2025
Sublime Security
Credential Phishing
Social engineering
OneNote
PDF
Content analysis
Header analysis
HTML analysis
URL analysis
/feeds/core/detection-rules/link-uncommon-sharepoint-document-type-with-senders-display-name-02d290b2
Attachment: Malicious OneNote commands
3mo ago
Aug 5th, 2025
@Kyle_Parrish_
Malware/Ransomware
OneNote
Scripting
Archive analysis
Content analysis
File analysis
YARA
/feeds/core/detection-rules/attachment-malicious-onenote-commands-7319f0eb