GBS iQ.Suite Watchdog reliably eliminates the threat of OneNote attachments in phishing emails

An increasing number of reports indicate that hackers are exploiting a vulnerability in Microsoft OneNote and using it as an attachment in their phishing emails to install malware. However, GBS customers with iQ.Suite Watchdog can breathe a sigh of relief, because the anti-malware solution is equipped to intercept and neutralize these threats.

According to Verizon‘s Data Breach Investigations Report, 94% of malware enters organizations via email, predominantly relying on attachments to insert their malicious code. Until recently, hackers exploited macros vulnerabilities in Word and Excel, as well as ISO images and ZIP files protected by passwords in their phishing campaigns. After these vulnerabilities were fixed by the vendors, the attackers moved on to Microsoft’s OneNote in attachments with embedded scripts to run Powershell.



How do compromised OneNote attachments work in phishing attacks?

Microsoft’s desktop digital notebook application, which does not support macros, is a standard part of Microsoft Office 2019 and Microsoft 365. Since December, reports have surfaced of malicious email attachments using OneNote, disguised as shipping documents and notifications, delivery notifications, invoices, etc., which can be opened with a double-click.

The phishing email contains a OneNote file that displays a blurry “Double Click to View File” box. This sign actually conceals a Visual Basic script that is executed when double-clicked, automatically downloading malware from a remote server. Even if the program displays a warning that “Opening attachments could harm your computer and data”, employees often ignore it.



How can you prevent OneNote attachments from spreading malware across your network?

Be absolutely cautious – do not open attachments from unknown sources in general. Even if you do it accidentally, trust the warning message and do not proceed with opening the file. Also, make sure that you use multi-factor authentication and good AV scanners. Blocking OneNote attachments is also an option.

GBS customers already using the anti-virus solution iQ.Suite Watchdog don’t have to worry about being at risk from malicious OneNote attachments.

  1. iQ.Suite for Microsoft Exchange/SMTP (SaaS):

In the MMC at Basic Configuration > Utility Settings > Fingerprints you have to add the following fingerprint jobs:

Microsoft OneNote note (*.one)

E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3 Startposition: 1 Endposition: 16

3F DD 9A 10 1B 91 F5 49 Startposition: 49 Endposition: 56

Name pattern: *.one

Microsoft OneNote entire notebook (*.onepkg)

Microsoft: Position 1-6: 4D5343460000

Position 1 to -1: 004E6F74697A6275636820C3B666666E656E2E6F6E65746F63

Name pattern: *.onepkg

Then add it to the iQ.Suite Watchdog Attachment Filtering job so that it can be found and blocked accordingly.


  1. iQ.Suite for HCL Domino:

Watchdog > Utilities > Fingerprints

0000 10 E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3

0030 08 3F DD 9A 10 1B 91 F5 49

Name pattern: *.one

0000 06 4D 53 43 46 00 00

00..-1 19 00 4E 6F 74 69 7A 62 75 63 68 20 C3 B6 66 66 6E 65 6E 2E 6F 6E 65 74 6F 63

Name pattern: *.onepkg

iQ.Suite Watchdog uses up to 4 leading antivirus scanners in addition to its own security mechanisms to provide superior multi-layered protection for company emails. The solution detects and removes malicious files, JavaScript code and web links in PDF, Word, Excel and other attachments. Moreover, it is possible to convert email attachments to PDF to remove malicious codes.

Do you need professional support in securing your e-mail communication? Feel free to contact us! We will be happy to support you with our consulting team.