โ€œWe needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.โ€

IT Operations Manager
Simon Darley
Trusted by industry leaders

Let's Talk

Call us on one of the numbers below, we cover the whole of the UK, so call the nearest office.

BriSTOL HQ & The South West

London & Surrounding Areas

Manchester & the North

โ€œWe needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.โ€

IT Operations Manager
Simon Darley
Trusted by industry leaders

Request a Call-back.

First we need a few details.

ENQUIRY - Contact Popup DEPRECIATED (#3)

Keep up to date with the experts

Get insights directly to your email inbox

MAIL LIST - Newsletter, Exit Intent Popup (#13)

Follow us on social

โ€œWe needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.โ€

IT Operations Manager
Simon Darley
Trusted by industry leaders

Request a Call

First we need a few details.

ENQUIRY - Popup w/ Captcha for light backgrounds (#21)
Expert Intel

OneNote Supply Chain Phishing

Published: April 12, 2023
Updated: May 29, 2024
Expert: Joe .F
Role: Senior Cyber Security Analyst
Specialises in: Security Operations
What you will learn:
Threat Actors are using compromised business emails to phish partner organisations, I wanted to create this article to raise awareness to some methodโ€™s weโ€™ve observed in the wild as recently as within the last 24 hours.
"I donโ€™t think these styles of attacks will be going away any time soon as threat actors are continuing to adapt and evolve their tactics each week to try and evade detection rules being placed by fellow Defenders."

Abusing Trust Through Business Email Compromise

In recent weeks, OneNote supply chain phishing campaigns have been creeping up time and time again and no doubt youโ€™ve already seen your fair share of these articles by now. Unfortunately, I donโ€™t think these styles of attacks will be going away any time soon as threat actors are continuing to adapt and evolve their tactics each week to try and evade detection rules being placed by fellow Defenders.

Nonetheless, I wanted to create this article to raise awareness to some methodโ€™s weโ€™ve observed in the wild as recently as within the last 24 hours. (TLDR Version of this article is in progress).

[Edit: โ€” Note, these methods are not as new as I first imagined, conversations with other researchers and threat intelligence specialists revealed these methods have been used since at least 2019. Nonetheless, they havenโ€™t changed therefore it is still important to know how to identify these attacks.]

ONENOTE SUPPLY CHAIN PHISHING

Previously, the main methods of operation used by these โ€œphishermenโ€ was to send an email containing OneNote (.one) documents weaponised with embedded URLs to credential harvesters, or in some extreme cases, contained malware which would execute upon interaction. This became a simple fix for most people, adding a rule to block inbound emails containing a .one attachment seemed to be an easy enough solutionโ€ฆ or so we thought.

In this article I will be covering:

  1. The New Campaign
  2. The Attack Chain
  3. Attack Diagram
  4. Detections and Advice

THE ONENOTE SUPPLY CHAIN PHISHING CAMPAIGN

In the early days of these OneNote supply chain phishing attacks being seen, it was noted that the attackers would often send OneNote files from random spam phishing email addresses which most end users would be able to pick up on and flag as phishing or spam. Or alternatively, the emails would just be blocked for containing a OneNote attachment (providing rules were in place).

However, in recent campaigns seen within the last two weeks, it has been noted that threat actors have adapted their methods so that instead of needing to send a OneNote document to a victim, they can just send them to a OneNote document hosted in a public facing SharePoint which will in turn, bypass these rules to block emails containing OneNote attachments as well as any email filtering solutions as the URL will be to a legitimate SharePoint URL. Very unlikely to be blocked within an organisation.

This is where things get interestingโ€ฆ

THE ONENOTE SUPPLY CHAIN PHISHING ATTACK CHAIN

1. Patient Zero

The Threat Actor will compromise a business email account. In this example, Example Corp CFO, Joe Bloggs (joe.bloggs@examplecorp.com) has been compromised.

2. Creating the OneNote File

Using Joeโ€™s account, the attacker will now create a malicious OneNote document in his personal sharepoint which will be used to redirect the victim to a phishing domain that was most likely used to initially compromise Joeโ€™s account.

3. Phishing Partner Organisations

The attacker will now use this compromised email to send a series of other malicious emails targeting partner companies of Example Corp. These emails will contain a URL leading to the new SharePoint hosted OneNote file. The subject of a lot of these emails will be in the format of โ€” โ€˜Joe Bloggs shared โ€œ< Random Document Name Here>โ€ with you.โ€™

4. The Phish

The victim at the targeted partner organisation recieves this email from Joe Bloggs. This is where the abuse of trust comes into play. Since Example Corp are partners of theirs, and the victim knows that Joe is the CFO at Example Corp, this must be legitimate right?

Real world example of the phishing email sent from a compromised business email.

Real world example of the phishing email sent from a compromised business email.

Similar real world example using the same style of email but this one is pretending to use an Excel doc instead of OneNote.

Similar real world example using the same style of email but this one is pretending to use an Excel doc instead of OneNote.

5. SharePoint Hosted OneNote Document

The URL received by the victim will be to SharePoint, not many people will suspect a real sharepoint link to be malicious as this is used by most organisations today allowing users to collaborate effortlessly. This URL is what takes the victim to the OneNote file hosted in Joe Bloggโ€™s personal sharepoint. Again, because the email is from a legitimate source and did not contain a OneNote attachment it will bypass any current rules to block emails containing attachments with a .one extension. Additionally, because the domain used to host the file is SharePoint, this will likely not be within any block lists at any organisation meaning these emails will slip right through the net in most cases.

6. The Harvester

Upon clicking REVIEW DOCUMENT HERE โ€” the victim is now forwarded to the Credential Harvesterโ€ฆ This page is actually hidden behind a CloudFlare CAPTCHA page meaning that any static sandbox detection tools will NOT be able to see the harvester behind the CAPTCHA challenge. This is why Dynamic Analysis is so important for Defenders.

CloudFlare Captcha

CloudFlare Captcha

MS Credential Harvester. Notice the .RU domain

MS Credential Harvester. Notice the .RU domain

7. Testing Input Fields

Here I wanted to test to see what the input fields look for, you will find that the complexity of these credential harvesters can vary massively. For example:

  • Some accept any input (no input validation checks)
  • Some accept any email as long as it contains @ and .com/net/co.uk etc
  • Some only accept valid email addresses and then check the validity of the password as you enter it.
  • Similar to above, it will tell you your password is incorrect so you enter it 3โ€“5 times before forwarding you to a legitimate Microsoft Website so you feel as though you have successfully logged inโ€ฆ

In this case, I used the fake email ofย Hello@mate.lolย accompanied by a fat password containing aย โ€˜polite messageโ€™ย for the actor to read later. Both of which were actually accepted and I was forwarded to the official Microsoft Office domain ofย www.office.comย โ€”ย It is worth noting that when I went back to try and use this same credential pair I was told the email was invalid indicating you can only submit one email once?

Credential harvester accepting my fake email and polite message of a password.

Details being โ€œSuccessfully Confirmed!โ€

Details being โ€œSuccessfully Confirmed!โ€

Redirect to Office.com

Redirect to Office.com

Failing to accept hello@mate.lol the second time around. Probably didnโ€™t appreciate my friendly message.

BIRDS EYE VIEW

As you can see from the world class piece of art I put together above, this attack can scale up massively in no time. Once one organisation is compromised, it is possible for a further handful of organisations to be targeted, compromised and utilised to continue the campaign. Scary right?

DETECTIONS AND ADVICE

As of right now, we are currently working on detection rules for this new method of attack therefore I will be updating this article with any rules we create in due course. If anybody has any suggestions or already has rules for this type of attack, please reach out, Iโ€™d love to collaborate.

The main take aways from this campaign are:

  • Zero Trust Model is vital in modern organisations. Question ANYTHING that looks suspicious or too good to be true.

  • Subjects from this style of campaign often use the format, โ€˜Name Here shared โ€œDocumentNameโ€ with youโ€™ โ€” if it looks like any of the above details so far, report it to your SOC and delete it ASAP.

  • URL within the phishing emails may contain โ€œsharepoint.com/personalโ€ as well as โ€œ.oneโ€ referring to the malicious OneNote document being used.

  • If you are ever logging into your microsoft account and the URL isย NOTย https://login.microsoftonline.comย โ€” DO NOT ENTER DETAILS.

  • Remain cautious of any OneNote attachments or links to OneNote documents you are not involved with or aware of.

  • As alwaysโ€ฆ using a strong password with MFA, paired with Conditional Access Policies (Licenses dependent) is the best option where possible when protecting identities in an organisation.

If you have any questions, feedback or want to share information related to the details discussed in this article, please feel free to reach out on to Joe on LinkedIn.

Happy Hunting!


Want to know more about cyber security user awareness training? Get in touch today and learn how to keep your organisation secure.