“We needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.”

IT Operations Manager
Simon Darley
Trusted by industry leaders

Let's Talk

Call us on one of the numbers below, we cover the whole of the UK.

BriSTOL HQ & The South West

+44 (0) 117 974 5179

London & Surrounding Areas

+44 (0) 207 043 7044

Manchester & the North West

+44 (0) 161 399 1305

“We needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.”

IT Operations Manager
Simon Darley
Trusted by industry leaders

Request a Call-back.

First we need a few details.

Contact Form Primary popup

Keep up to date with the experts

Get insights direct to your email inbox

NEWSLETTER - Exit Intent

Follow us on social

“We needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.”

IT Operations Manager
Simon Darley
Trusted by industry leaders

Request a Call

First we need a few details.

Contact Form Primary popup w/ Captcha
Expert Intel

OneNote Supply Chain Phishing

Published: April 12, 2023
Updated: December 19, 2023
Expert: Joe .F
Role: Senior Cyber Security Analyst
Specialises in: Security Operations
What you will learn:
Threat Actors are using compromised business emails to phish partner organisations, I wanted to create this article to raise awareness to some method’s we’ve observed in the wild as recently as within the last 24 hours.
"I don’t think these styles of attacks will be going away any time soon as threat actors are continuing to adapt and evolve their tactics each week to try and evade detection rules being placed by fellow Defenders."

Abusing Trust Through Business Email Compromise

In recent weeks, OneNote supply chain phishing campaigns have been creeping up time and time again and no doubt you’ve already seen your fair share of these articles by now. Unfortunately, I don’t think these styles of attacks will be going away any time soon as threat actors are continuing to adapt and evolve their tactics each week to try and evade detection rules being placed by fellow Defenders.

Nonetheless, I wanted to create this article to raise awareness to some method’s we’ve observed in the wild as recently as within the last 24 hours. (TLDR Version of this article is in progress).

[Edit: — Note, these methods are not as new as I first imagined, conversations with other researchers and threat intelligence specialists revealed these methods have been used since at least 2019. Nonetheless, they haven’t changed therefore it is still important to know how to identify these attacks.]

ONENOTE SUPPLY CHAIN PHISHING

Previously, the main methods of operation used by these “phishermen” was to send an email containing OneNote (.one) documents weaponised with embedded URLs to credential harvesters, or in some extreme cases, contained malware which would execute upon interaction. This became a simple fix for most people, adding a rule to block inbound emails containing a .one attachment seemed to be an easy enough solution… or so we thought.

In this article I will be covering:

  1. The New Campaign
  2. The Attack Chain
  3. Attack Diagram
  4. Detections and Advice

THE ONENOTE SUPPLY CHAIN PHISHING CAMPAIGN

In the early days of these OneNote supply chain phishing attacks being seen, it was noted that the attackers would often send OneNote files from random spam phishing email addresses which most end users would be able to pick up on and flag as phishing or spam. Or alternatively, the emails would just be blocked for containing a OneNote attachment (providing rules were in place).

However, in recent campaigns seen within the last two weeks, it has been noted that threat actors have adapted their methods so that instead of needing to send a OneNote document to a victim, they can just send them to a OneNote document hosted in a public facing SharePoint which will in turn, bypass these rules to block emails containing OneNote attachments as well as any email filtering solutions as the URL will be to a legitimate SharePoint URL. Very unlikely to be blocked within an organisation.

This is where things get interesting…

THE ONENOTE SUPPLY CHAIN PHISHING ATTACK CHAIN

1. Patient Zero

The Threat Actor will compromise a business email account. In this example, Example Corp CFO, Joe Bloggs (joe.bloggs@examplecorp.com) has been compromised.

2. Creating the OneNote File

Using Joe’s account, the attacker will now create a malicious OneNote document in his personal sharepoint which will be used to redirect the victim to a phishing domain that was most likely used to initially compromise Joe’s account.

3. Phishing Partner Organisations

The attacker will now use this compromised email to send a series of other malicious emails targeting partner companies of Example Corp. These emails will contain a URL leading to the new SharePoint hosted OneNote file. The subject of a lot of these emails will be in the format of — ‘Joe Bloggs shared “< Random Document Name Here>” with you.

4. The Phish

The victim at the targeted partner organisation recieves this email from Joe Bloggs. This is where the abuse of trust comes into play. Since Example Corp are partners of theirs, and the victim knows that Joe is the CFO at Example Corp, this must be legitimate right?

Real world example of the phishing email sent from a compromised business email.

Real world example of the phishing email sent from a compromised business email.

Similar real world example using the same style of email but this one is pretending to use an Excel doc instead of OneNote.

Similar real world example using the same style of email but this one is pretending to use an Excel doc instead of OneNote.

5. SharePoint Hosted OneNote Document

The URL received by the victim will be to SharePoint, not many people will suspect a real sharepoint link to be malicious as this is used by most organisations today allowing users to collaborate effortlessly. This URL is what takes the victim to the OneNote file hosted in Joe Blogg’s personal sharepoint. Again, because the email is from a legitimate source and did not contain a OneNote attachment it will bypass any current rules to block emails containing attachments with a .one extension. Additionally, because the domain used to host the file is SharePoint, this will likely not be within any block lists at any organisation meaning these emails will slip right through the net in most cases.

6. The Harvester

Upon clicking REVIEW DOCUMENT HERE — the victim is now forwarded to the Credential Harvester… This page is actually hidden behind a CloudFlare CAPTCHA page meaning that any static sandbox detection tools will NOT be able to see the harvester behind the CAPTCHA challenge. This is why Dynamic Analysis is so important for Defenders.

CloudFlare Captcha

CloudFlare Captcha

MS Credential Harvester. Notice the .RU domain

MS Credential Harvester. Notice the .RU domain

7. Testing Input Fields

Here I wanted to test to see what the input fields look for, you will find that the complexity of these credential harvesters can vary massively. For example:

  • Some accept any input (no input validation checks)
  • Some accept any email as long as it contains @ and .com/net/co.uk etc
  • Some only accept valid email addresses and then check the validity of the password as you enter it.
  • Similar to above, it will tell you your password is incorrect so you enter it 3–5 times before forwarding you to a legitimate Microsoft Website so you feel as though you have successfully logged in…

In this case, I used the fake email of Hello@mate.lol accompanied by a fat password containing a ‘polite message’ for the actor to read later. Both of which were actually accepted and I was forwarded to the official Microsoft Office domain of www.office.com — It is worth noting that when I went back to try and use this same credential pair I was told the email was invalid indicating you can only submit one email once?

Credential harvester accepting my fake email and polite message of a password.

Details being “Successfully Confirmed!”

Details being “Successfully Confirmed!”

Redirect to Office.com

Redirect to Office.com

Failing to accept hello@mate.lol the second time around. Probably didn’t appreciate my friendly message.

BIRDS EYE VIEW

As you can see from the world class piece of art I put together above, this attack can scale up massively in no time. Once one organisation is compromised, it is possible for a further handful of organisations to be targeted, compromised and utilised to continue the campaign. Scary right?

DETECTIONS AND ADVICE

As of right now, we are currently working on detection rules for this new method of attack therefore I will be updating this article with any rules we create in due course. If anybody has any suggestions or already has rules for this type of attack, please reach out, I’d love to collaborate.

The main take aways from this campaign are:

  • Zero Trust Model is vital in modern organisations. Question ANYTHING that looks suspicious or too good to be true.

  • Subjects from this style of campaign often use the format, ‘Name Here shared “DocumentName” with you’ — if it looks like any of the above details so far, report it to your SOC and delete it ASAP.

  • URL within the phishing emails may contain “sharepoint.com/personal” as well as “.one” referring to the malicious OneNote document being used.

  • Remain cautious of any OneNote attachments or links to OneNote documents you are not involved with or aware of.

  • As always… using a strong password with MFA, paired with Conditional Access Policies (Licenses dependent) is the best option where possible when protecting identities in an organisation.

If you have any questions, feedback or want to share information related to the details discussed in this article, please feel free to reach out on to Joe on LinkedIn.

Happy Hunting!


Want to know more about cyber security user awareness training? Get in touch today and learn how to keep your organisation secure.

Our latest expert Intel

  • April 30, 2024
    Read full article
  • March 27, 2024
    Read full article
  • Gootkit
    March 7, 2024
    Read full article
  • February 5, 2024
    Read full article
  • Malvertising
    December 20, 2023
    Read full article
  • Microsoft Ignite
    January 19, 2024
    Read full article
  • keys
    January 19, 2024
    Read full article
  • December 19, 2023
    Read full article
  • CVE-2023-42439
    November 9, 2023
    Read full article
  • password
    September 11, 2023
    Read full article
  • November 24, 2023
    Read full article
  • August 1, 2023
    Read full article