OneNote Supply Chain Phishing
Abusing Trust Through Business Email Compromise
In recent weeks, OneNote supply chain phishing campaigns have been cropping up time and time again, and no doubt you have already seen your fair share of articles on them by now. Unfortunately, I don’t think this style of attack will be going away any time soon, as threat actors continue to adapt their tactics each week to evade the detection rules being put in place by fellow defenders.
Nonetheless, I wanted to write this article to raise awareness of some methods we have observed in the wild as recently as the last 24 hours. (A TL;DR version of this article is in progress.)
[Edit: these methods are not as new as I first imagined; conversations with other researchers and threat intelligence specialists revealed they have been in use since at least 2019. They have not changed, however, so it is still important to know how to identify these attacks.]
Previously, the main method used by these “phishermen” was to send an email containing a OneNote (.one) document weaponised with embedded URLs to credential harvesters or, in some extreme cases, with embedded malware which would execute upon interaction. For most organisations this had a simple fix: adding a rule to block inbound emails containing a .one attachment seemed to be an easy enough solution… or so we thought.
In this article I will be covering:
- The New Campaign
- The Attack Chain
- Attack Diagram
- Detections and Advice
THE ONENOTE SUPPLY CHAIN PHISHING CAMPAIGN
When these OneNote phishing attacks were first seen, the attackers would often send OneNote files from random spam email addresses, which most end users would be able to pick up on and flag as phishing or spam. Alternatively, the emails would simply be blocked for containing a OneNote attachment (provided rules were in place).
However, in campaigns seen within the last two weeks, threat actors have adapted: instead of sending a OneNote document to the victim, they send a link to a OneNote document hosted on a publicly accessible SharePoint site. This bypasses rules that block emails containing OneNote attachments, and it also gets past URL reputation filtering, since the link points to a legitimate sharepoint.com URL that is very unlikely to be blocked within an organisation.
This is where things get interesting…
THE ONENOTE SUPPLY CHAIN PHISHING ATTACK CHAIN
1. Patient Zero
The threat actor compromises a business email account. In this example, Example Corp CFO Joe Bloggs (firstname.lastname@example.org) has been compromised.
2. Creating the OneNote File
Using Joe’s account, the attacker creates a malicious OneNote document in his personal SharePoint site (his OneDrive for Business, which lives under <tenant>-my.sharepoint.com/personal/…). The document’s only job is to redirect the victim to a phishing domain, most likely the same one used to compromise Joe’s account in the first place.
3. Phishing Partner Organisations
The attacker now uses the compromised mailbox to send a wave of malicious emails targeting Example Corp’s partner companies. Each contains a URL leading to the newly created SharePoint-hosted OneNote file. The subject line of many of these emails follows the format ‘Joe Bloggs shared “<Random Document Name Here>” with you’.
4. The Phish
The victim at the targeted partner organisation receives this email from Joe Bloggs. This is where the abuse of trust comes into play. Since Example Corp is a partner of theirs, and the victim knows that Joe is the CFO at Example Corp, this must be legitimate, right?
Real world example of the phishing email sent from a compromised business email.
Similar real world example using the same style of email but this one is pretending to use an Excel doc instead of OneNote.
5. SharePoint Hosted OneNote Document
The URL the victim receives points to SharePoint, and few people will suspect a genuine SharePoint link of being malicious, since most organisations use it today to collaborate effortlessly. This URL takes the victim to the OneNote file hosted in Joe Bloggs’ personal SharePoint site. Because the email comes from a legitimate, trusted sender and contains no OneNote attachment, it bypasses any existing rules that block attachments with a .one extension. Additionally, because the file is hosted on sharepoint.com, the domain will almost certainly not appear on any organisation’s block list, so these emails slip right through the net in most cases.
6. The Harvester
Upon clicking REVIEW DOCUMENT HERE, the victim is forwarded to the credential harvester. This page is hidden behind a Cloudflare CAPTCHA page, meaning that any static sandbox or URL-scanning tool that cannot solve the challenge will NOT see the harvester behind it. This is why dynamic analysis (detonating the link in a real browser and following it interactively) is so important for defenders.
MS Credential Harvester. Notice the .RU domain
7. Testing Input Fields
Here I wanted to test what the input fields look for; you will find that the complexity of these credential harvesters varies massively. For example:
- Some accept any input (no input validation checks)
- Some accept any email as long as it contains an @ and a .com/.net/.co.uk etc. suffix
- Some only accept valid email addresses and then check the validity of the password as you enter it.
- Similar to the above, some will tell you your password is incorrect so that you enter it 3–5 times before forwarding you to a legitimate Microsoft website, so you feel as though you have successfully logged in…
In this case, I used the fake email of Hello@mate.lol accompanied by a fat password containing a ‘polite message’ for the actor to read later. Both were accepted and I was forwarded to the official Microsoft Office domain, www.office.com. It is worth noting that when I went back to try the same credential pair again, I was told the email was invalid, which suggests each email address can only be submitted once?
Credential harvester accepting my fake email and polite message of a password.
Details being “Successfully Confirmed!”
Redirect to Office.com
Failing to accept email@example.com the second time around. Probably didn’t appreciate my friendly message.
BIRD’S EYE VIEW
As you can see from the world-class piece of art I put together above, this attack can scale up massively in no time. Once one organisation is compromised, a further handful of organisations can be targeted, compromised and used to continue the campaign. Scary, right?
DETECTIONS AND ADVICE
As of right now, we are working on detection rules for this new method of attack, so I will update this article with any rules we create in due course. If anybody has suggestions or already has rules for this type of attack, please reach out; I’d love to collaborate.
The main takeaways from this campaign are:
- A Zero Trust mindset is vital in modern organisations: question ANYTHING that looks suspicious or too good to be true.
- Subjects in this style of campaign often use the format ‘Name Here shared “DocumentName” with you’. If an email matches any of the details above, report it to your SOC and delete it ASAP.
- The URL within the phishing email may contain “sharepoint.com/personal” (the OneDrive for Business path, typically <tenant>-my.sharepoint.com/personal/<user>/…) as well as “.one”, referring to the malicious OneNote document being used.
- If you are ever signing in to your Microsoft account and the page is NOT on https://login.microsoftonline.com (or, for organisations with federated sign-in, the identity provider domain your IT team has told you to expect), DO NOT ENTER YOUR DETAILS.
- Remain cautious of any OneNote attachments or links to OneNote documents you are not involved with or expecting.
- As always, a strong password with MFA, paired with Conditional Access policies (licence dependent), is the best option where possible when protecting identities in an organisation.
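As an added example (not code from the original article, nor an official detection rule), here is a small Python triage script that applies the indicators listed above to constructed sample messages: an external sender, the ‘shared … with you’ subject template, a link into a personal SharePoint site (the <tenant>-my.sharepoint.com/personal/… OneDrive for Business path), a .one reference in the link, and the sign-in host check. The tenant, user and domain names are assumptions, as is the set of expected login hosts, which a federated organisation would need to extend.

```python
"""Triage heuristics for the SharePoint-hosted OneNote lure described above.

Added example, not code from the original article. The messages, tenant and
user names below are constructed for illustration only.
"""
import re
from urllib.parse import urlparse

# Subject template used in the campaign: 'Joe Bloggs shared "<document>" with you'
SHARE_SUBJECT = re.compile(
    r'^\s*(?P<sharer>.+?)\s+shared\s+[“"](?P<doc>.+?)[”"]\s+with\s+you', re.IGNORECASE
)

# OneDrive for Business ("personal SharePoint") links have the shape
# https://<tenant>-my.sharepoint.com/personal/<user>_<domain>/...
PERSONAL_SITE_PATH = re.compile(r"^/personal/([^/]+)/", re.IGNORECASE)

# A ".one" document referenced in the path or query string (e.g. file=Report.one&...),
# without matching ".onenote" or ".onedrive".
ONE_FILE = re.compile(r"\.one(?![a-z0-9])", re.IGNORECASE)

URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+")

# Hosts on which a Microsoft work/school sign-in page is expected. Assumption:
# an organisation using a federated IdP adds its own sign-in host here.
EXPECTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}

REVIEW_THRESHOLD = 4  # a genuine partner share hits at most the first two indicators


def is_expected_login_host(url):
    """True only when a sign-in URL sits on an expected Microsoft login host."""
    host = (urlparse(url).hostname or "").lower()
    return host in EXPECTED_LOGIN_HOSTS


def triage(message, internal_domains):
    """Score one message (dict with 'from', 'subject', 'body') against the campaign's indicators."""
    score, reasons = 0, []

    sender_domain = message["from"].rsplit("@", 1)[-1].lower()
    if sender_domain not in internal_domains:
        score += 1
        reasons.append(f"sender domain {sender_domain} is external")

    if SHARE_SUBJECT.match(message["subject"]):
        score += 1
        reasons.append('subject uses the "<name> shared ... with you" sharing template')

    for url in URL_IN_TEXT.findall(message["body"]):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if not host.endswith(".sharepoint.com"):
            continue
        site = PERSONAL_SITE_PATH.match(parsed.path)
        if site:
            score += 2
            reasons.append(f"link to a personal SharePoint site on {host} (/personal/{site.group(1)})")
        if ONE_FILE.search(parsed.path + "?" + parsed.query):
            score += 1
            reasons.append("link references a .one (OneNote) document")

    verdict = "review" if score >= REVIEW_THRESHOLD else "ok"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages: the first mirrors the campaign's lure, the second is benign.
INTERNAL_DOMAINS = {"partner.example"}
SAMPLE_MESSAGES = [
    {
        "from": "joe.bloggs@example.org",
        "subject": 'Joe Bloggs shared "Q3 Financial Report" with you',
        "body": (
            "Joe Bloggs has shared a document with you.\n"
            "REVIEW DOCUMENT HERE: https://examplecorp-my.sharepoint.com/personal/"
            "joe_bloggs_example_org/_layouts/15/Doc.aspx?sourcedoc=%7B1234%7D"
            "&file=Q3%20Financial%20Report.one&action=default\n"
        ),
    },
    {
        "from": "ann.other@partner.example",
        "subject": "Lunch next week?",
        "body": "Calendar: https://partner.example/calendar/ann\n",
    },
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = triage(msg, INTERNAL_DOMAINS)
        print(f"{msg['subject']!r}: {result['verdict']} (score {result['score']})")
        for reason in result["reasons"]:
            print("  -", reason)
```

These are heuristics, not a verdict: a legitimate share notification from a partner also matches the external-sender and subject-template indicators, which is why the threshold only tips into “review” once the link itself points at a personal SharePoint site or a .one document. Treat a hit as a prompt for the dynamic analysis described above, not as proof of compromise.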
If you have any questions, feedback or want to share information related to the details discussed in this article, please feel free to reach out to Joe on LinkedIn.