Phishing

SpearTip | February 9th, 2023

 

SpearTip’s Security Operations Center (SOC) team detected a new phishing campaign named QakNote. This campaign has been discovered to use Microsoft OneNote files to spread QBot malware, targeting numerous United States-based companies.

Details of OneNote Phishing Campaign

When a user interacts with it, the malicious OneNote file attempts to download and run the QBot malware. QBot is malware that is often used to gain initial access and is then leveraged for persistence and privilege elevation. If the following screen pops up on your device, do not click ‘open’ and immediately contact your IT team.

To reduce the risk of infection from this campaign, the following measures can be taken:

  • Educate users on the dangers of phishing, specifically this QakNote campaign.
  • As OneNote files are not frequently sent through email, consider blocking incoming OneNote files on the firewall.
  • Ensure detection software, like the ShadowSpear Platform, is installed on all endpoints as it prevents successful infection.

Furthermore, it is important to note: DO NOT CLICK “OK” as this will execute the malware.

To block emails with OneNote attachments in Office 365, the following steps can be taken using Exchange Online Protection (EOP):

  • Log in to the Microsoft 365 admin center.
  • Navigate to the Exchange admin center.
  • Go to Protection > Rule Options.
  • Click the Add (+) icon and select “Create a new transport rule.”
  • Give the rule a descriptive name, such as “Block OneNote attachments.”
  • In the “Apply this rule if” section, select “The attachment file name extension is.”
  • In the file extension box, type “.one” (without quotes) and click the “+” button to add it.
  • In the “Do the following” section, select “Reject the message with the following explanation” and type in a message explaining that OneNote attachments are not allowed in your organization.
  • Save the rule by clicking the Save icon.
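
The same attachment check can be run over saved messages, such as a mailbox export or quarantine folder, to find OneNote files that arrived before the rule existed. The sketch below is an added example, not SpearTip's code or part of the original article. Beyond the extension match the rule uses, it also checks each attachment for the OneNote file-type GUID at the start of the content; the function names, addresses and sample messages are constructed for illustration.

```python
import uuid
from email import message_from_bytes, policy
from email.message import EmailMessage

# File-type GUID that begins every .one file ([MS-ONESTORE] header), as stored on disk.
ONE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
BLOCKED_EXTENSIONS = (".one",)  # the extension the transport rule above matches


def onenote_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) for every part that is or claims to be OneNote."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also descends into forwarded messages
        if part.is_multipart():
            continue
        name = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(ONE_MAGIC):
            # Content match: flagged whatever the attachment is called.
            hits.append((name or "(unnamed)", "content"))
        elif name and name.lower().endswith(BLOCKED_EXTENSIONS):
            # Name-only match: what the extension rule would reject.
            hits.append((name, "extension"))
    return hits


def sample_message(filename: str, data: bytes) -> bytes:
    """Build a constructed test message with one attachment (not real traffic)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Constructed sample"
    m.set_content("See attached.")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    fake_one = ONE_MAGIC + b"\x00" * 16  # constructed header, not a real notebook
    for fname, body in [("invoice.one", fake_one), ("invoice.pdf", fake_one),
                        ("notes.ONE", b"plain text"), ("report.pdf", b"%PDF-1.7")]:
        print(fname, onenote_attachments(sample_message(fname, body)))
```

A "content" hit on an attachment whose name does not end in .one means the extension rule alone would have let that message through.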

Businesses face significant risk from this phishing campaign as OneNote attachments are typically not intercepted or scanned by email providers, making it easier for attackers to introduce QBot into your environment. To reduce this risk, it’s advisable for businesses to prevent the sending of OneNote files via email. Moreover, businesses must remain vigilant against this threat and others on the threat landscape, and regularly carry out security awareness training, particularly phishing tests.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
