Hackers are using Microsoft OneNote files to steal your data — how to stay safe


Threat actors are always looking for ways to get malware into your system, and it often seems like they have a limitless pool of ingenuity to fall back on. This time they’ve been caught trying to spread malware via Microsoft OneNote attachments in phishing emails — specifically remote access malware.

Attackers have used Microsoft Office files, particularly Word and Excel attachments, to spread malware for many years. Microsoft finally took some action last July, disabling Office documents’ macros by default and making them an unreliable way to infect unsuspecting recipients.

Undeterred, attackers switched to using ISO images and ZIP files, exploiting bugs in Windows and 7-Zip. Now those security holes have also been fixed, and it seems OneNote attachments are becoming the weapon of choice.

According to Bleeping Computer, the various phishing emails are pretending to be things like shipping notifications, invoices, mechanical drawings and other innocuous files. But since OneNote doesn’t support macros, attackers have had to get creative in how they get the file to install malware.

Apparently this is down to a OneNote feature that allows users to add attachments to a notebook. The attached OneNote file appears to be blurred out, with a large button that says “Double Click to View File.” But double-clicking this button runs the file’s attachment, which is a malicious Visual Basic Script (VBS) file. That VBS is then able to download malware from a remote site and install it on your machine.
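For defenders who need to triage a suspicious .one attachment without opening it in OneNote, the embedded attachment described above can be located directly in the file's bytes. The following is an added example, not from the original article or from Bleeping Computer; the script-marker heuristic, the function names and the sample bytes are assumptions constructed for illustration.

```python
import struct

# FileDataStoreObject header GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
# (MS-ONESTORE), in on-disk byte order. Embedded attachments follow it.
FDSO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
HEADER_LEN = 36  # GUID (16) + cbLength (8) + unused (4) + reserved (8)

# Assumed heuristic for this example: strings common in Windows script files.
SCRIPT_MARKERS = (b"createobject", b"wscript.", b"on error resume next")


def embedded_files(blob):
    """Yield (offset, data) for every embedded file object in a .one blob."""
    pos = blob.find(FDSO_HEADER)
    while pos != -1:
        size_field = blob[pos + 16:pos + 24]
        start = pos + HEADER_LEN
        if len(size_field) == 8:
            (size,) = struct.unpack("<Q", size_field)
            # Skip lengths that run past the end (truncated/malformed file).
            if start + size <= len(blob):
                yield pos, blob[start:start + size]
        pos = blob.find(FDSO_HEADER, pos + 1)


def looks_like_script(data):
    """True if the payload is mostly text and contains a script marker."""
    text = data[:4096].replace(b"\x00", b"").lower()  # tolerate UTF-16LE
    if not text:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in text)
    return printable / len(text) > 0.9 and any(m in text for m in SCRIPT_MARKERS)


def triage(blob):
    """Return (offset, size, is_script) for each embedded attachment."""
    return [(off, len(d), looks_like_script(d)) for off, d in embedded_files(blob)]


def _record(data):  # helper that builds one constructed embedded-file record
    return FDSO_HEADER + struct.pack("<Q", len(data)) + bytes(12) + data


# Constructed sample, not a complete OneNote file: one image, one inert script.
PNG = b"\x89PNG\r\n\x1a\n" + bytes(range(256))
VBS = b"' constructed sample\r\nSet d = CreateObject(\"Scripting.Dictionary\")\r\n"
SAMPLE = bytes(64) + _record(PNG) + bytes(8) + _record(VBS)

if __name__ == "__main__":
    for off, size, is_script in triage(SAMPLE):
        print(f"offset={off} size={size} script={is_script}")
```

A script flagged inside a notebook that arrived by email is a strong reason to quarantine the message, since ordinary notes rarely carry script attachments.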

OneNote will warn you about the dangers of opening files from unknown sources, but its effectiveness relies on the user actually paying attention. The VBS file will also download and display a decoy OneNote document once activated, making you none the wiser about what’s just happened.

Bleeping Computer found that the files end up installing remote access trojans, allowing attackers to access your device and steal just about anything: files, saved passwords, crypto wallets, webcam footage and so on.

The best way to stay safe from these kinds of attacks is to not open files from anyone you don’t actually know — especially OneNote files. On top of that, if you ever do open an unknown file, you need to listen to all the warnings that may pop up, all for your own safety.

Tom Pritchard
UK Phones Editor
