Microsoft OneNote Used To Sidestep Phishing Detection
Researchers at Cofense recently discovered a phishing campaign and stated that Microsoft’s digital notebook, OneNote, was used to distribute the Agent Tesla keylogger. The attacker experimented with various OneNote lures that either delivered the credential-stealing keylogger Agent Tesla or linked to a phishing page. The attack started with an email to victims containing a link to the OneNote document.
The attacker originally sent an email to companies, posing as a marketing manager sending an order invoice; the success rate of the campaign and the list of targets have not been disclosed. The order invoice link eventually brought the victims to a malicious OneNote document. Researchers allege that, over the span of two weeks, the threat actors swapped out the layout of the OneNote page, delivering a credential phishing portal and malware samples.