Detecting Malware Disguised as OneNote with Threat Intelligence | WhoisXML API



We’ve seen various Microsoft apps abused in malicious campaigns time and time again, and another one has recently joined the fray. OneNote, Microsoft’s note-taking software, has become threat actors’ new favored lure.

Proofpoint researchers recently spotted malicious actors disseminating malware camouflaged as OneNote files. They published 82 indicators of compromise (IoCs), from which we obtained 17 domains and 13 IP addresses.[1] We used these web properties as starting points for an IoC expansion analysis that led to the discovery of:

  • Four unredacted registrant email addresses used to register an additional nine domains
  • 11 IP addresses to which the domains tagged as IoCs resolved, four of which turned out to be malicious
  • 1,992 domains that shared the IoCs’ IP hosts, 16 of which turned out to be malware hosts
  • 32 domains that shared strings found among the IoCs
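The four bullets above are the output of four pivots that make up an IoC expansion: registrant e-mail, current resolution, reverse IP, and string matching. The script below is an added example, not WhoisXML API’s or Proofpoint’s code, that runs all four pivots over a small constructed dataset. Every domain, IP, e-mail and verdict in it is a placeholder standing in for what a WHOIS lookup, a passive-DNS source and a reputation feed would return; none of them come from the report.

```python
"""IoC expansion pivots over a constructed dataset (all values are placeholders)."""
from collections import defaultdict

# --- Constructed seed IoCs; stand-ins for the domains and IPs tagged in a report ---
SEED_DOMAINS = {"onenote-share.example", "docs-onenote.example"}
SEED_IPS = {"192.0.2.10"}

# Registrant e-mail per domain from a hypothetical WHOIS lookup; None means redacted.
WHOIS_EMAIL = {
    "onenote-share.example": "reg1@mail.example",
    "docs-onenote.example": None,
    "invoice-onenote.example": "reg1@mail.example",
    "notes-viewer.example": "reg1@mail.example",
    "shop.example": "owner@shop.example",
}

# A-record resolutions from a hypothetical passive-DNS source.
DNS_A = {
    "onenote-share.example": ["192.0.2.10", "198.51.100.5"],
    "docs-onenote.example": ["198.51.100.5"],
    "invoice-onenote.example": ["203.0.113.7"],
    "notes-viewer.example": ["198.51.100.5"],
    "shop.example": ["198.51.100.9"],
    "cdn.example": ["192.0.2.10"],
}

# Verdicts from a hypothetical reputation feed (constructed labels).
MALICIOUS_IPS = {"198.51.100.5"}
MALWARE_HOSTS = {"cdn.example"}


def pivot_registrant(seeds, whois):
    """Registrant pivot: unredacted e-mails on seed domains -> other domains they registered."""
    emails = {whois.get(d) for d in seeds} - {None}
    found = defaultdict(set)
    for domain, email in whois.items():
        if email in emails and domain not in seeds:
            found[email].add(domain)
    return dict(found)


def pivot_resolution(seeds, dns):
    """Resolution pivot: the IP addresses the seed domains resolve to."""
    return {ip for d in seeds for ip in dns.get(d, [])}


def pivot_reverse_ip(ips, dns, seeds):
    """Reverse-IP pivot: other domains that share one of those IP hosts."""
    return {d for d, addrs in dns.items() if d not in seeds and set(addrs) & ips}


def pivot_strings(seeds, corpus, min_len=5):
    """String pivot: domains reusing a label token (split on '-' and '.') seen in a seed domain."""
    tokens = set()
    for d in seeds:
        tokens.update(t for t in d.replace("-", ".").split(".") if len(t) >= min_len)
    tokens -= {"example", "com", "net", "org"}  # drop TLD/generic tokens that match everything
    return {d for d in corpus if d not in seeds and tokens & set(d.replace("-", ".").split("."))}


def expand(seeds=SEED_DOMAINS, seed_ips=SEED_IPS):
    """Run all four pivots and return the expanded IoC set with reputation-flagged subsets."""
    by_email = pivot_registrant(seeds, WHOIS_EMAIL)
    ips = pivot_resolution(seeds, DNS_A)
    cohosted = pivot_reverse_ip(ips | seed_ips, DNS_A, seeds)
    corpus = set(WHOIS_EMAIL) | set(DNS_A)
    return {
        "registrant_emails": len(by_email),
        "domains_via_registrant": set().union(*by_email.values()) if by_email else set(),
        "resolved_ips": ips,
        "malicious_ips": ips & MALICIOUS_IPS,
        "cohosted_domains": cohosted,
        "cohosted_malware_hosts": cohosted & MALWARE_HOSTS,
        "string_matches": pivot_strings(seeds, corpus),
    }


if __name__ == "__main__":
    for key, value in expand().items():
        print(f"{key}: {value}")
```

Note that the reverse-IP pivot is the noisiest of the four: a shared host on a large hosting provider says little on its own, which is why the report checks the co-hosted domains against a reputation feed rather than treating all of them as IoCs.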

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

[1] https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware