{"id":7980,"date":"2023-02-01T09:00:00","date_gmt":"2023-02-01T09:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/?post_type=lab_item&#038;p=7980"},"modified":"2026-05-22T12:52:25","modified_gmt":"2026-05-22T11:52:25","slug":"detecting-onenote-abuse","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/detecting-onenote-abuse\/","title":{"rendered":"Detecting OneNote Abuse"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Detecting OneNote <span class=\"blue-text\">Abuse<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Endpoint Security                                    <\/span>\n                                                            
<\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                01 February, 2023                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/detecting-onenote-abuse\/&#038;title=Detecting%20OneNote%20Abuse\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Share on Linkedin\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Detecting OneNote Abuse&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/detecting-onenote-abuse\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Share on Twitter\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    
<\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news.jpg.webp 1200w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-300x200.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-1024x683.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    
class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_a0542a3f10248edf5b58c29b0ab23eb5\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Riccardo Ancarani<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" 
focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Jojo O&#8217;Gorman<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label class=\"wp-component-content-navigation__mobile-label\">\n            <span class=\"wp-component-content-navigation__mobile-label-text\">\n                Content navigation            <\/span>\n            <select class=\"wp-component-content-navigation__select js-content-navigation-select\">\n                <option value=\"\">\n                    Select a section                <\/option>\n                            <\/select>\n        <\/label>\n    <\/div>\n\n    <div class=\"wp-component-content-navigation__desktop\">\n        <div class=\"wp-component-content-navigation__list-wrapper\">\n            <span\n                class=\"wp-component-content-navigation__indicator js-content-navigation-indicator\"\n                aria-hidden=\"true\"\n            ><\/span>\n            <ul class=\"wp-component-content-navigation__list js-content-navigation-list\">\n                            <\/ul>\n        <\/div>\n    <\/div>\n<\/nav>\n<section\n    
class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__hide-mobile wp-block-two-column-block__share wp-block-two-column-block__hide-mobile\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/detecting-onenote-abuse\/&#038;title=Detecting%20OneNote%20Abuse\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Share on Linkedin\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Detecting OneNote Abuse&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/detecting-onenote-abuse\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Share on Twitter\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <h2>Introduction<\/h2>\n<p>OneNote is a software part of the Office suite, commonly used within most 
organisations for note-keeping, task management and more. In the last year, OneNote gained more attention from a security perspective, mostly thanks to the <a href=\"https:\/\/blog.sevagas.com\/?RedTeam-With-OneNote\" target=\"_blank\" rel=\"noopener\">research paper published by Emeric Nasi<\/a>. In fact, OneNote\u2019s .one file presented various characteristics that are potentially interesting from an attacker\u2019s perspective. Specifically, the ability to attach files in existing OneNote notebooks that victims can execute with minimal warnings was of interest. This was particularly relevant as attackers were shifting their techniques towards a heavy containerization of their initial access payloads, to either avoid security features such as Mark of the Web (MOTW) or evade sandboxing.<\/p>\n<p>Moreover, Emeric Nasi found in his research that OneNote did not propagate MOTW on its attachments. This meant that attackers could, for example, embed unsigned executables and not be subject to SmartScreen or, even better, attach macro-enabled documents and avoid the restriction that Microsoft recently put in place.<\/p>\n<p>This post will discuss various abuse cases associated with the OneNote file formats and their respective detection strategies. 
The examples shown were re-created by WithSecure and detonated in a controlled environment with various monitoring tools, such as ProcMon and Sysmon configured with Florian Roth\u2019s <a href=\"https:\/\/github.com\/Neo23x0\/sysmon-config\" target=\"_blank\" rel=\"noopener\">recommended settings<\/a><\/p>\n<h2>Silent Patch and Mark Of The Web<\/h2>\n<p>As of 18\/01\/2023, WithSecure observed that the ability to bypass MOTW for attachments within .one notebooks was patched, and therefore all the attachments that OneNote will write on disk will have MOTW by default, even if the .one file does not come from the internet.<\/p>\n<p>The figure below is taken from ProcMon and shows the OneNote.exe process appending the MOTW on the created file:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/picture1.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>This greatly decreases the risk associated with .one files, but does not completely eliminate it.  The rest of the post will describe various abuse-cases and possible detection opportunities.<\/p>\n<h2>Case 1 &#8211; Executable Attachment<\/h2>\n<p>Attackers can still embed executables in OneNote sections and lure users to execute them with various pretexts. When double clicking an attachment, OneNote will warn the user with the following message:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/picture2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>If the user confirms, the executable will be written on disk and then executed. 
We can observe it from Sysmon event ID 11:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/picture3.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>As we can see from the image above, the file is written in OneNote\u2019s temporary directory, %TEMP%\\OneNote\\16.0\\Exported.<\/p>\n<p>Additionally, if the user ticks, or has previously ticked, the box \u201cDon\u2019t show me this again\u201d, the following registry key will be created:<\/p>\n<p>HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\16.0\\OneNote\\Options\\EmbeddedFileOpenOptions with a DWORD key named EmbeddedFileOpenWarningDisabled set to 1. A value of zero would revert it back to the normal setting. If the value is 1, however, OneNote will still display the warning but with a slightly different message:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/picture4.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>It must be noted that this setting applies to all the notebooks opened from the machine where the registry key is present. The message above will appear when executing potentially dangerous files, but the attachment will be opened automatically in the case of \u201csafer\u201d content such as Office documents. Since this value changes how OneNote warns the user, changes to it are themselves worth monitoring.<\/p>\n<h2>Detection<\/h2>\n<p>From a detection perspective, it would be possible to look for file write events where the target path matches the OneNote directory mentioned above. A first approach would be to look only for specific file extensions, as matching every file write could easily lead to a concerning amount of false positives.<\/p>\n<p>To further refine the detection, it would be possible to look for executable content dropped by OneNote.exe after a .one file is downloaded from the internet. This is possible by using Sysmon event ID 15 (file stream created). 
As shown below, we can see that an ADS associated with MOTW is created after the .one file is downloaded from an external source:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/picture5.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>One thing to note (no pun intended) is that the integer after the NT part of the path is an incremental value that changes depending on how many attachments the user clicks from the same OneNote file; therefore that value should be considered non-static for detection engineering purposes.<\/p>\n<h2>Prevention<\/h2>\n<p>This type of abuse can be prevented using different strategies:<\/p>\n<ul>\n<li>By deploying application control and therefore blocking unsigned EXEs from being executed<\/li>\n<li>By enabling Attack Surface Reduction with the rule \u201cBlocking Office applications from creating child processes\u201d<\/li>\n<\/ul>\n<p>Both solutions present problems; for instance, application control can be easily bypassed if not properly configured and some LOLBins will almost certainly be allowed.<\/p>\n<p>The ASR configuration might be impractical to enforce across an estate of a considerable size, but most importantly there are LOLBins that will bypass this rule, such as <a href=\"https:\/\/lolbas-project.github.io\/lolbas\/Binaries\/Explorer\/\" target=\"_blank\" rel=\"noopener\">explorer<\/a>.<\/p>\n<p>An experiment was also made by leveraging Sysmon 14.0\u2019s FileBlockExecutable rule, so that the OneNote.exe process cannot write executable content on disk. A snippet of a Sysmon configuration file that implements the prevention mechanism can be found below:<\/p>\n<p>However, for unknown reasons, the rule above never triggered when OneNote dropped executable files on disk. 
This might be related to some of the <a href=\"https:\/\/www.huntandhackett.com\/blog\/bypassing-sysmon\" target=\"_blank\" rel=\"noopener\">known limitations<\/a> of this capability. It is therefore recommended not to rely on this to protect against this particular use-case.<\/p>\n<h2>Case 2 &#8211; Living-off-the-Land Binaries and LNKs<\/h2>\n<p>Another common abuse case that was observed being used in the wild consisted of attaching content to a OneNote section that, by default, will be executed with a LOLBin. Examples of this include HTA, CHM, CPL, XLL or LNK files.<\/p>\n<p>For this scenario, we will start by detonating an XLL file that was attached in a .one container and obtain the following:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/picture6.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>By enabling the add-in, we would then observe the following events:<\/p>\n<ul>\n<li>Process creation of a process with the current directory being set to the OneNote temporary directory and a command line with the same folder in it. The parent process would be OneNote.exe<\/li>\n<\/ul>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/picture7.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<ul>\n<li>Module Load event where the Image path contains \u201cOneNote\\16.0\\Exported\u201d<\/li>\n<\/ul>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/picture8.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h2>Detection<\/h2>\n<p>Considering the variety of LOLBins and the huge difference in their behaviour, it seems that the most reliable strategy is to look for OneNote.exe spawning child processes that are also LOLBins. 
This obviously presents a challenge as many LOLBin-like programs (such as all the Office products) are likely being used legitimately most of the time. Analysis of the command line is therefore needed to cover edge cases, such as the one presented by the XLL file.<\/p>\n<h2>Case 3 &#8211; RTLO Spoofing<\/h2>\n<p>Another interesting edge-case is when the attackers spoof the extension of the file using the Right-to-Left Override (RTLO) technique (<a href=\"https:\/\/blog.sevagas.com\/?Bypass-Defender-and-other-thoughts-on-Unicode-RTLO-attacks\" target=\"_blank\" rel=\"noopener\">https:\/\/blog.sevagas.com\/?Bypass-Defender-and-other-thoughts-on-Unicode-RTLO-attacks<\/a>). In this case, although the process tree will remain the same, the file name found in the file-write event might not reflect the actual content of the dropped file.<\/p>\n<p>The example below shows the creation of an HTA file with a spoofed extension to make it look like a PNG:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/picture9.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<h2>Detection<\/h2>\n<p>Although there are no trivial ways of detecting this specific behaviour, the parent-child process relationship will remain the same and therefore the considerations made in the previous sections should still apply.<\/p>\n<h2>Case 4 &#8211; Maldoc Attachment<\/h2>\n<p>Although the MOTW patch now prevents documents that were embedded in a .one section from running unsigned macros, it is possible to imagine that attackers will:<\/p>\n<ul>\n<li>Sign their macro<\/li>\n<li>Find a MOTW bypass<\/li>\n<\/ul>\n<p>It is therefore recommended to pay particular attention to module load events of VBE7.dll from files that were written in the OneNote temporary folder.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/picture10.png.webp\" alt=\"\" class=\"wp-component-image\" 
\/><\/figure>\n<h2>Other Detection Methods<\/h2>\n<h2>Static Scanning<\/h2>\n<p>From empirical experiments, it appeared that OneNote files are not being parsed correctly by various security solutions. That, combined with the fact that .one files are not part of the Outlook attachment blacklist, is making .one files appealing for attackers.<\/p>\n<p>From what it was possible to observe, without digging into the OneNote file format, all the embedded attachments are simply appended within the .one file.<\/p>\n<p>The figure below shows the header of an embedded EXE that was attached for testing:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/picture11.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>All the YARA-based detection should still apply and be effective against .one files. If OneNote files were part of some allow-list, it would be recommended to remove them. A simple test consists of embedding a known-malicious payload, such as Mimikatz, and applying the YARA rule against the .one file:<\/p>\n<p>Although not realistic, this shows that the attachments within OneNote files have no built-in compression or obfuscation.<\/p>\n<h2>Sequential Containerisation<\/h2>\n<p>As it became obvious from most of the recent initial-access campaigns spotted in the wild, attackers tend to pack their malware in multiple containers, such as ZIP files or ISOs. Now that OneNote files are gaining traction, it is expected to see threat actors packaging .one within other containers or vice-versa, creating endless \u2013 and sometimes useless \u2013 chains that someone will eventually end up posting on Twitter.<\/p>\n<p>OneNote Packages (.onepkg)<\/p>\n<p>OneNote offers the ability to export an entire notebook in a packaged file with the extension of .onepkg. 
The figure below shows the export of an entire notebook in the .onepkg format:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/picture12.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>When the file is double-clicked, the user will be presented with a file browser window to decide where to store the packaged .one files. Once the file is saved, OneNote will open it automatically and display its content.<\/p>\n<p>From an attacker\u2019s point of view, although .onepkg files are not very commonly seen being shared, they could potentially evade some static scanning detections. This is due to the fact that the embedded .one files are not simply appended, as we saw before, but packaged in a CAB file.<\/p>\n<p>If we inspect the header of the .onepkg, we can see that the magic bytes \u201cMSCF\u201d correspond to a CAB file:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/picture13.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>If we extract its content with the \u201cexpand\u201d utility:<\/p>\n<p>We can then see that another onepkg file was extracted, this time displaying the entire content of its attachments as shown with the classic .one files.<\/p>\n<p>From a defense perspective the previous recommendations apply; it is, however, also recommended to block the download of .onepkg files.<\/p>\n<h2>Abuse in the Wild<\/h2>\n<p>As mentioned before, OneNote is being abused more frequently by threat actors. 
An example of a campaign that leveraged the RTLO technique described in this post was analysed in great detail by the researchers at SpiderLabs in their post <a href=\"https:\/\/www.trustwave.com\/en-us\/resources\/blogs\/spiderlabs-blog\/trojanized-onenote-document-leads-to-formbook-malware\/\" target=\"_blank\" rel=\"noopener\">Trojanized OneNote Document Leads to Formbook Malware<\/a>.<\/p>\n<p>Other, and more recent, evidence of abuse of OneNote was also highlighted by the Perception Point Attack Trends researchers:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/picture14.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>The analysed sample, alongside other similar ones downloaded from VirusTotal, showed that at the moment the preferred technique is to embed some sort of script, either a VBS or an HTA file. This is useful for defenders as it gives priority to which techniques to look for.<\/p>\n<p>For example, on the sample mentioned above, by leveraging the <a href=\"https:\/\/github.com\/knight0x07\/OneNoteAnalyzer\/releases\/tag\/OneNoteAnalyzer\" target=\"_blank\" rel=\"noopener\">OneNoteAnalyzer<\/a> tool by knight0x07 we can extract the HTA attachment:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/picture15.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>In this case the sample was using the RTLO technique as well, and we can see that the execution method chosen by the attacker was PowerShell launched via WMI:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/picture16.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>The sample was also downloading a decoy .one from the internet, probably to show some content to the victim without raising suspicion. 
Note that the available analysers cannot parse .onepkg files yet, so they might have to be manually unpacked first.<\/p>\n<p>Another, apparently common, technique that is being used in the wild consists of placing images in front of attachments to avoid user suspicion.<\/p>\n<p>In a nutshell, if you put an image in front of an attachment, and the victim clicks on the image, OneNote will attempt to start the attachment in the background.<\/p>\n<p>This strategy is not something new, and was initially used in the sample shared by <a href=\"https:\/\/www.trustwave.com\/en-us\/resources\/blogs\/spiderlabs-blog\/trojanized-onenote-document-leads-to-formbook-malware\/\" target=\"_blank\" rel=\"noopener\">SpiderLabs<\/a>. A more recent sample was <a href=\"https:\/\/twitter.com\/nosecurething\/status\/1617598720048263168\" target=\"_blank\" rel=\"noopener\">shared on Twitter<\/a>. WithSecure analysed it in their malware analysis lab and confirmed that the same technique was used, as can be seen in the image below:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/2023-01-23-22-34-35-f-secure-playground-mozilla-firefox.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Identifying this doesn&#x27;t really require a lot of effort, as it only requires moving the image, which reveals all the attachments. Interestingly enough, the attachments are &quot;duplicated&quot; to cover the entire image; doing so triggers the attachment open regardless of where the user clicks on the lure image.<\/p>\n<p>Although the analysed techniques are relatively straightforward, it is expected that complexity will be introduced by adversaries in these types of payloads.<\/p>\n<h2>Conclusions<\/h2>\n<p>In this post we analysed the various aspects of the abuse of the OneNote format, how it can be used from an attacker perspective and what trace it leaves on systems when a successful exploitation is achieved. 
The following key points summarise the recommended remedial actions:<\/p>\n<ul>\n<li>If possible, block direct download of .one and .onepkg files at the proxy level<\/li>\n<li>If possible, block .one and .onepkg mail attachments<\/li>\n<li>Monitor the operations of the OneNote.exe process, especially when a .one file is downloaded from the internet<\/li>\n<li>Pay particular attention to process creation events associated with common LOLBins<\/li>\n<li>File write operations should also be monitored closely<\/li>\n<\/ul>\n<p>Blocking the .one and .onepkg files from being downloaded will not be sufficient on its own, as attackers can utilise techniques such as HTML smuggling and other containerisation mechanisms to avoid perimeter controls.<\/p>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/detecting-onenote-abuse\/&#038;title=Detecting%20OneNote%20Abuse\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Share on Linkedin\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Detecting OneNote 
class=\"wp-component-card-insight__desc\">Source: https:\/\/labs.withsecure.com\/publications\/darkgate-rises<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/darkgate-rises\/\">Read more<\/a>            <\/div>\n            <\/div>\n<\/div>                        <\/div>\n                                    <\/div>\n                <div class=\"wp-block-cards__nav fade-in\">\n                    <div class=\"wp-block-cards__pagination js-wp-block-cards-pagination\">\n                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-prev\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                    <div class=\"wp-block-cards__nav-arrow js-wp-block-cards-nav-next\">\n                        <svg class='edwp-icon edwp-icon--reg js-icon ' aria-hidden='true'>\n                <use xlink:href='#chevron'><\/use>\n            <\/svg>                    <\/div>\n                <\/div>\n            <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>OneNote is a software part of the Office suite, commonly used within most organisations for note-keeping, task management and more. 
<\/p>\n","protected":false},"author":3,"featured_media":8857,"template":"","categories":[240,239],"labs_content_type":[296],"class_list":["post-7980","lab_item","type-lab_item","status-publish","has-post-thumbnail","hentry","category-attack-detection","category-endpoint-security"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_news.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_news.jpg 1200w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_news-300x200.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_news-1024x683.jpg 1024w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_news-768x512.jpg 768w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_news-447x298.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_news-219x146.jpg 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span class=\"wp-component-card-insight__category\">Endpoint Security<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Detecting OneNote 
Abuse<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">OneNote is a software part of the Office suite, commonly used within most organisations for note-keeping, task management and more. <\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/detecting-onenote-abuse\/\">Read more<\/a>            <\/div>\n            <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/lab_item\/7980","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/users\/3"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/media\/8857"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/media?parent=7980"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/categories?post=7980"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/labs_content_type?post=7980"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}