{
	"id": "fb157634-ef96-4d13-9c2d-8b8ff52095bc",
	"created_at": "2026-04-06T00:15:23.706308Z",
	"updated_at": "2026-04-10T03:20:55.491419Z",
	"deleted_at": null,
	"sha1_hash": "5abb45e244ab3af049920c6b54d2422c61c8befe",
	"title": "Emotet malware now distributed in Microsoft OneNote files to evade defenses",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4329549,
	"plain_text": "Emotet malware now distributed in Microsoft OneNote files to evade defenses\r\nBy Lawrence Abrams\r\nPublished: 2023-03-18 · Archived: 2026-04-05 15:24:18 UTC\r\nThe Emotet malware is now distributed using Microsoft OneNote email attachments, aiming to bypass Microsoft security restrictions and infect more targets.\r\nEmotet is a notorious malware botnet historically distributed through Microsoft Word and Excel attachments that contain malicious macros. If a user opens the attachment and enables macros, a DLL will be downloaded and executed that installs the Emotet malware on the device.\r\nOnce loaded, the malware will steal email contacts and email content for use in future spam campaigns. It will also download other payloads that provide initial access to the corporate network.\r\nhttps://www.bleepingcomputer.com/news/security/emotet-malware-now-distributed-in-microsoft-onenote-files-to-evade-defenses/\r\nPage 1 of 7\r\nThis access is used to conduct cyberattacks against the company, which could include ransomware attacks, data theft, cyber espionage, and extortion.\r\nWhile Emotet was one of the most widely distributed malware families in the past, over the past year it stopped and started in spurts, ultimately taking a break towards the end of 2022.\r\nAfter three months of inactivity, the Emotet botnet suddenly turned back on, spewing malicious emails worldwide earlier this month.\r\nHowever, this initial campaign was flawed as it continued to use Word and Excel documents with macros. As Microsoft now automatically blocks macros in downloaded Word and Excel documents, including those attached to emails, this campaign would only infect a few people.\r\nMalicious Emotet Word document used earlier this month\r\nSource: BleepingComputer\r\nDue to this, BleepingComputer predicted that Emotet would switch to Microsoft OneNote files, which have become a popular method for distributing malware after Microsoft began blocking macros.\r\nEmotet switches to Microsoft OneNote\r\nAs predicted, in an Emotet spam campaign first spotted by security researcher abel, the threat actors have now begun distributing the Emotet malware using malicious Microsoft OneNote attachments.\r\nThese attachments are distributed in reply-chain emails that impersonate guides, how-tos, invoices, job references, and more.\r\nEmotet spam email\r\nSource: BleepingComputer\r\nAttached to the email are Microsoft OneNote documents that display a message stating that the document is protected. It then prompts you to double-click the 'View' button to display the document properly.\r\nMalicious Microsoft OneNote attachment\r\nSource: BleepingComputer\r\nMicrosoft OneNote allows you to create documents that contain design elements that overlay an embedded document. However, when you double-click on the location where the embedded file is located, even if there is a design element over it, the file will be launched.\r\nIn this Emotet malware campaign, the threat actors have hidden a malicious VBScript file called 'click.wsf' underneath the \"View\" button, as shown below.\r\nHidden click.wsf file in the Microsoft OneNote document\r\nSource: BleepingComputer\r\nThis VBScript contains a heavily obfuscated script that downloads a DLL from a remote, likely compromised, website and then executes it.\r\nMalicious click.wsf VBScript file\r\nSource: BleepingComputer\r\nWhile Microsoft OneNote will display a warning when a user attempts to launch an embedded file in OneNote, history has shown us that many users commonly click 'OK' buttons to get rid of the alert.\r\nWarning when opening a file embedded in Microsoft OneNote\r\nSource: BleepingComputer\r\nIf the user clicks on the OK button, the embedded click.wsf VBScript file will be executed using WScript.exe from OneNote's Temp folder, which will likely be different for each user:\r\n\"%Temp%\\OneNote\\16.0\\Exported\\{E2124F1B-FFEA-4F6E-AD1C-F70780DF3667}\\NT\\0\\click.wsf\"\r\nThe script will then download the Emotet malware as a DLL [VirusTotal] and store it in the same Temp folder. It will then launch the randomly named DLL using regsvr32.exe.\r\nEmotet will now quietly run on the device, stealing email and contacts and awaiting further commands from the command and control server.\r\nWhile it is not known what payloads this campaign ultimately drops, it commonly leads to Cobalt Strike or other malware being installed.\r\nThese payloads allow threat actors working with Emotet to gain access to the device and use it as a springboard to spread further in the network.\r\nBlocking malicious Microsoft OneNote documents\r\nMicrosoft OneNote has become a massive malware distribution problem, with multiple malware campaigns using these attachments.\r\nDue to this, Microsoft will be adding improved protections in OneNote against phishing documents, but there is no specific timeline for when this will be available to everyone.\r\nHowever, Windows admins can configure group policies to protect against malicious Microsoft OneNote files.\r\nAdmins can use these group policies either to block embedded files in Microsoft OneNote altogether or to specify file extensions that should be blocked from running.\r\nAll file attachments are blocked in Microsoft OneNote\r\nSource: BleepingComputer\r\nYou can read more about the available group policies in a dedicated article BleepingComputer wrote earlier this month.\r\nIt is strongly suggested that Windows admins utilize one of these options until Microsoft adds further protections to OneNote.\r\nSource: https://www.bleepingcomputer.com/news/security/emotet-malware-now-distributed-in-microsoft-onenote-files-to-evade-defenses/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/emotet-malware-now-distributed-in-microsoft-onenote-files-to-evade-defenses/"
	],
	"report_names": [
		"emotet-malware-now-distributed-in-microsoft-onenote-files-to-evade-defenses"
	],
	"threat_actors": [],
	"ts_created_at": 1775434523,
	"ts_updated_at": 1775791255,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5abb45e244ab3af049920c6b54d2422c61c8befe.pdf",
		"text": "https://archive.orkl.eu/5abb45e244ab3af049920c6b54d2422c61c8befe.txt",
		"img": "https://archive.orkl.eu/5abb45e244ab3af049920c6b54d2422c61c8befe.jpg"
	}
}