{
	"id": "c2d1055c-d3d0-4b8b-8bfb-15fb7e837cdf",
	"created_at": "2026-04-06T00:09:16.412339Z",
	"updated_at": "2026-04-10T03:21:09.421407Z",
	"deleted_at": null,
	"sha1_hash": "88dfa8d33a9ea5e11f03b2a61d1b5a24182763ea",
	"title": "Emotet resumes spam operations, switches to OneNote",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2428175,
	"plain_text": "Emotet resumes spam operations, switches to OneNote\nBy Edmund Brumaghin\nPublished: 2023-03-22 · Archived: 2026-04-05 13:21:38 UTC\nWednesday, March 22, 2023 15:41\n\nEmotet resumed spamming operations on March 7, 2023, after a months-long hiatus. Initially leveraging heavily padded Microsoft Word documents to attempt to evade sandbox analysis and endpoint protection, the botnets switched to distributing malicious OneNote documents on March 16. Since returning, Emotet has leveraged several distinct infection chains, indicating that they are modifying their approach based on their perceived success in infecting new systems.\n\nThe initial emails delivered to victims are consistent with what has been observed from Emotet over the past several years.\n\nInitial campaign\n\nFollowing its initial return to spamming operations, Emotet was leveraging heavily padded Microsoft Word documents in an attempt to evade detection. By leveraging a large number of inconsequential bytes in their documents, they could increase the size of the documents to surpass the maximum file size restrictions that automated analysis platforms like sandboxes and anti-virus scanning engines enforce.\n\nThe initial emails were consistent with what has been commonly observed from Emotet in recent years. They typically contained an attached ZIP archive containing a Microsoft Word document. An example of one such email is shown below.\n\nhttps://blog.talosintelligence.com/emotet-switches-to-onenote/\nPage 1 of 11\n\nWhile the ZIP archives are often small, in some cases only ~646KB, the Microsoft Word document when fully extracted was ~500MB in size.\n\nThe document included a large number of 0x00 bytes, a technique commonly referred to as “padding.”\n\nSome of the documents also featured excerpts from the classic novel “Moby Dick,” another attempt to increase the size of the documents for evasion purposes.\n\nThe Office documents featured templates consistent with those used by Emotet in the past, as shown below.\n\nThe Word documents in this campaign contained malicious VBA macros that, when executed, functioned as a malware downloader, retrieving the Emotet payload from attacker-controlled distribution servers and infecting systems, thus adding them to the Emotet botnets.\n\nEmotet shifts to OneNote\n\nMicrosoft recently deployed new security mechanisms around protecting endpoints from macro-based malware infections, which resulted in various threat actors moving away from Office document-based malspam campaigns. In many cases, these malware distribution campaigns switched to distributing OneNote documents instead, likely as a result of decreased infections and lower success rates. Emotet is no different — shortly after their return to spamming operations on March 16, 2023, they began distributing OneNote files, as well.\n\nIn one example, the sender purported to be from the U.S. Internal Revenue Service (IRS) and requested that the recipient complete the attached form.\n\nThe attached OneNote document featured templates similar to what has been observed in other Office document formats over the past several years, prompting the user to click inside the document to view the file.\n\nWhen clicked, an embedded WSF script linked behind the view button containing malicious VBScript code is executed.\n\nThis VBScript downloader is responsible for retrieving the Emotet malware payload from an attacker-controlled server and infecting the system.\n\nMore recently, the embedded object inside of the OneNote files contained JavaScript instead of VBScript but offered the same functionality within the infection chain.\n\nHovering over the next button indicates that an object called “Object1.js” will execute when the button is clicked. This is because the attacker has embedded a clickable object behind the lure image as shown below.\n\nThis object is a heavily obfuscated JavaScript downloader responsible for retrieving and executing the Emotet payload on the system. A snippet from the obfuscated downloader is shown below.\n\nIn a relatively short period, Emotet has modified its infection chain several times to maximize the likelihood of successfully infecting victims.\n\nIndicators of Compromise\n\nIndicators of compromise (IOCs) associated with ongoing Emotet campaigns can be found here.\n\nCoverage\n\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\n\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.\n\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\n\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.\n\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\n\nUmbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\n\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\n\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\n\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\n\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\n\nTalos created the following coverage for this threat.\n\nSnort SIDs:\n51967-51971, 43890-43892, 44559, 44560, 47327, 47616, 47617, 48402, 49888, 49889, 52029, 53108, 53353-53360, 53770, 53771, 54804, 54805, 54900, 54901, 54924, 54925, 55253, 55254, 55591, 55592, 55781, 55782, 55787, 55788, 55869, 55870, 55873, 55874, 55929-55931, 56003, 56046, 56047, 56170, 56171, 56528, 56529, 56535, 56536, 56620, 56621, 56656, 56657, 56713, 56714, 56906, 56907, 56924, 56925, 56969, 56970, 56983, 56984, 57901, 58943\n\nClamAV Rules:\nOnenote.Dropper.Emotet-9993911-1\nOnenote.Dropper.CodPhish-Emotet-9993220-1\nOnenote.Trojan.Agent-9987935-0\n\nSource: https://blog.talosintelligence.com/emotet-switches-to-onenote/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/emotet-switches-to-onenote/"
	],
	"report_names": [
		"emotet-switches-to-onenote"
	],
	"threat_actors": [],
	"ts_created_at": 1775434156,
	"ts_updated_at": 1775791269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/88dfa8d33a9ea5e11f03b2a61d1b5a24182763ea.pdf",
		"text": "https://archive.orkl.eu/88dfa8d33a9ea5e11f03b2a61d1b5a24182763ea.txt",
		"img": "https://archive.orkl.eu/88dfa8d33a9ea5e11f03b2a61d1b5a24182763ea.jpg"
	}
}