Emotet is back: Microsoft OneNote is not a safe place anymore

Eray Eliaçik
Mar 22, 2023

Emotet is back and ready to strike via Microsoft OneNote email attachments. The Emotet operation, tracked by different vendors as Gold Crestwood, Mummy Spider or TA542, remains active and resilient despite the law enforcement takedown of its infrastructure in January 2021.

Emotet started as a derivative of the Cridex banking trojan, but has since evolved into a monetized access platform: other threat actors pay for installs on already-infected machines (a pay-per-install, or PPI, model) and then use that foothold to steal sensitive data and deploy ransomware for extortion.

Emotet is back and spreading with Microsoft OneNote attachments

After a brief absence, the notorious Emotet malware has returned, this time spreading through Microsoft OneNote email attachments in an effort to bypass macro-based security restrictions and compromise systems. Organisations in manufacturing, high-tech, telecom, finance and energy are among the sectors targeted, so users there should be especially careful.

The dropper is distributed through spam emails carrying malicious attachments. Since Microsoft began blocking macros by default in Office files downloaded from the internet, OneNote attachments have become an appealing alternative: a .one file is not subject to the macro policy and can embed arbitrary files. Malwarebytes disclosed that the OneNote lure is simple but effective social engineering. The page shows a fake notification claiming the document is protected and tells the victim to double-click a "View" button; the button is an image laid over an embedded Windows Script File (WSF), so the double-click actually opens the script. OneNote does display a warning about opening attachments, but the lure's instructions condition the victim to click through it. Once running, the WSF retrieves the Emotet binary payload from a remote server and executes it.

The campaign also pads the payload to defeat size-based scanning. The Emotet binary is inflated with junk bytes to over 550 MB, larger than the limit at which many antivirus and sandbox products skip a file, and then shipped inside a ZIP archive. Because the padding compresses almost to nothing, the attachment itself stays small; the oversized file only appears when the archive is decompressed, which is why the technique is described as a decompression bomb.
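Both tricks described above, an embedded script behind a OneNote "button" and a payload padded to an extreme size before zipping, leave traces an analyst can check for before anyone double-clicks. The following is an added example written for this article, not code from Malwarebytes or any other vendor. It triages a ZIP attachment: it flags members whose uncompressed size or compression ratio is extreme, and for any `.one` member it carves out embedded files by locating the `FileDataStoreObject` header GUID defined in Microsoft's MS-ONESTORE specification and sniffs whether they look like scripts or executables. The thresholds, member names and the constructed sample blob are assumptions for illustration; the sample is not a real OneNote file, only the embedded-file structure inside it is realistic.

```python
"""Triage a ZIP attachment for OneNote lures and padded payloads (added example)."""
import io
import zipfile

# MS-ONESTORE FileDataStoreObject GUIDs, as stored on disk (little-endian):
#   guidHeader {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
#   guidFooter {71FBA722-0F79-4A0B-BB13-899256426B24}
FDS_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
FDS_FOOTER = bytes.fromhex("22A7FB71790F0B4ABB13899256426B24")
FDS_HEADER_LEN = 36  # guidHeader(16) + cbLength(8) + unused(4) + reserved(8)

# Assumed triage thresholds (not from the article): a member that inflates past
# 100 MB, or by more than 100x, deserves a closer look.
MAX_UNCOMPRESSED = 100 * 1024 * 1024
MAX_RATIO = 100


def find_embedded_files(one_bytes):
    """Return the FileData payload of every well-formed FileDataStoreObject."""
    found = []
    pos = one_bytes.find(FDS_HEADER)
    while pos != -1:
        length_off = pos + 16
        if length_off + 8 > len(one_bytes):
            break
        cb_length = int.from_bytes(one_bytes[length_off:length_off + 8], "little")
        start = pos + FDS_HEADER_LEN
        end = start + cb_length
        # Only trust the length field if the footer GUID sits exactly where it says.
        if end + 16 <= len(one_bytes) and one_bytes[end:end + 16] == FDS_FOOTER:
            found.append(one_bytes[start:end])
            pos = one_bytes.find(FDS_HEADER, end + 16)
        else:
            # Truncated or bogus object: skip this header and keep scanning.
            pos = one_bytes.find(FDS_HEADER, pos + 1)
    return found


def classify_payload(data):
    """Crude type sniff on an embedded file's leading bytes."""
    head = data[:512].lstrip()
    if head.startswith(b"MZ"):
        return "pe-executable"
    lowered = head.lower()
    if lowered.startswith(b"<") and (b"<job" in lowered or b"<script" in lowered):
        return "script-wsf-or-hta"
    if b"wscript" in lowered or b"createobject(" in lowered or b"powershell" in lowered:
        return "script-text"
    if head.startswith(b"%PDF"):
        return "pdf"
    if head.startswith(b"PK\x03\x04"):
        return "zip-or-office-ooxml"
    return "other"


def scan_zip(zip_bytes, max_uncompressed=MAX_UNCOMPRESSED, max_ratio=MAX_RATIO):
    """Return (member_name, finding) pairs for a ZIP attachment held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = info.file_size / max(info.compress_size, 1)
            if info.file_size > max_uncompressed:
                findings.append((info.filename, f"inflates to {info.file_size} bytes"))
            if ratio > max_ratio:
                findings.append((info.filename, f"compression ratio {ratio:.0f}:1"))
            # Never inflate an unbounded member just to look inside it.
            if info.filename.lower().endswith(".one") and info.file_size <= max_uncompressed:
                for blob in find_embedded_files(zf.read(info)):
                    kind = classify_payload(blob)
                    if kind.startswith(("script", "pe")):
                        findings.append((info.filename, f"embedded {kind} ({len(blob)} bytes)"))
    return findings


def build_sample_zip():
    """Constructed sample: a .one-style blob hiding a harmless WSF, plus a zero-padded member."""
    wsf = (b'<?xml version="1.0"?>\r\n<job id="view">\r\n'
           b'<script language="JScript">\r\n'
           b'// constructed stand-in for a downloader; it does nothing\r\n'
           b'</script>\r\n</job>\r\n')
    one_blob = (b"\x00" * 64 + FDS_HEADER + len(wsf).to_bytes(8, "little")
                + b"\x00" * 12 + wsf + FDS_FOOTER + b"\x00" * 64)
    padded = b"\x00" * (2 * 1024 * 1024)  # junk padding compresses to a few KB
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2023.one", one_blob)
        zf.writestr("padded.bin", padded)
    return buf.getvalue()


if __name__ == "__main__":
    for member, finding in scan_zip(build_sample_zip()):
        print(f"{member}: {finding}")
```

Run against the constructed sample, the scan reports the `.one` member for its embedded WSF and the padded member for its compression ratio. On a real attachment the same two signals apply: a `.one` file that carries any embedded `MZ` or script payload is worth blocking outright, and a ZIP whose member inflates far beyond the archive size should be detonated in a sandbox rather than trusted because a scanner skipped it.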

How to protect yourself from Emotet?

Understanding how Emotet operates is the first step toward protecting yourself and your users from it. Further measures include:

  • Keep Windows and all other endpoints fully patched. In particular, apply MS17-010, the fix for the SMBv1 flaw exploited by EternalBlue; TrickBot, which is often delivered as a secondary Emotet payload, uses EternalBlue to move laterally across unpatched hosts. Disabling SMBv1 where it is not needed removes the attack surface entirely.
  • Never open an unexpected attachment or follow an unfamiliar link. Emotet's initial access depends on a user opening the lure, so a message that is deleted or reported instead of opened gives the malware no way onto the machine or the network.
  • Use strong, unique passwords and enable two-factor authentication. Emotet harvests credentials from infected hosts and brute-forces network shares, so weak or reused passwords turn a single infection into a network-wide one.
  • Rely on layered defences rather than a single control: mail filtering that quarantines or sandboxes .one and archive attachments, endpoint protection that blocks script hosts launching from Office and OneNote, and monitoring for the outbound downloads the WSF stage performs.


