Phishing Emails with OneNote Attachments Used to Disseminate RATs

Microsoft® Windows OS
Advisory ID:
January 24, 2023


A new method of delivering Remote Access Trojans (RATs) has been discovered that uses Microsoft OneNote attachments (files with the ‘.one’ extension). Because users now easily identify the ubiquitous malicious Word or Excel documents, threat actors are resorting to other means to fool unsuspecting victims into downloading malicious files. Microsoft OneNote is free note-taking software that can either be downloaded online or is included as part of Microsoft’s Office suite of applications.

Description & Consequence

The malicious OneNote files are delivered via phishing emails disguised as DHL shipping mails, invoices, ACH remittance forms, and so on. The OneNote attachment that the intended victim downloads is a "notebook" with a malicious attachment included in it. Threat actors place a "Double Click To View" banner over the notebook so that double-clicking it loads the attachment. When you click, the system will warn you about the dangers of opening attachments that could harm your system or data. Users usually ignore these warnings, and if they click 'OK,' a RAT is downloaded from a C2 and installed. The Quasar RAT, AsyncRAT, and XWorm RAT are among the RATs being downloaded.

RATs are among the most dangerous subsets of Trojans and can be used to deliver other malware payloads, steal passwords and other personally identifiable information (PII), and generally gain access to a compromised account to perform actions like taking screenshots and recording with the webcam and microphone.


In order to be better prepared to counter phishing attacks such as this:

  1. Install a reputable anti-malware solution with a strong internet security component. Also, keep the anti-malware solution up to date.
  2. Always ensure that your web browser is updated to the latest version.
  3. Raise cybersecurity awareness among staff, especially on phishing techniques.
  4. Do not click on arbitrary attachments!
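
A mail-triage check for the delivery method described above, added here as an example and not taken from the advisory: it flags email attachments that are OneNote files by extension or by file header (so renamed files are caught) and counts embedded file objects. The two GUIDs are assumed from Microsoft's published OneNote file format ([MS-ONESTORE]); the function names and the sample message are constructed for illustration.

```python
import uuid
from email import message_from_bytes, policy
from email.message import EmailMessage

# GUIDs assumed from Microsoft's published OneNote format ([MS-ONESTORE]), not from this advisory.
ONE_HEADER = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le  # .one file type
FILE_DATA_STORE = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le  # embedded file start


def triage_onenote_attachments(raw_email: bytes) -> list:
    """Flag attachments that are OneNote files by name or by content."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        by_name = name.lower().endswith(".one")
        by_magic = data.startswith(ONE_HEADER)  # catches renamed .one files
        if by_name or by_magic:
            findings.append({
                "filename": name,
                "extension_match": by_name,
                "header_match": by_magic,
                # Heuristic: each embedded file object begins with this GUID.
                "embedded_files": data.count(FILE_DATA_STORE),
            })
    return findings


def build_sample_email() -> bytes:
    """Constructed test message; attachment bodies are inert placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = "Shipment notification (constructed sample)"
    msg.set_content("Please see the attached document.")
    fake_one = ONE_HEADER + b"\x00" * 32 + FILE_DATA_STORE + b"placeholder"
    msg.add_attachment(fake_one, maintype="application",
                       subtype="octet-stream", filename="Shipment.one")
    msg.add_attachment(fake_one, maintype="application",
                       subtype="octet-stream", filename="Invoice.dat")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for finding in triage_onenote_attachments(build_sample_email()):
        print(finding)
```

A finding with a nonzero `embedded_files` count is the case the advisory describes, a notebook carrying an attached file, and is a reasonable trigger for quarantine or manual review.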


