Microsoft OneNote, Evernote Phishing Attacks Are Threat To MSPs

‘The OneNote attack vector involves an attached document while the Evernote attack is a social engineering attack that comes directly from the Evernnote domain,’ says CNWR President Jason Slagle. ‘These are two different, but both very effective attack vectors. We see attacks like this all the time. It is constant.’

Phishing attacks that leverage Microsoft OneNote and Evernote are a potential threat to MSPs, warned threat researchers Wednesday.

Threat researcher Blackpoint Cyber warned that it is has observed several attack attempts using the Microsoft OneNote note taking application.

ATTN: The Blackpoint SOC advises partners to block .one attachments in their email filter. We have observed several attempts at initial access using ONENOTE. Our SOC has seen indicators of compromise (IoCs) and has taken action to mitigate the threats before spread was observed.

— Blackpoint Cyber (@BlackpointUS) February 1, 2023

[RELATED: Microsoft Really Wants People To Patch Their Exchange Servers]

At the same time, global threat intelligence provider Cyble warned that threat actors are leveraging Microsoft OneNote to infect users.

“Recently, several malware families have been spotted using OneNote attachments in their spam campaigns,” warned Cyble in a blog post. “OneNote is a powerful digital notebook tool offered by Microsoft. It provides users with a centralized location to store their thoughts, ideas, and notes in an organized manner.”

Threat researcher Huntress, meanwhile, warned that is seeing phishing attacks from the Evernote domain, according to CEO Kyle Hanslovan.

Just receive a Microsoft 365 login phish hosted on the legit Evernote domain. Came from a compromised regional account director in the channel and included 148 other major vendors and MSPs/MSSPs.

Statistically, someone on that list is going to fall for this. FML 🤦‍♀️ pic.twitter.com/qSajcik101

— Kyle Hanslovan (@KyleHanslovan) February 1, 2023

CRN reached out to Microsoft and Evernote for a response to the phishing attack but had not heard back at press time.

Both Attacks Are Distinct

Jason Slagle, president of CNWR, a Toledo, Ohio, MSP, said the two phishing attacks are distinct.

“The OneNote attack vector involves an attached document while the Evernote attack is a social engineering attack that comes directly from the Evernnote domain,” he said “These are two different, but both very effective attack vectors. We see attacks like this all the time . It is constant.”

Slagle said the constant attacks force MSPs to always be on guard and to in effect play “whack-a-mole,” knocking back one threat after another.

“There is always money in the banana stand,” joked Slagle referring to a running gag from the “Arrested Development” TV show. “Somedays it does not pay to be an MSP.”

Key to keeping customers safe from attacks is staying on top of the latest threat intelligence, said Slagle. “It pays to follow Kyle and the Huntress team, Blackpoint, CompTIA threat analysts and other threat researchers,” he said.

“These phishing attacks are threats to all of us,” said Slagle. “MSPs continue to be very rich targets because we are a force multiplier for those threat actors. The threat actors are finding new and more creative ways to engage in social engineering attacks.”

The use of legitimate domains that pass email filters continue to be an avenue that MSPs need to be aware of, said Slagle.

As for the impact of the current attacks, Slagle said he and his customers do not use Evernote and use OneNote sparingly.

“We use good credential separation and good conditional access policies which limits our exposure to these threats,” he said. “The biggest issue is providing security awareness training.”

Phising Attacks Are Always A Problem

David Stinner, founder and president of US itek, a Buffalo, N.Y.-based MSP, said phishing attacks are always a problem for MSPs

“Uneducated users are going to be duped from time to time,” he said. “You need to educated users not to click on unknown links. You also need a solid protection plan. We have a robust end user training platform called Breach Secure Now which pushes out weekly training to our users. You need to put the threat of phishing attacks every week.”

US itek also uses allowlisting, which has prevented these types of phishing attacks at its end user sites, said Stinner. “We train our customers over and over not to click on links when they don’t know the sender or when they are not expecting an mail,” he said. “As an MSP you can never tell your client enough times to be aware of these threats.”

Additional Reporting by CRN Associate Editor C.J. Fairfield