Criminals are spreading QakBot via OneNote files – How to protect yourself
Since the end of 2018, we have been advocating a strict allowlisting approach combined with well thought-out attachment management. As with a firewall, the last rule in the content filter is a so-called “any-any-drop rule”: a small, well-defined set of formats that the company actually needs is allowed as email attachments, and everything else, in particular everything unknown, is not. If you have already implemented this for your company, you have done everything right. Everyone else should urgently put this on the agenda. In the following, we use two examples to show how sensible this implementation is.
From the Swiss army knife for archives…
Your company has probably already had the requirement to create and unpack encrypted ZIP archives. Since this is not possible with the on-board tools of Windows, you quickly end up with tools such as 7z, WinZip or WinRAR, which you then roll out on all desktops. At the same time, you have suddenly brought support for a multitude of exotic archiving formats into your house through the back door.
If you follow a blocklisting approach, you have certainly blocked the new and possibly unwanted formats for your company in the content filter. Right? RAR archives, for example, are very popular with spammers. Have you also put them on the block list? And what about “.r23” or “.r42”, which the new tools can open as well? Or did you have ARJ and ARC on your radar? With an allowlisting approach, you do not even have to try to catch all these new formats in the content filter again, because everything that is not explicitly allowed is already banned automatically.
… to Microsoft OneNote notebooks including QakBot
In mid-January, there was a strong recommendation on Twitter to add “.one” to your blocklist, since most companies running Windows have certainly rolled out Microsoft OneNote on all desktops.
Since January 31, 2023, QakBot has become increasingly active again; it has not only moved away from HTML smuggling but has also jumped on the bandwagon of Microsoft OneNote notebooks. This format is currently being used by various threat actors to distribute malicious code via email. Customers with an allowlisting approach have most likely not noticed this at all.
As usual, these QakBot emails are highly effective as social engineering because they are email reply chain attacks: the fake reply, OneNote notebook included, arrives as a reaction to a real conversation, and the alleged communication partner is usually well known to the recipient.
With a simple string search you can still recognise the social engineering trick in the first OneNote notebooks, which ask users to execute the embedded “attachment.hta”. For detection of the sample, see VirusTotal. At the latest when QakBot is involved, the alarm bells should ring.
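The string search mentioned above, as an added example that is not part of the original post: a minimal `strings`-style extractor run over a constructed OneNote-like blob. The 16-byte header is the MS-ONESTORE `guidFileType` value for `.one` files (assumed here, not stated on the page); the lure text and the embedded file name are constructed to resemble the sample described, and the list of flagged extensions is an assumption of this example.

```python
import re

# Constructed sample: OneNote-like blob. The header is the MS-ONESTORE guidFileType
# for .one files (assumed value); the remainder is filler plus an embedded lure text
# and an embedded file name of the kind described in the post.
ONE_MAGIC = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")
SAMPLE_ONE = (
    ONE_MAGIC
    + b"\x00" * 32
    + b"Double click to view the attachment\x00"
    + b"\x00" * 8
    + b"attachment.hta\x00"
    + b"\x00" * 16
)

# Script/executable names a defender would want flagged inside a notebook (assumption).
EMBEDDED_NAME_RE = re.compile(
    r"[\w\-]+\.(?:hta|vbs|js|wsf|cmd|bat|ps1|exe|dll|lnk)\b", re.IGNORECASE
)


def printable_strings(data, min_len=4):
    """Equivalent of the `strings` tool: runs of printable ASCII of at least min_len."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage_onenote(data):
    """Header check plus string extraction; returns what an analyst would look at first."""
    is_one = data[:16] == ONE_MAGIC
    strs = printable_strings(data)
    flagged = [m.group(0) for s in strs for m in EMBEDDED_NAME_RE.finditer(s)]
    return {"is_onenote": is_one, "strings": strs, "flagged": flagged}


if __name__ == "__main__":
    result = triage_onenote(SAMPLE_ONE)
    print("OneNote header:", result["is_onenote"])
    for s in result["strings"]:
        print("  ", s)
    print("flagged embedded names:", result["flagged"])
```

The header check only tells you the file really is a OneNote notebook; the flagged names are what justify a closer look, and a notebook that carries an `.hta` next to a “double click to view” lure is exactly the pattern described above.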
Content filter for handling direct OneNote attachments
The content filter in NoSpamProxy can be used to filter OneNote attachments easily.
Select “General binary file” as the file type and restrict the file name to the pattern “*.one”.
In the actions, you then ideally select the option to reject the entire email. Alternatively, the OneNote attachments can be moved to the NoSpamProxy Web Portal or removed from the email.
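To make the difference between the two approaches concrete, here is an added example that is not NoSpamProxy code: a small top-down rule evaluator with a final any-any rule, run once as a blocklist and once as an allowlist over constructed attachments, including the exotic archive extensions from the first section and a `*.one` name pattern like the one configured above. The allowed formats, the blocklist entries and the magic-byte table are assumptions of this example (the OneNote header value is the MS-ONESTORE `guidFileType` for `.one` files, assumed here); the allowlist additionally verifies that the content matches the extension before trusting the name.

```python
import fnmatch

ONE_MAGIC = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")

# Expected leading bytes for the formats this filter can verify (constructed table;
# the OneNote value is the MS-ONESTORE guidFileType for .one files, assumed here).
EXPECTED_MAGIC = {
    "pdf": b"%PDF-",
    "docx": b"PK\x03\x04",
    "xlsx": b"PK\x03\x04",
    "zip": b"PK\x03\x04",
    "one": ONE_MAGIC,
}

# Rules are evaluated top-down, first match wins, like a firewall policy.
# Allowlist: the few formats the company needs (assumed policy), then any-any-drop.
ALLOWLIST_RULES = [
    ("*.pdf", "allow"), ("*.docx", "allow"), ("*.xlsx", "allow"), ("*.zip", "allow"),
    ("*", "drop"),
]
# Blocklist: what has been noticed so far (assumed), then any-any-allow.
BLOCKLIST_RULES = [
    ("*.exe", "drop"), ("*.rar", "drop"), ("*.one", "drop"), ("*.hta", "drop"),
    ("*", "allow"),
]


def extension(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def evaluate(rules, filename, data):
    """Return (action, reason) for one attachment under the given rule set."""
    name = filename.lower()
    for pattern, action in rules:
        if fnmatch.fnmatchcase(name, pattern.lower()):
            break
    else:
        return ("drop", "no rule matched")
    if action == "drop":
        return ("drop", f"rule {pattern}")
    # The name is allowed; verify that the content agrees before trusting the extension.
    expected = EXPECTED_MAGIC.get(extension(name))
    if expected is not None and not data.startswith(expected):
        return ("drop", f"content does not look like .{extension(name)}")
    return ("allow", f"rule {pattern}")


# Constructed sample attachments: (name, first bytes of content).
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.7\n"),
    ("archive.r23", b"Rar!\x1a\x07\x00"),          # RAR part that 7z/WinRAR open
    ("data.arj", b"\x60\xea\x00\x00"),              # ARJ archive
    ("notes.one", ONE_MAGIC + b"\x00" * 16),        # OneNote notebook
    ("report.pdf", ONE_MAGIC + b"\x00" * 16),       # OneNote notebook renamed to .pdf
]


def run(rules):
    """Map each sample name to the action the rule set takes on it."""
    return {name: evaluate(rules, name, data)[0] for name, data in SAMPLES}


if __name__ == "__main__":
    for label, rules in (("blocklist", BLOCKLIST_RULES), ("allowlist", ALLOWLIST_RULES)):
        print(label)
        for name, data in SAMPLES:
            print("  ", name, evaluate(rules, name, data))
```

With the blocklist, `archive.r23` and `data.arj` pass because nobody has added those extensions yet; with the allowlist they are dropped by the final rule without anyone having to know they exist. The renamed notebook is dropped in both runs only because the content check refuses a `.pdf` whose bytes are not a PDF, which is the check worth keeping regardless of the approach.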
Recommendations for the switch to an allowlisting approach
As part of a change management process, you can use NoSpamProxy Disclaimer, for example, to inform your partners and customers in advance about the upcoming changes in content filtering. Some NoSpamProxy customers already inform about the allowed attachment formats on their website under “Imprint/Contact”. This is a good way to document something like this for new partners and customers. Then they do not have to learn what is allowed and what is not in a trial-and-error process.
Spammers will probably discover other file formats for sending malicious code this year – especially since Microsoft has been slowly putting a stop to Office macros since last year.
However, to finally move away from a reactive approach in this game and bring some proactivity into your own actions, you should consider an allowlisting approach as part of intelligent attachment management.
You would like to protect yourself from QakBot and are not yet using NoSpamProxy?
With NoSpamProxy you can reliably protect your company against cyber attacks. Request your free trial version now!