Criminals are spreading QakBot via OneNote files – How to protect yourself

Author: Micha Pekrul, SaaS Platform Manager (https://www.linkedin.com/in/micha-pekrul/)

Since the end of 2018, we have been advocating a strict allowlisting approach in conjunction with well thought-out attachment management. As with a firewall, the lowest rule in the content filter is a so-called “any-any-drop rule”. Above it, a small set of clearly defined formats that the company actually needs is allowed as email attachments. Everything else – and especially the unknown part – is not. If you have already implemented this for your company, you have done everything right. Everyone else should urgently think about putting this on the agenda. In the following, we use two examples to show how sensible this implementation is.

13.02.2023|Last edited:13.02.2023

From the Swiss army knife for archives…

Your company has probably already had the requirement to create and unpack encrypted ZIP archives. Since this is not possible with the built-in tools of Windows, you quickly end up with tools such as 7z, WinZip or WinRAR, which you then roll out on all desktops. At the same time, you have suddenly brought support for a multitude of exotic archive formats into your house through the back door.

If you follow a blocklisting approach, you have certainly blocked the new and possibly unwanted formats for your company in the content filter. Right? RAR archives, for example, are very popular with spammers. Have you then also put them on the block list? And what about “.r23” or “.r42”, the parts of a multi-volume RAR archive, which can also be opened with the new tools? Or did you have ARJ and ARC on your radar? With an allowlisting approach, you don’t even have to try to catch all these new formats in the content filter, because everything that is not explicitly allowed is already banned automatically.

… to Microsoft OneNote notebooks including QakBot

In mid-January, there was a strong recommendation on Twitter to add “.one” to the blocklist. Most companies running Windows have certainly rolled out Microsoft OneNote on all desktops:

Figure: QakBot OneNote filter recommendation (Source: Twitter)

Since January 31, 2023, QakBot has become increasingly active again and has not only abandoned HTML smuggling, but has also jumped on the bandwagon with Microsoft OneNote notebooks. This format is currently being used by various threat actors to distribute malicious code via email. Customers with an allowlisting approach have most likely not noticed this at all.

As usual, these QakBot emails are highly effective in their social engineering as email reply-chain attacks: the fake reply, including the OneNote notebook, arrives as a reaction to a real communication, and the alleged communication partner is usually also very well known to the recipient.

Figure: QakBot email file insight

With a simple ‘strings’ run you can still recognise the social engineering trick in the first OneNote notebooks, in which users are asked to execute the embedded “attachment.hta”. For detection of the sample, see VirusTotal. At the latest when QakBot is involved, the alarm bells should ring.
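The ‘strings’ triage just described can be scripted for bulk checks of quarantined notebooks. The following is an added example and not code from the post or from NoSpamProxy: it extracts printable ASCII and UTF‑16LE strings from a file and flags tokens that look like embedded script or executable names such as “attachment.hta”. The sample bytes are constructed; the OneNote header GUID is the guidFileType value from MS-ONESTORE as I recall it, so verify it against the specification before relying on it.

```python
import re

# File-name suffixes whose presence inside a OneNote notebook warrants a closer look.
SUSPICIOUS_EXT = (".hta", ".js", ".jse", ".vbs", ".wsf", ".exe", ".bat", ".cmd", ".ps1")

# guidFileType header of a OneNote section file per MS-ONESTORE (assumption, from memory).
ONENOTE_MAGIC = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")


def is_onenote(data: bytes) -> bool:
    """True if the buffer starts with the OneNote section-file header."""
    return data.startswith(ONENOTE_MAGIC)


def printable_strings(data: bytes, min_len: int = 4):
    """Yield printable runs like `strings -a` would, in ASCII and UTF-16LE."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group().decode("utf-16-le")


def find_embedded_filenames(data: bytes) -> list:
    """Return sorted, unique tokens that end in one of SUSPICIOUS_EXT."""
    hits = set()
    for s in printable_strings(data):
        for token in s.split():
            if token.lower().endswith(SUSPICIOUS_EXT):
                hits.add(token)
    return sorted(hits)


# Constructed stand-in for a malicious notebook: header, a lure text shown to the
# user, and the embedded file name stored as UTF-16LE (not a real sample).
SAMPLE = (
    ONENOTE_MAGIC
    + b"\x00" * 32
    + b"Double-click to view the attachment"
    + b"\x00" * 8
    + "attachment.hta".encode("utf-16-le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    print("OneNote header:", is_onenote(SAMPLE))
    print("embedded names:", find_embedded_filenames(SAMPLE))
```

Run it over a directory of quarantined attachments and any non-empty result from `find_embedded_filenames` is a candidate for manual review; a `.one` file that is not actually a OneNote section (header mismatch) is just as interesting.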

Content filter for handling direct OneNote attachments

The content filter in NoSpamProxy can be used to filter OneNote attachments easily.

Figure: Content filter entry blocking OneNote attachments

Select “General binary file” as the file type and restrict the file name to the pattern “*.one”.

In the actions, you then ideally select the option to reject the entire email. Alternatively, the OneNote attachments can be moved to the NoSpamProxy Web Portal or removed from the email.
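To make the difference between the two filtering models concrete, here is an added example (not NoSpamProxy code) of an attachment policy evaluated both ways: a grown blocklist, and an allowlist whose implicit last rule is “any-any-drop”. It also checks that an allowed file name carries matching content, and models the explicit “*.one” rule from above. Attachment names and content are constructed; the OneNote signature is the MS-ONESTORE guidFileType value as I recall it (verify before production use).

```python
import fnmatch
from dataclasses import dataclass


@dataclass
class Attachment:
    name: str    # file name as declared in the MIME part
    head: bytes  # first bytes of the decoded content


# Content signatures used to verify that bytes match the claimed type.
# OneNote value: guidFileType header from MS-ONESTORE (assumption, from memory).
SIGNATURES = {
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
    "rar": b"Rar!\x1a\x07",
    "onenote": bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3"),
}


def sniff(head: bytes) -> str:
    """Return the detected format, or 'binary' if no known signature matches."""
    for fmt, sig in SIGNATURES.items():
        if head.startswith(sig):
            return fmt
    return "binary"


# Allowlist: name pattern -> format the content must sniff as (None = name only).
ALLOWED = {"*.pdf": "pdf", "*.zip": "zip", "*.txt": None}

# A blocklist as it might have grown before 7z/WinRAR were rolled out.
BLOCKED = ["*.exe", "*.rar", "*.js", "*.hta"]


def allowlist_decision(att: Attachment) -> tuple:
    """Everything not explicitly allowed is dropped; allowed names must match content."""
    for pattern, expected in ALLOWED.items():
        if fnmatch.fnmatch(att.name.lower(), pattern):
            if expected is None or sniff(att.head) == expected:
                return ("accept", f"matches {pattern}")
            return ("reject", f"{att.name} claims {pattern} but content is {sniff(att.head)}")
    return ("reject", f"{att.name} not on allowlist (any-any-drop)")


def blocklist_decision(att: Attachment) -> tuple:
    """Only names matching a blocked pattern are dropped; the unknown passes."""
    for pattern in BLOCKED:
        if fnmatch.fnmatch(att.name.lower(), pattern):
            return ("reject", f"matches blocked {pattern}")
    return ("accept", "not blocked")


def onenote_rule(att: Attachment) -> bool:
    """The explicit rule from the post: 'General binary file' restricted to '*.one'."""
    return sniff(att.head) in ("binary", "onenote") and fnmatch.fnmatch(att.name.lower(), "*.one")


# Constructed test attachments (not real samples).
SAMPLES = [
    Attachment("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
    Attachment("archive.r23", b"Rar!\x1a\x07\x01\x00"),            # multi-volume RAR part
    Attachment("notes.one", SIGNATURES["onenote"] + b"\x00" * 8),  # OneNote notebook
    Attachment("report.pdf", b"Rar!\x1a\x07\x01\x00"),             # RAR renamed to .pdf
]


def compare(samples=SAMPLES) -> dict:
    """Map each name to (blocklist action, allowlist action)."""
    return {a.name: (blocklist_decision(a)[0], allowlist_decision(a)[0]) for a in samples}


if __name__ == "__main__":
    for name, (bl, al) in compare().items():
        print(f"{name:12} blocklist={bl:7} allowlist={al}")
```

Running it shows the blocklist accepting the split RAR volume, the OneNote notebook and the renamed RAR, while the allowlist rejects all three without any rule ever having been written for them; only the known PDF passes both.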

Recommendations for the switch to an allowlisting approach

As part of a change management process, you can use NoSpamProxy Disclaimer, for example, to inform your partners and customers in advance about the upcoming changes in content filtering. Some NoSpamProxy customers already list the allowed attachment formats on their website under “Imprint/Contact”. This is a good way to document the policy for new partners and customers, who then do not have to learn what is allowed and what is not by trial and error.

Outlook

Spammers will probably discover other file formats for sending malicious code this year – especially since Microsoft has been slowly putting a stop to Office macros since last year.

However, in order to finally move away from a reactive approach in this game and bring some proactivity into one’s own actions, one should consider an allowlisting approach as part of intelligent attachment management.

You would like to protect yourself from QakBot and are not yet using NoSpamProxy?

With NoSpamProxy you can reliably protect your company against cyber attacks. Request your free trial version now!
