
Tales from the SOC: OneNote MalSpam – Detection & response

This blog was co-written with Kristen Perreault – Professional Cybersecurity and James Rodriguez – Sr. Specialist Cybersecurity.

Executive summary

Since December 22nd, 2022, there has been an increase in malware delivered by phishing emails carrying a OneNote (.one) attachment. As with most phishing emails, the end user opens the attachment, but unlike Microsoft Word or Microsoft Excel, OneNote does not support macros, which is how threat actors previously launched the scripts that install malware. Instead, the attachment carries an embedded script or executable that runs when the user clicks it.

Little has been documented about the tactics, techniques, and procedures (TTPs) observed in these attacks. Among the TTPs observed were executions of powershell.exe and curl.exe once the hidden object was run. When the hidden executable was clicked, a connection was made to an external site to attempt to download and execute malware. Once executed, the attacker drops additional malicious files and collects internal information from within the organization. In this case, the malicious files were detected and mitigated by SentinelOne.


Initial Alarm Review

Indicators of Compromise (IOC)

The initial alarm came in for malware detected by SentinelOne: a file of type .one. The file having been sourced from Outlook indicated that this was likely a phishing email. Shortly after receiving the initial alarm, the MES SOC Threat Hunters (SECTOR Team) were alerted by a customer experiencing this activity and began their deep dive. Looking up the file hash obtained from the SentinelOne event uncovered no discernible information about the file's purpose. This prompted SECTOR to use Deep Visibility to gain further insight into the process and purpose of the detected file.

Deep Visibility is a feature within SentinelOne that provides comprehensive insight into the actions and behaviors of threats within a network environment. It allows security teams, such as SECTOR, to investigate and respond to threats by exposing processes, network connections, and file activity. It is an extremely powerful tool in SentinelOne and is commonly used during the incident response process.

[Image: Deep Visibility in SentinelOne (redacted)]

Expanded investigation

Events Search

A search string was created for Deep Visibility that included the file name and associated file hashes. An event was found in SentinelOne that included a curl.exe process reaching the external domain minaato[.]com. On further review, the domain was determined to be a file sharing site, and additional malicious indicators were uncovered. Analyzing the DNS request to minaato[.]com showed events with the source process mshta.exe, the target process curl.exe, and the parent process onenote.exe. This chain of processes was the heuristic (behavioral) attribute that prompted SentinelOne to fire an alert. Using these TTPs and the source processes already seen, a new query was generated to find any other file producing the same activity. This led SECTOR to detect another file, Cancellation[.]one.

Event Deep Dive

SECTOR began their event deep dive with an initial IOC-based search query that included the file name and the domain that generated the outbound network connections.

Pivoting off the results of the initial IOC-based search query, SECTOR created a secondary search query that included the additional file names, domains, and hashes that had been found. These IOCs had not previously been seen in the wild; once found, SECTOR provided them to the AT&T Alien Labs team for additional detection engines, correlation rules, and OTX (AT&T Open Threat Exchange platform) pulse updates.

After gathering all of the IOCs, a third, heuristic-based search query was created. This query aimed to find any remaining events related to the malware that SentinelOne might not have alerted on, since the product primarily focuses on execution-based activity rather than behavior-based activity. This demonstrates the importance of threat hunting in conjunction with SentinelOne's Deep Visibility feature for enhanced protection.

[Image: SECTOR working]

In the final stage of the event search, SECTOR created a final heuristic search query that detected any outreach to a domain with the same behavioral attributes observed in this environment. Although the results contained false positives, they were able to sift through them and find an event where the "ping.exe" command successfully communicated with the malicious domain "minaato[.]com". SentinelOne did not alert on this activity because ping.exe is a common process execution; it was the parent chain, not the binary, that made it suspicious.
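The process-chain heuristic described above (onenote.exe as the ancestor of mshta.exe and curl.exe, and the ping.exe outreach that the EDR treated as routine) can be expressed as a small hunt over process-creation and DNS telemetry. The following is an added example in Python, not the SECTOR team's query and not SentinelOne's Deep Visibility syntax; the process table, PIDs and DNS events are constructed for illustration, and the LOLBin list is an assumption that extends the page's mshta.exe/curl.exe/ping.exe observations with other commonly abused Windows binaries.

```python
"""Behavioral hunt for the onenote.exe -> LOLBin -> network chain, written in
Python over constructed endpoint telemetry. Added example; it is not the SOC's
own query and not SentinelOne Deep Visibility syntax."""

# Living-off-the-land binaries treated as suspicious when they run under OneNote.
# Assumption: the page only observed mshta.exe, curl.exe and ping.exe; the rest
# are added here as commonly abused Windows binaries.
LOLBINS = {"mshta.exe", "curl.exe", "ping.exe", "powershell.exe",
           "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed process-creation events: (pid, ppid, image).
SAMPLE_PROCESSES = [
    (100, 1,   "explorer.exe"),
    (200, 100, "outlook.exe"),
    (300, 200, "onenote.exe"),     # user opened the .one attachment from the mail client
    (400, 300, "mshta.exe"),       # embedded HTA launched from the OneNote page
    (500, 400, "curl.exe"),        # downloader spawned by the HTA
    (600, 300, "ping.exe"),        # connectivity check the EDR did not alert on
    (700, 100, "powershell.exe"),  # benign admin script, not under OneNote
    (800, 700, "curl.exe"),        # benign download by that script
]

# Constructed DNS events: (pid, queried domain).
SAMPLE_DNS = [
    (500, "minaato.com"),
    (600, "minaato.com"),
    (800, "updates.example.com"),
]


def build_index(processes):
    """Map pid -> (ppid, image) with image names normalised to lower case."""
    return {pid: (ppid, image.lower()) for pid, ppid, image in processes}


def ancestry(pid, index):
    """Image names from pid up to the root, child first, e.g.
    ['curl.exe', 'mshta.exe', 'onenote.exe', 'outlook.exe', 'explorer.exe'].
    A visited set guards against corrupted telemetry with parent cycles."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        ppid, image = index[pid]
        chain.append(image)
        pid = ppid
    return chain


def hunt(processes, dns_events, root_image="onenote.exe", lolbins=LOLBINS):
    """Flag every network-active process that is a LOLBin descending from
    root_image, regardless of how many hops sit between them. Findings are
    ordered by pid; 'chain' is rendered child <- ... <- root."""
    index = build_index(processes)
    findings = []
    for pid, domain in sorted(dns_events):
        chain = ancestry(pid, index)
        if not chain or chain[0] not in lolbins:
            continue
        if root_image not in chain[1:]:
            continue
        depth = chain.index(root_image)
        findings.append({"pid": pid, "domain": domain,
                         "chain": " <- ".join(chain[:depth + 1])})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_PROCESSES, SAMPLE_DNS):
        print(f"pid {finding['pid']}: {finding['chain']} -> {finding['domain']}")
```

Matching on the ancestor chain rather than on the binary is what recovers the ping.exe event: the benign curl.exe under powershell.exe is ignored, while both minaato.com lookups under onenote.exe are flagged. In a real hunt the false positives the text mentions would come from legitimate OneNote add-ins and helper processes, so the LOLBin list and root image should be tuned to the environment.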

[Image: heuristic query]


Building the Investigation

After gathering all necessary information and event findings, SECTOR was able to pull the malicious OneNote file and detonate it in their sandbox environment. They could then see that once the file was opened, the malicious link was hidden under an overlaid stock Microsoft image that asked the user to click Open. Clicking it took the user to the malicious domain, minaato[.]com.
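Detonation showed the link hidden under a decoy image; the same payload can usually be found statically, because a .one file stores embedded objects as FileDataStoreObject records (MS-ONESTORE) whose header GUID and length field make them easy to carve. The example below is added here and is not the SOC's tooling; the blob it parses is constructed (a placeholder PNG followed by a placeholder HTA), not the Cancellation.one sample, and the classification by magic bytes is a deliberately simple heuristic written for this example.

```python
"""Static triage of a .one attachment: carve embedded FileDataStoreObject
records (MS-ONESTORE) and classify each payload by its leading bytes.
Added example, not the SOC's tooling; the sample blob below is constructed."""
import struct
import uuid

# MS-ONESTORE constants, serialised little-endian as they appear on disk.
ONE_FILE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le  # guidFileType of .one
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le    # FileDataStoreObject.guidHeader
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le    # FileDataStoreObject.guidFooter
FDSO_HDR_LEN = 16 + 8 + 4 + 8  # guidHeader, cbLength (uint64), unused, reserved

SUSPICIOUS_KINDS = {"pe", "hta/html", "script"}


def carve_embedded_files(blob: bytes):
    """Yield (offset, payload) for each FileDataStoreObject in blob.
    Stops at a record whose declared length runs past the end of the data,
    which is what a truncated or deliberately malformed sample looks like."""
    pos = 0
    while True:
        pos = blob.find(FDSO_HEADER, pos)
        if pos < 0 or pos + FDSO_HDR_LEN > len(blob):
            return
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + FDSO_HDR_LEN
        end = start + length
        if end > len(blob):
            return
        yield pos, blob[start:end]
        pos = end


def classify(payload: bytes) -> str:
    """Coarse file-type guess from leading bytes; 'unknown' for anything else."""
    if payload[:2] == b"MZ":
        return "pe"
    if payload[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if payload[:3] == b"\xff\xd8\xff":
        return "jpeg"
    head = payload[:64].lstrip().lower()
    if head.startswith((b"<html", b"<!doctype", b"<script", b"<hta:")):
        return "hta/html"
    if head.startswith((b"@echo", b"powershell", b"cmd ", b"wscript", b"cscript")):
        return "script"
    return "unknown"


def triage(blob: bytes) -> list:
    """List every embedded object with its type and whether it warrants a closer look."""
    findings = []
    for offset, payload in carve_embedded_files(blob):
        kind = classify(payload)
        findings.append({"offset": offset, "size": len(payload), "kind": kind,
                         "suspicious": kind in SUSPICIOUS_KINDS})
    return findings


def _fdso(payload: bytes) -> bytes:
    """Wrap payload as a FileDataStoreObject; used only to build the constructed sample."""
    pad = (-len(payload)) % 8  # zero padding up to an 8-byte boundary before the footer
    return (FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12
            + payload + b"\0" * pad + FDSO_FOOTER)


# Constructed stand-in for the attachment: file magic, a decoy image (the
# "click to open" overlay) and the HTA it conceals. Neither payload is real content.
DECOY_PNG = b"\x89PNG\r\n\x1a\n" + b"\0" * 40
HIDDEN_HTA = b'<html><script language="vbscript">\' constructed placeholder body\n</script></html>'
SAMPLE_ONE = ONE_FILE_MAGIC + b"\0" * 48 + _fdso(DECOY_PNG) + b"\0" * 17 + _fdso(HIDDEN_HTA)


if __name__ == "__main__":
    for finding in triage(SAMPLE_ONE):
        print(finding)
```

Carving by header GUID rather than parsing the full object tree is what makes this usable on a suspicious attachment in minutes: the decoy image and the concealed HTA come out as separate records, and the HTA can then be hashed and added to the IOC list before any detonation. The length check matters because an attacker can put an oversized cbLength in a record to crash naive extractors.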

SECTOR provided all data gathered from this threat hunt to the affected customers and to fellow cybersecurity teams within AT&T for situational awareness.

Customer interaction

The affected customers were given remediation steps based on the specific activity they experienced with this malware. Some of them were successfully compromised, while others avoided any execution or downloads associated with the malware itself. The remediation steps included removing all malicious files from the affected devices, resetting all user passwords as a best practice, scanning assets to ensure no further unauthorized or malicious activity was occurring in the background, globally blocking all IOCs, and implementing block rules on their firewalls.


IOC Type (the values themselves are not reproduced on this page)

File Name
File Name
File Hash (MD5)
File Hash (SHA1)
File Hash (SHA1)
File Hash (SHA1)
File Hash (SHA256)
Domain Name
Domain Name
Domain Name
Domain Name

