Zero-Trust Detections: How Askedam Protects Customers from the New OneNote Campaign

In the last couple of weeks, we have observed a new attack method in which threat actors abuse the Microsoft OneNote application by weaponizing documents with embedded malicious code. Qakbot threat actors are mass-distributing malicious spam emails carrying “.ONE” (OneNote document) files. We have also observed that the IcedID and Bumblebee threat actors have switched to malicious OneNote lures.

Askedam provides comprehensive visibility and protection across all attack vectors, with fully automated response workflows throughout the entire environment, all backed by a 24/7 MDR service.

Askedam’s endpoint protection platform (EPP) detects and prevents a wide range of threats, covering many different tactics, techniques, and procedures (TTPs).

Askedam’s Orion Threat Research Team combats threat actors with two layers of detections, enabling Askedam EPP to protect our customers from both well-known threats and Zero-Day attacks. The first is Cyber Threat Intelligence (CTI), which detects and prevents known threat actors and their TTPs. The second is Zero-Trust logic.

The Zero-Trust logic is based on deep research into how the operating system and different trusted applications behave. By practicing “Know Good, Detect Evil”, we can detect the newest attacks in the wild.

The main difference between CTI logic and Zero-Trust logic is that CTI forbids specific known-bad activities, whereas Zero-Trust allows only known-legitimate activities. Accordingly, any other activity is treated as unauthorized.
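To make the contrast concrete, here is an added example (not Askedam’s own rule set) that applies both layers to constructed process-creation events whose parent is OneNote: the CTI deny-list only fires on child names it already knows, while the Zero-Trust allow-list flags anything outside a known-good baseline. The deny-list, the allow-list and the sample events are all constructed assumptions for illustration.

```python
"""Contrast CTI deny-list logic with Zero-Trust 'Know Good, Detect Evil' logic
on process-creation events whose parent is Microsoft OneNote.

Example code written for this article; the lists below are constructed
illustrations, not a vendor's actual rules or a tuned production baseline."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# CTI logic: forbid specific, already-known-bad child processes (constructed list).
CTI_DENIED_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Zero-Trust logic: allow only the children seen during legitimate OneNote use
# (constructed baseline; a real one is built from your own fleet's telemetry).
ZT_KNOWN_GOOD_CHILDREN = {"onenote.exe", "onenotem.exe", "splwow64.exe"}

@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the newly created process

def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def cti_verdict(ev: ProcessEvent) -> str:
    """Deny-list: alert only when the child is a known-bad name."""
    if _basename(ev.parent_image) != "onenote.exe":
        return "ignore"
    return "alert" if _basename(ev.image) in CTI_DENIED_CHILDREN else "allow"

def zero_trust_verdict(ev: ProcessEvent) -> str:
    """Allow-list: anything OneNote spawns outside the known-good set is unauthorized."""
    if _basename(ev.parent_image) != "onenote.exe":
        return "ignore"
    return "allow" if _basename(ev.image) in ZT_KNOWN_GOOD_CHILDREN else "alert"

# Constructed sample telemetry (paths and names are illustrative).
ONENOTE = r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"
SAMPLE_EVENTS = [
    ProcessEvent(ONENOTE, r"C:\Windows\splwow64.exe"),             # printing: legitimate
    ProcessEvent(ONENOTE, r"C:\Windows\System32\cmd.exe"),         # both layers alert
    ProcessEvent(ONENOTE, r"C:\Users\Public\unlisted-helper.exe"), # only Zero-Trust alerts
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),  # not OneNote
]

def compare(events=SAMPLE_EVENTS) -> list[tuple[str, str, str]]:
    """Return (child name, CTI verdict, Zero-Trust verdict) for each event."""
    return [(_basename(e.image), cti_verdict(e), zero_trust_verdict(e)) for e in events]

if __name__ == "__main__":
    for row in compare():
        print("%-22s CTI=%-6s ZeroTrust=%s" % row)
```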

Threat actor groups rapidly change their TTPs to evade and bypass security vendors. In the last year, we have noticed such adaptations in reaction to updates by Microsoft, for example after the company announced, “We’re changing the default behavior of Office applications to block macros in files from the internet”. According to BleepingComputer, “A free unofficial patch has been released through the patch platform to address an actively exploited zero-day flaw in the Windows Mark of the Web (MotW) security mechanism.”

Top initial attack methods used by threat actors:

  • Weaponized Office documents (Word, Excel, PowerPoint) with VBA or Excel 4.0 (XLM) macros
  • HTML Smuggling lures (Obfuscated Files or Information: HTML Smuggling, T1027.006)
  • ISO, IMG, and VHD disk image files (Subvert Trust Controls: Mark-of-the-Web Bypass, T1553.005)

Top malware deployed by threat actors:

  • Emotet
    • Details: “New Wave of Emotet – When Project X Turns Into Y”
  • Qakbot
    • Details: “Orion Threat Alert: Qakbot TTPs Arsenal and the Black Basta Ransomware”
  • IcedID (a.k.a. BokBot)
    • Details: “Shelob Moonlight – Spinning a Larger Web”
  • Bumblebee
    • Details: “Orion Threat Alert: Flight of the BumbleBee”
  • Ursnif (a.k.a. Gozi)
    • Details: “The Ursnif Trojan: An Attack Overview and Zoom-In on New Variant”