Breaking Down the Evolution of Ransomware Droppers Using Qakbot’s Use of OneNote as the Example

Webinar Registration

Say it with me: The malicious macro is dead! As Microsoft has shut the door on the use of macros by default, cybercriminals have had to evolve their tactics, finding ways to trick phishing victims into engaging with a dropper. One of the latest, and most ingenious, is the use of OneNote files as the attachment. Sure, no one in their right mind should believe that someone is going to send them a OneNote file in an email, but recent attack reports make it clear that users just aren’t paying attention, making OneNote just as viable a malicious dropper as any other attachment type.

But how powerful is this dropper compared to other attachment-based droppers, such as macros and actual scripting code (e.g., VB and Java)?

In this Real Training for Free session, 4-time Microsoft MVP Nick Cavalancia takes my seat as he first discusses:

  • A brief history of droppers and previous methods used
  • Why the shift to OneNote and what does it mean for the future?
  • Mapping this part of the attack to the MITRE ATT&CK Framework

Next up, you’ll hear from Thomas Elkins, Detection & Response Analyst at Rapid7, who will discuss two cases of Qakbot’s recent use of OneNote within phishing emails, breaking down the DLL that is used at this phase of the attack. He will also point out practical indicators of compromise from this type of attack.

You’ll also hear from Ted Samuels, Lead Incident Response Consultant at Rapid7, who will walk a bit further into these attacks, discussing lateral movement techniques used by Black Basta affiliates, including AD Certificate Services certificate forging.

This Real Training for Free session is full of practical real-world educational content. Register now!
