UNIT42 Abuse Microsoft One Note Files On The Rise
Query
// UNIT42 - Abuse Microsoft OneNote files on the rise
// https://www.linkedin.com/posts/activity-7199081015439495168-zjvc/
// Analyzing onenote files sent into your tenant as email attachment.
EmailAttachmentInfo
| where TimeGenerated > ago(90d)
| where FileType=="one;onenote"
| join EmailEvents on NetworkMessageId
// MITRE ATT&CK Mapping
// T1566.001 - Phishing: Spearphishing Attachment:
// This technique involves adversaries sending emails with malicious attachments to gain access to victim systems. Your query filters for specific file types in email attachments, which can be used to detect spearphishing attempts.
// T1071.003 - Application Layer Protocol: Mail Protocols:
// This technique involves using email protocols for command and control. By joining email events, your query can help identify suspicious email activities that might be part of a command and control operation.
// T1114.002 - Email Collection: Remote Email Collection:
// This technique involves adversaries collecting emails from remote servers. Your query can help detect unusual email attachment activities that might indicate email collection efforts.Explanation
This query is designed to analyze Microsoft OneNote files that have been sent as email attachments to your organization's email system over the past 90 days. It specifically looks for OneNote files by filtering attachments with the file type "one;onenote" and then joins this data with email event logs to provide more context.
The query is mapped to three MITRE ATT&CK techniques:
-
T1566.001 - Phishing: Spearphishing Attachment: The query helps identify potential spearphishing attempts by detecting emails with OneNote attachments, which could be used by attackers to deliver malicious content.
-
T1071.003 - Application Layer Protocol: Mail Protocols: By joining email events, the query aids in identifying suspicious email activities that might be part of a command and control operation using email protocols.
-
T1114.002 - Email Collection: Remote Email Collection: The query can also help detect unusual activities involving email attachments, which might indicate attempts to collect emails from remote servers.
Overall, this query is a tool for detecting and analyzing potentially malicious activities involving OneNote file attachments in emails.
