RedTeam With OneNote
Windows Initial Vector Series

OneNote is one of the Office suite components which is often overlooked when RedTeaming. Though OneNote cannot execute VBA Macros, it has an important potential for phishing as an initial vector.

Article published on 9 August 2022

by Emeric Nasi


License : Copyright Emeric Nasi (@EmericNasi), Lance James, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
Creative Commons License

1. Foreword

OneNote is one of the Office suite components which is often overlooked when RedTeaming. Though OneNote cannot execute VBA Macros, it has an important potential for phishing as an initial vector.

In a nutshell, OneNote:

  • Is not affected by Protected View/ MOTW
  • Allows embedding Malicious Excel/Word/PPT files that will be played without protected view
  • Allows embedding HTA, LNK, EXE files and spoof extensions
  • Allows formatting document in a way user are tricked into opening a malicious file or a link
  • Can be automated using OneNote.Application and XML
  • Is supported by BallisKit MacroPack Pro tool

Note 1: There are several versions of OneNote. In this post we focus on the OneNote desktop App delivered with Office. That version used to be called “OneNote 2016” but since Office 2019 it has been called “OneNote”.
Note 2: Some examples in this document rely on the use of MacroPack Pro which is a commercial tool for RedTeams legal use only. Reading this post, you should be able to reproduce those examples manually even if you don’t have MacroPack Pro.

Let’s review how those work as well as the pros and cons of using a OneNote section as an initial RedTeam payload.

Please open the PDF below to read the full article.