In this attack, the email was crafted to look like a settlement document that was being shared by an external party. The email asked the recipient to review the attached document and respond with any questions before a check is mailed. The attachment, named paysliponenote[.]one, was actually a malicious OneNote document that would have infected the recipient’s computer with malware had it been opened. The email was sent from an email address hosted on a domain registered by the attacker shortly before the attack.


How Does This Attack Bypass Email Defenses?

IOCs associated with the attachment, such as its file hash, had not previously been detected as malicious, allowing it to bypass traditional tools that rely on known-bad indicators. The domain hosting the attacker’s email address was valid and had not previously been flagged as being used for malicious purposes.

How Can This Attack Be Detected?

Attachments with the OneNote file extension (.ONE) have become an increasingly popular way for threat actors to deliver malicious payloads. The domain used by the attacker to send the email was registered shortly before the email was sent, indicating its potential use for malicious purposes.
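
The two signals described above can be combined in a simple mail-filter check. The following is an added example, not part of the original write-up: the 30-day threshold, the sender address, the dates and the registration table (a stand-in for a WHOIS/RDAP lookup) are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

NEW_DOMAIN_WINDOW = timedelta(days=30)  # assumed threshold for "registered shortly before"

# Constructed sample message; sender, domain and dates are made up for illustration.
SAMPLE_EML = """\
From: Settlements <claims@settlement-docs.example>
To: victim@corp.example
Subject: Settlement document for review
Date: Tue, 14 Feb 2023 09:12:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached document before the check is mailed.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="paysliponenote.one"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed registration dates standing in for a WHOIS/RDAP lookup.
SAMPLE_REGISTRATIONS = {"settlement-docs.example": datetime(2023, 2, 10, tzinfo=timezone.utc)}

def score_message(raw, registrations, window=NEW_DOMAIN_WINDOW):
    """Return the list of signals that fired for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    signals = []
    # Signal 1: any attachment whose filename ends in .one (case-insensitive).
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().rstrip(". ").endswith(".one"):
            signals.append("onenote_attachment:" + name)
    # Signal 2: sender domain registered within `window` before the send time.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    sent = parsedate_to_datetime(msg["Date"])
    created = registrations.get(domain)
    if created is not None and timedelta(0) <= sent - created <= window:
        signals.append("new_sender_domain:" + domain)
    return signals
```

Neither signal is conclusive on its own; the message in this attack stands out because both fire together.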

What are the Risks of This Attack?

If the target clicks on the link in the email, malware will be downloaded to their computer. Once the malware is installed, attackers can perform a variety of malicious actions, including escalating the compromise into a ransomware attack.

Analysis Overview




Malware Delivery


Maliciously Registered Domain


Fake Document

Impersonated Party: External Party - Other
