OneNote .one attachment → embedded payload → C2
A OneNote .one file with a friendly 'Double-click to view' overlay hides an embedded HTA / VBS / EXE. An effective initial-access vector after Microsoft blocked internet-sourced macros by default in 2022.
§ Context
Assumed environment: target users routinely receive .one attachments (legitimate OneNote usage), and endpoints do not disable embedded files in OneNote (CVE-2024-30050 / Group Policy mitigation).
§ Steps
- 01 Persistence + recon (Persistence, T1547 — Boot or Logon Autostart Execution)
- 02 Stager downloads beacon (Command and Control, T1071 — Application Layer Protocol)
- 03 Email with .one attachment (Initial Access, T1566 — Phishing)
- 04 Victim opens OneNote (Execution, T1204 — User Execution)
- 05 Clicks the deceptive 'View document' button (Execution, PAY-ONENOTE — Malicious OneNote Attachment)
- 06 Embedded HTA / VBS runs (Execution, PAY-HTA-VBS — HTA / VBS / WSF Execution)
§ References
§ Frequently asked
- What is the "OneNote .one attachment → embedded payload → C2" attack path?
- A OneNote .one file with a friendly 'Double-click to view' overlay hides an embedded HTA / VBS / EXE. An effective initial-access vector after Microsoft blocked internet-sourced macros by default in 2022. It chains 6 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Persistence + recon (T1547) — a persistence primitive. Assumed environment: target users routinely receive .one attachments (legitimate OneNote usage).
- What is the final impact of this kill-chain?
- The final step lands on Embedded HTA / VBS runs (PAY-HTA-VBS), which falls under Execution. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Shared techniques: 3
ISO container → LNK → stage from CDN → C2
Email attaches an ISO. Windows mounts it as a drive, bypassing Mark-of-the-Web. LNK inside runs a hidden binary that pulls the real stager from a CDN — Defender often misses the chain.
- Shared techniques: 2
Malicious MCP server → silent supply chain for agent tools
User installs an MCP server marketed as a useful integration. Every subsequent agent session has the rogue server in scope — its tools log prompts, exfil files, or inject responses to bias the agent.
- Shared techniques: 2
V8 type-confusion 1-day → renderer RCE
Public V8 type-confusion turned into a renderer pop. JS triggers JIT into mis-compiling a polymorphic site, addrof/fakeobj primitives, shellcode in a WASM RWX page.
- Shared techniques: 2
Header smuggling → gateway sees vendor, mailbox sees attacker
Crafted RFC-edge headers cause SPF/DMARC to validate against one From while Outlook renders the other — slips past Microsoft Defender / Proofpoint and lands as a 'verified' message.
- Shared techniques: 2
Compromised vendor mailbox → reply-chain phishing → client compromise
Take over a vendor / partner mailbox via AITM phishing. Reply to an existing thread with a malicious link — trust transferred from the genuine prior conversation defeats most user training.
- Shared techniques: 2
Rowhammer → bit flip → in-browser sandbox escape
JavaScript hammers adjacent DRAM rows for tens of seconds; a bit flip in a page-table entry (unlucky for the defender) hands the attacker a write primitive into another mapping. RIDL-class chain to native code.