PAY-ONENOTEExecution

Malicious OneNote Attachment

OneNote .one files allow embedded executables behind 'Double-click to view' graphics — a popular post-macro initial access vector.

§ Where this technique fits

PAY-ONENOTE is catalogued under the Execution tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

OneNote .one attachment → embedded payload → C2
OneNote .one file with a friendly 'Double-click to view' overlay hides an embedded HTA / VBS / EXE. Effective initial access vector after Microsoft blocked internet macros in 2022.
step 3 / 6

§ What commonly comes next

01
HTA / VBS / WSF Execution
PAY-HTA-VBS · Execution
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

OneNote .one attachment → embedded payload → C2

§ What commonly comes next