Tactic or Technique: OneNote

Attackers use OneNote files to hide malware or phishing links inside interactive elements like buttons, images, or text boxes. These files are often sent as attachments with subject lines about invoices, shipping updates, or other urgent business topics.
When opened, the page may look like a login screen or document preview and prompt you to click. That click can launch a PowerShell script, download malware, or redirect you to a phishing site.
This tactic works because OneNote files often bypass security filters that focus on more traditional attachments like Word documents or PDFs. Most tools don’t scan them as deeply, which gives attackers a way to evade detection and gain a foothold in your environment.
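
As an added illustration (not part of the original page), the sketch below shows what scanning a OneNote attachment more deeply can look like: it identifies a .one file by its content rather than its extension and flags embedded file objects that look like executables or scripts. The GUIDs come from Microsoft's MS-ONESTORE format specification; the indicator lists, function names and sample bytes are assumptions constructed for this example.

```python
import struct
import uuid

# GUIDs from the MS-ONESTORE specification, converted to on-disk byte order.
ONE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le

# Heuristic indicators chosen for this example; not an exhaustive list.
RISKY_MAGIC = {b"MZ": "Windows executable",
               b"L\x00\x00\x00\x01\x14\x02\x00": "Windows shortcut"}
SCRIPT_MARKERS = (b"powershell", b"wscript", b"mshta", b"<script")

def embedded_objects(data):
    """Yield the payload of every embedded file object (FileDataStoreObject)."""
    pos = data.find(FDSO_HEADER)
    while pos != -1:
        body = pos + 36  # GUID (16) + cbLength (8) + unused (4) + reserved (8)
        if body > len(data):
            break  # truncated header: stop instead of reading garbage
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        yield data[body:body + size]  # slicing clamps an oversized cbLength
        pos = data.find(FDSO_HEADER, pos + 16)

def classify(blob):
    """Return a label for risky embedded content, or None if nothing matched."""
    for magic, label in RISKY_MAGIC.items():
        if blob.startswith(magic):
            return label
    head = blob[:4096].lower()
    for marker in SCRIPT_MARKERS:
        if marker in head:
            return "script-like content (%s)" % marker.decode()
    return None

def triage(data):
    """Identify OneNote by content, not extension; list risky embedded objects."""
    if not data.startswith(ONE_MAGIC):
        return False, []
    labelled = ((i, len(b), classify(b)) for i, b in enumerate(embedded_objects(data)))
    return True, [f for f in labelled if f[2]]

def _fdso(payload):  # builds one embedded object for the constructed sample
    return FDSO_HEADER + struct.pack("<QIQ", len(payload), 0, 0) + payload

# Constructed sample: a harmless image plus a batch file that calls PowerShell.
SAMPLE = (ONE_MAGIC + b"\x00" * 64 + _fdso(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
          + _fdso(b"@echo off\r\npowershell.exe -File placeholder.ps1\r\n"))

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A finding here is a reason to quarantine or detonate the attachment, not proof of malice; plain-text markers miss UTF-16 or obfuscated scripts.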