February 2023


Cyber threats of the past 30 days as seen by Gatewatcher’s CTI analysts
269 294

Indicateurs de compromission (IOCs) identifiés

100 779

Rapports de compromission identifiés (regroupement d’IoCs)


After the default blocking of macros on the Office suite and the correction of vulnerabilities on archives and disk images that led to the defusing of Mark-of-the-Web, threat actors are now forced to turn to new infection techniques. It is in this context that we can observe, in the last two months, an increasing number of actors turning to Microsoft OneNote files.

OneNote is a note-taking program developed by Microsoft. Free and included in both the Office 2019 suite and Microsoft 365, OneNote is found in the majority of Windows users, whether or not they are users of the software. In addition to its pervasiveness, it is the ability, extended with each update, of OneNotes to be attached any other type of file (PE, LNK, HTML, VBS script…) that has finally attracted the attention of threat actors.

The process starts with a phishing email containing a OneNote as an attachment. Once the attachment is downloaded and opened, the content of the file prompts the victim to click on a designated location in the document. A warning window opens to inform the user that they are about to open a file attached to the document. Finally, once the warning is ignored, the malicious payload is executed. Regarding the malicious payload, in current campaigns involving OneNote files, the following malware can be found: Qbot, AsyncRat and RemcosRat.

Considering the above-mentioned characteristics, which are related to the tool’s capabilities, its availability to Windows users and its apparent harmlessness in the eyes of users, it is possible to believe that OneNote files will be a long-term trend in terms of pre-infection.


common vulnerabilities u0026 exposures [CVE]


malware families


Hunting is a technique used in cybersecurity to anticipate, detect and respond to cyber threats. This includes proactively looking for indicators of compromise (IOCs) and other elements that may indicate malicious activity. This approach is also an integral part of Cyber Threat Intelligence to collect and use information about current and potential threats. The main objective of hunting is to discover developing attacks before they damage systems and enable a rapid response to limit the consequences. It is an important part of the overall cybersecurity strategy for enterprises and governments, as it enables threats to be detected earlier and neutralized more effectively.

Hunting is a continuous process that adapts to new threats and attack techniques to maintain a high level of system protection. Threat hunters use a combination of analysis techniques, such as log analysis, network analysis, threat analysis and OSINT to detect signs of intrusion or infrastructure related to malicious activity.


targeted business sectors


threats categories


Malware, zero-day vulnerabilities, advanced persistent threats, industries and sectors particularly targeted, weak signals of emerging attacks…It’s no secret that knowledge of one’s adversary is a key factor for the security of an enterprise. The Cyber Threats Barometer gives you a monthly overview of the cyber threats detected in the previous month by Gatewatcher CTI , our Cyber Threat Intelligence platform.

Gatewatcher CTI’s automated collection, analysis and correlation engines are continuously fed by more than three thousand data sources from multiple channels: social networks, specialized sites, dark and deep web. They make threat information available an average of 24 hours in advance of the competition and help operational response teams make better decisions by dramatically reducing their analysis and incident treatment times.