0ddj0bb · @0ddj0bb
858 followers · 604 posts · Server infosec.exchange

At 12:15pm EST today you can see my analysis of the Campaign using to deliver on

youtu.be/v1MtTHS-I24

#qaknote #onenote #qakbot #Glassof0J #infosec #hacking #cybercrime #ioc #ioa

Last updated 2 years ago

Zak · @Zak_Sec
19 followers · 22 posts · Server infosec.exchange

Reading through the Sophos Blog on gave some opportunity for some practice:

// Defender Advanced Hunting (KQL). Filter before the join, and use kind=inner: the default
// innerunique keeps one left row per NetworkMessageId and can drop a second .one on the same message.
// One RE2 pattern for both lure names; the bare dots still match any single separator character,
// but the extension dot is escaped and the end anchored so a double extension like ".one.exe" no longer matches.
EmailAttachmentInfo
| where FileName matches regex @'^(?:ApplicationReject|ComplaintCopy)_\d{5}.\w{5}.\.one$'
| join kind=inner EmailEvents on NetworkMessageId

Happy Hunting ~

news.sophos.com/en-us/2023/02/

#qaknote #regex

Last updated 2 years ago
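Added example, not from Zak's post and not Sophos code: a Python re-implementation of the same filter-then-join hunt over constructed sample rows, so the filename pattern can be sanity-checked offline before it is run in Advanced Hunting. The column names mirror the Defender tables; every message ID, address, filename and hash below is invented for the example, and the tightened pattern (escaped extension dot, end anchor) is my own variant of the one in the post.

```python
import re
from collections import defaultdict

# Tightened form of the pattern from the post: one alternation for both lure
# names, the extension dot escaped and the end anchored. The two bare dots are
# kept so any single separator character (e.g. parentheses) still matches.
LURE_NAME = re.compile(r'^(?:ApplicationReject|ComplaintCopy)_\d{5}.\w{5}.\.one$')

# The ApplicationReject pattern exactly as posted, kept for comparison.
LOOSE_NAME = re.compile(r'(?:ApplicationReject_)\d{5}.\w{5}.(?:.one)')

# Constructed sample rows standing in for the Defender tables; every value
# (message IDs, addresses, filenames, hashes) is invented for this example.
EMAIL_EVENTS = [
    {"NetworkMessageId": "m-001", "SenderFromAddress": "hr@sender.example",
     "RecipientEmailAddress": "alice@corp.example", "Subject": "Application status"},
    {"NetworkMessageId": "m-002", "SenderFromAddress": "legal@sender.example",
     "RecipientEmailAddress": "bob@corp.example", "Subject": "Complaint"},
    {"NetworkMessageId": "m-003", "SenderFromAddress": "hr@sender.example",
     "RecipientEmailAddress": "carol@corp.example", "Subject": "Application status"},
]
EMAIL_ATTACHMENTS = [
    {"NetworkMessageId": "m-001", "FileName": "ApplicationReject_58703(Jan31).one", "SHA256": "00" * 32},
    {"NetworkMessageId": "m-002", "FileName": "ComplaintCopy_10442(Feb01).one", "SHA256": "11" * 32},
    {"NetworkMessageId": "m-002", "FileName": "invoice.pdf", "SHA256": "22" * 32},
    # Double extension: hit by the loose pattern, rejected by the anchored one.
    {"NetworkMessageId": "m-003", "FileName": "ApplicationReject_12345(Jan31).one.exe", "SHA256": "33" * 32},
    # No EmailEvents row for this message, so an inner join drops it.
    {"NetworkMessageId": "m-004", "FileName": "ComplaintCopy_99999(Feb01).one", "SHA256": "44" * 32},
]


def match_names(pattern, names):
    """Return the names the pattern hits; re.search is unanchored, like KQL's matches regex."""
    return [n for n in names if pattern.search(n)]


def hunt(events, attachments, pattern=LURE_NAME):
    """Filter attachments on FileName, then inner-join to events on NetworkMessageId.

    Mirrors the KQL: one output row per (attachment, event) pair, with the
    attachment fields merged over the event fields.
    """
    by_id = defaultdict(list)
    for ev in events:
        by_id[ev["NetworkMessageId"]].append(ev)
    hits = []
    for att in attachments:
        if not pattern.search(att["FileName"]):
            continue
        for ev in by_id.get(att["NetworkMessageId"], []):
            hits.append({**ev, **att})
    return hits


if __name__ == "__main__":
    for row in hunt(EMAIL_EVENTS, EMAIL_ATTACHMENTS):
        print(row["NetworkMessageId"], row["RecipientEmailAddress"], row["FileName"])
    names = [a["FileName"] for a in EMAIL_ATTACHMENTS]
    print("loose:", match_names(LOOSE_NAME, names))
    print("tight:", match_names(LURE_NAME, names))
```

Running it shows the two real hits (m-001 and m-002), the `.one.exe` name that only the loose pattern accepts, and the m-004 attachment that disappears because it has no EmailEvents row, which is the same behaviour an inner join gives in Advanced Hunting. KQL's `matches regex` uses RE2, and the pattern above uses only constructs RE2 also supports.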

Sophos X-Ops · @SophosXOps
1349 followers · 131 posts · Server infosec.exchange

Our coverage of this campaign includes a breakdown of the attack chain, IOCs, and some other curious details -- such as the fact that the embedded graphic elements were originally added to the document using filenames in the Russian language. "Curious," that.

People unfamiliar with OneNote as a weaponized document format should get used to this; are probably here to stay -- at least, until mail server admins decide to block all inbound .one attachments. 6/6

news.sophos.com/en-us/qakbot-o

#malware #qaknote #maldocs

Last updated 2 years ago