OneNote Email Attack
Trace a real BEC scam built on weeks of inbox surveillance.
What You'll Learn in OneNote Email Attack
- Identify the characteristics of a monitored BEC attack where criminals surveil email threads before acting
- Detect lookalike domains by examining sender addresses character by character against known contacts
- Apply out-of-band verification procedures to confirm payment changes through a separate communication channel
- Recognize how attackers use real project details and invoice amounts to build credibility in fraudulent requests
- Explain why email-only confirmation is insufficient for any financial transaction change, regardless of how legitimate the request appears
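The character-by-character sender check from the objectives above, written out as an added example (it is not part of the course material). It compares an incoming address against a contact directory and reports exact matches, swapped lookalike characters, near-miss spellings, a reused organisation name under a different suffix, and a known display name on an unfamiliar address. The contact directory, the placeholder `.example` domains and the confusable-character table are all assumptions constructed for the example.

```python
"""Lookalike-sender check: added example, not part of the training page.

Compares an incoming sender against a directory of known contacts and
reports exact matches, homoglyph swaps, near-miss spellings, and display
names borrowed from a known contact. Contacts and senders below are
constructed placeholders."""

import unicodedata

# Constructed contact directory: address -> display name (placeholders).
KNOWN_CONTACTS = {
    "bob.chen@dataflow-analytics.example": "Bob Chen",
    "maria.lopez@acme-partners.example": "Maria Lopez",
}

# Single characters that are visually swapped for one another; each maps to
# the letter it usually stands in for (assumed table, not exhaustive).
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e",
                                  "5": "s", "8": "b"})
# Two-character sequences that read as one letter in many fonts.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))


def canonical(domain: str) -> str:
    """Fold a domain to a form where lookalike spellings collide."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = d.encode("ascii", "ignore").decode()      # drop accents, e.g. é -> e
    for pair, letter in CONFUSABLE_PAIRS:
        d = d.replace(pair, letter)
    return d.translate(CONFUSABLE_CHARS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def char_diff(a: str, b: str) -> list:
    """Positions where two equal-length strings differ, for the analyst."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def classify_sender(address: str, display_name: str = "") -> tuple:
    """Return (verdict, detail) for one sender.

    verdict: 'known' | 'impersonation' | 'homoglyph' | 'lookalike' | 'unknown'
    """
    address = address.strip().lower()
    if address in KNOWN_CONTACTS:
        return "known", KNOWN_CONTACTS[address]

    # A familiar display name on an unfamiliar address is the classic BEC tell.
    for known_addr, name in KNOWN_CONTACTS.items():
        if display_name and display_name.strip().lower() == name.lower():
            return "impersonation", f"display name {name!r} belongs to {known_addr}"

    domain = address.rpartition("@")[2]
    for known_addr in KNOWN_CONTACTS:
        known_domain = known_addr.rpartition("@")[2]
        if domain == known_domain:
            return "unknown", f"new address at known domain {known_domain}"
        if canonical(domain) == canonical(known_domain):
            return "homoglyph", f"{domain} mimics {known_domain} with swapped characters"
        dist = edit_distance(domain, known_domain)
        if dist <= 2:
            positions = char_diff(domain, known_domain) if len(domain) == len(known_domain) else []
            where = f" at position(s) {positions}" if positions else ""
            return "lookalike", f"{domain} is {dist} edit(s) from {known_domain}{where}"
        if domain.split(".")[0] == known_domain.split(".")[0]:
            return "lookalike", f"{domain} reuses the name of {known_domain} under another suffix"
    return "unknown", "no resemblance to any known contact"


if __name__ == "__main__":
    for sender, name in [("bob.chen@dataflow-analytics.example", "Bob Chen"),
                         ("bob.chen@dataf1ow-analytics.example", "Bob Chen"),
                         ("bob.chen@dataflow-analytlcs.example", "Bob Chen"),
                         ("bobchen.ceo@freemail.example", "Bob Chen")]:
        print(sender, "->", classify_sender(sender, name))
```

Anything other than `known` is a cue to pick up the phone and call the contact on a number you already have, which is the out-of-band step the objectives describe; the verdicts only tell you where to look, not that the sender is safe.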
OneNote Email Attack Training Steps
- Introduction: Waiting for Critical Contract Documents
You are Alice Martinez, a Senior Account Manager at TechCorp Solutions. For two months, you've been working with Bob Chen, CEO of DataFlow Analytics, on a $500,000 annual contract renewal. Bob promised to send signed contract documents this week, but they haven't arrived yet. Your legal team and manager have been asking for these documents daily - the deal can't close without Bob's signature. It's Friday afternoon, 4:45 PM. You check your email one last time before the weekend, hoping Bob finally sent the contracts.
- The Long-Awaited Email Arrives
A new message from Bob Chen appears at the top of your inbox! Subject: 'Signed Contract Documents - Final Version.' After weeks of waiting, Bob has finally sent the documents. You can finalize the deal over the weekend and announce the contract renewal Monday. There's a link to a OneNote file - Bob's company often shares documents via OneDrive, so this seems normal.
- Opening the Contract Link
You don't hesitate. The email looks completely legitimate - it's from Bob's DataFlow Analytics address, mentions the board approval delay he told you about, and the subject matches exactly what you've been expecting. You click the link. Your browser opens to what appears to be a OneDrive page with a OneNote document preview. The page looks exactly like Microsoft's interface - same branding, colors, and layout. There's a document preview showing a contract with signatures and corporate letterhead.
- The Sign-In Request
The page displays a Microsoft sign-in form. This is normal - you often authenticate when accessing documents shared by external partners. The page has proper Microsoft branding and looks exactly like the authentication page you see dozens of times per week when external clients share files.
- Entering Your Credentials
The login form appears with familiar Microsoft styling. You've authenticated on shared OneDrive links hundreds of times before. You type in your work email and password without hesitation - you need these contracts for the legal team Monday morning. It's 4:50 PM Friday and you want to review the documents over the weekend.
- Something Goes Wrong
After entering credentials, the page shows a loading spinner, then displays 'Connection timed out.' You try accessing your company email - suddenly you're asked to sign in again. 'Invalid credentials.' Your stomach drops. You try OneDrive - same problem. You're locked out. The horrifying truth hits you: that wasn't the real OneDrive. It was a sophisticated fake page designed to steal credentials. You just gave attackers your work email, password, and access to your company's entire Microsoft 365 system. They immediately logged into your real account and changed your password, locking you out.
- Emergency: Calling IT Security
You immediately call the IT Security hotline. After several rings, you leave an urgent voicemail explaining you've been phished and are locked out. Your hands shake as you wait. The attackers have access to sensitive client information, financial data, and internal documents. Two minutes later, your desk phone rings - IT Security is calling back.
- The Security Team Response
The IT Security team is calling back to help lock down your account and assess the damage. They need to act quickly to minimize the breach.
- The Damage Assessment: Six Critical Minutes
Within two minutes, security forced a password reset and kicked the attackers out. But the damage is done. Compromised data includes signed contracts with pricing, financial projections, client PII, proprietary technical docs, and private negotiations. This data could be sold to competitors, leaked publicly, or used for further attacks.
- Reporting the Phishing Email
With the crisis contained, report the malicious email. The 'Report Phishing' feature helps security analyze headers, block sender domains, identify other targeted employees, and share threat intelligence.
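What the header analysis behind a phishing report looks like in practice, as an added example that is not part of the training page or of any vendor's 'Report Phishing' feature. It parses a constructed message of the kind the scenario describes, compares the From, Reply-To and Return-Path domains, reads the SPF/DKIM/DMARC results, and checks whether the embedded 'OneDrive' link actually points at a Microsoft sharing host. The message and every domain in it are constructed placeholders, and the allow-list of Microsoft sharing hosts is an assumption of the example.

```python
"""Triage of a reported phishing email: added example, not part of the
training page or any vendor's 'Report Phishing' feature.

Pulls the sender-related headers and embedded link hosts out of a raw
message and lists the observations an analyst checks first. The message
below is constructed; every domain in it is a placeholder."""

import email
import email.utils
import re
from urllib.parse import urlparse

# Constructed report resembling the scenario's message (placeholder domains).
REPORTED_EMAIL = """\
Return-Path: <bounce-7731@bulk-relay.example>
Authentication-Results: mx.techcorp.example;
 spf=fail smtp.mailfrom=bulk-relay.example; dkim=none;
 dmarc=fail header.from=dataflow-analytics.example
From: "Bob Chen" <bob.chen@dataflow-analytics.example>
Reply-To: bob.chen@dataflow-analytics-docs.example
To: alice.martinez@techcorp.example
Subject: Signed Contract Documents - Final Version
Content-Type: text/plain; charset=utf-8

Hi Alice, apologies for the delay with the board. The signed copies are in
OneDrive: https://onedrive-docs-share.example/s/contract-final-v3
Best, Bob
"""

# Assumed allow-list of hosts Microsoft uses for OneDrive/SharePoint links.
MICROSOFT_SHARE_HOSTS = {"onedrive.live.com", "1drv.ms"}
MICROSOFT_SHARE_SUFFIXES = (".sharepoint.com",)
BRAND_WORDS = ("onedrive", "microsoft", "sharepoint", "office")


def _domain(header_value: str) -> str:
    """Domain part of the address in a From/Reply-To/Return-Path header."""
    return email.utils.parseaddr(header_value)[1].rpartition("@")[2].lower()


def is_microsoft_share_host(host: str) -> bool:
    return host in MICROSOFT_SHARE_HOSTS or host.endswith(MICROSOFT_SHARE_SUFFIXES)


def triage_report(raw: str) -> dict:
    """Return the headers, link hosts and findings an analyst reviews first."""
    msg = email.message_from_string(raw)
    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg.get("Reply-To", ""))
    return_domain = _domain(msg.get("Return-Path", ""))
    # Authentication-Results carries the receiving server's SPF/DKIM/DMARC verdicts.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           msg.get("Authentication-Results", "")))

    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    link_hosts = sorted({(urlparse(u).hostname or "").lower()
                         for u in re.findall(r"https?://[^\s<>\"']+", body)})

    findings, block = [], set()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
        block.add(reply_domain)
    if return_domain and return_domain != from_domain:
        findings.append(f"Return-Path domain {return_domain} differs from From domain {from_domain}")
        block.add(return_domain)
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech, "none") != "pass":
            findings.append(f"authentication check {mech}={auth.get(mech, 'missing')}")
    for host in link_hosts:
        if is_microsoft_share_host(host):
            continue
        brand = any(w in host for w in BRAND_WORDS)
        findings.append(f"link host {host} is not a Microsoft sharing host"
                        + (" but carries a Microsoft brand name" if brand else ""))
        block.add(host)
    return {"from_domain": from_domain, "reply_domain": reply_domain,
            "return_domain": return_domain, "auth": auth,
            "link_hosts": link_hosts, "findings": findings,
            "block_candidates": sorted(block)}


if __name__ == "__main__":
    report = triage_report(REPORTED_EMAIL)
    for line in report["findings"]:
        print("-", line)
    print("block candidates:", ", ".join(report["block_candidates"]))
```

Note that the From domain is deliberately left out of the block candidates: when the displayed sender is a real partner's address being spoofed, blocking it would cut off the legitimate contact, which is why the Reply-To, Return-Path and link hosts are the first things to block and the From domain is handled through DMARC enforcement instead.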