Shane

Hackers Disguise Malicious Login Pages as Microsoft OneNote to Steal Corporate Credentials

OneNote Phishing Campaign Targets Business Credentials Through Fake Login Pages – Three-Year Credential Harvesting Operation

A sophisticated phishing campaign has been targeting businesses since 2022, using fake Microsoft OneNote login prompts to harvest Office 365 and Outlook credentials from unsuspecting users. What makes this threat particularly dangerous is how it exploits legitimate cloud platforms and familiar collaboration tools to bypass traditional security measures.

The Nature of the OneNote Login Prompt Attack

This ongoing phishing campaign leverages fake Microsoft OneNote login prompts to harvest Office 365 and Outlook credentials from unsuspecting users, representing a sophisticated evolution in credential theft tactics.

Key characteristics of this attack include:

  • Initial contact through seemingly legitimate emails with subject lines like “New Document Shared with you” or “New Audio Note Received”
  • Redirection to fake OneNote documents that appear to be shared collaborative content
  • Active operation since January 2022, primarily targeting Italian and U.S. organizations
  • Abuse of legitimate cloud services including Notion workspaces, Glitch domains, Google Docs, and RenderForest services
  • Strategic use of trusted hosting platforms to bypass traditional security detection systems
  • Focus on harvesting business-critical Microsoft 365 and associated email service credentials

Severity Assessment: High-Risk Credential Theft Operation

This threat carries a high severity rating due to its persistent nature, sophisticated approach, and direct targeting of business-critical systems.

The severity factors that make this particularly dangerous include:

  • Direct targeting of business-critical Microsoft 365 services that organizations rely on for daily operations
  • Demonstrated persistence and adaptability over three years of continuous operation
  • Use of legitimate hosting platforms that significantly reduces detection rates by traditional security systems
  • Multiple authentication targets including Office 365, Outlook, Rackspace, Aruba Mail, and PEC systems
  • Specific focus on small and medium-sized businesses that often lack advanced security controls
  • Seamless post-attack redirection that prevents victims from realizing they’ve been compromised
  • Integration with Telegram infrastructure for reliable data exfiltration and command control

How the Attack Works

The attack chain follows a methodical approach designed to maximize success rates through social engineering and technical deception.

The step-by-step attack process includes:

  • Initial Contact: Victims receive phishing emails appearing to come from colleagues or business contacts with urgent subject lines about shared documents or audio messages
  • Malicious Redirection: Email links redirect users to fake login pages hosted on legitimate cloud platforms like Google Docs, Notion, or Glitch
  • Interface Deception: Malicious pages carefully mimic authentic Microsoft OneNote authentication prompts with familiar branding and user interface elements
  • Credential Harvesting: When victims enter login information, the phishing script captures credentials plus the victim’s IP address using services like ipify.org
  • Data Exfiltration: Stolen data is transmitted through Telegram Bot API with bot tokens and chat IDs hardcoded into malicious JavaScript
  • Seamless Redirect: After data theft, users are redirected to genuine Microsoft login pages to maintain the illusion of legitimacy
  • Delayed Detection: The seamless redirect prevents victims from realizing compromise has occurred until potentially weeks later

The Threat Actors Behind the Operation

Security researchers indicate that the threat actors behind this campaign prioritize simplicity and scalability over sophisticated evasion techniques, yet have maintained remarkably effective operations for over three years.

Characteristics of the threat actors include:

  • Low Technical Sophistication: Operators appear to lack advanced technical skills, favoring simple and reliable methods over complex evasion techniques
  • Business-Minded Approach: Focus on cost-effectiveness and accessibility using free or low-cost cloud services rather than expensive custom infrastructure
  • Operational Evolution: Transitioned from simple form submissions to standardized Telegram bot-based exfiltration by February 2022
  • Minimal Obfuscation: Use basic concealment methods rather than advanced anti-detection measures
  • Sustainable Model: Reliance on off-the-shelf command-and-control infrastructure through Telegram bots reduces operational overhead
  • Proven Persistence: Consistent activity over three years demonstrates commitment to long-term credential harvesting operations
  • Adaptable Tactics: Continuous refinement of visual themes and attack vectors while maintaining core technical approach

Organizations and Users at Risk

Small and medium-sized businesses represent the primary target demographic for this campaign, particularly those heavily dependent on Microsoft 365 services for daily operations.

High-risk organizations and scenarios include:

  • SMB Microsoft 365 Users: Small and medium-sized businesses heavily dependent on Microsoft 365 for daily operations and collaboration
  • Distributed Workforces: Organizations with remote or hybrid employees who regularly share documents through cloud platforms
  • Document-Heavy Industries: Educational institutions, manufacturing companies, and professional services firms previously targeted in campaign waves
  • Limited Security Resources: Businesses without dedicated IT security teams or advanced threat detection capabilities
  • Cloud Collaboration Environments: Any organization where employees routinely access shared files from various platforms without strict verification protocols
  • High-Trust Environments: Companies with workplace cultures that emphasize quick collaboration and document sharing without extensive security questioning

Remediation and Prevention Strategies

Effective defense against this threat requires a multi-layered approach combining technical controls with comprehensive user education to address both the technical and human elements of the attack.

Critical defense measures include:

  • Multi-Factor Authentication: Implement MFA on all Microsoft 365 accounts and critical business systems to prevent account compromise even when credentials are stolen
  • Advanced Email Security: Deploy email security solutions capable of analyzing links in real-time and detecting redirects to suspicious domains
  • User Awareness Training: Educate employees about specific campaign tactics, emphasizing that legitimate Microsoft notifications always direct to official Microsoft domains
  • Sender Verification Protocols: Establish procedures for employees to verify sender authenticity through alternative communication channels when receiving unexpected sharing requests
  • Network Monitoring: Monitor for suspicious authentication patterns, unusual login attempts, and communications with known Telegram bot APIs from corporate endpoints
  • Incident Response Planning: Develop rapid response procedures for potential credential compromise incidents, including immediate password resets and account auditing
  • Security Assessment: Regularly evaluate authentication and access control systems to identify and address potential vulnerabilities
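The two observable artifacts this post describes, the public-IP lookup at ipify.org followed by a Telegram Bot API call with the bot token and chat ID carried in the request, are exactly what the "Network Monitoring" measure above can key on, because a web proxy sees both URLs. The following is an added example written for this post, not code from the campaign or from CinchOps: it parses constructed, Squid-style proxy log lines (timestamp, client IP, method, URL, status; the log format is an assumption), flags any Telegram Bot API call from a corporate endpoint, raises the severity when the same host performed an ipify lookup shortly before, and redacts the harvested bot token in the alert so the analyst can block on the bot ID without the secret leaking into ticketing systems. The token shape assumed by the regex (numeric bot ID, colon, alphanumeric secret) and the sample IPs, token and chat ID are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Assumed proxy log format (constructed for this example, Squid-like):
# "<epoch ts> <client ip> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Telegram Bot API calls carry the bot token in the URL path, so a proxy log
# exposes both the token and the API method. Token shape assumed here:
# "<numeric bot id>:<secret>"; the length bounds are an assumption.
TELEGRAM_BOT_PATH = re.compile(r"^/bot(\d{6,12}):([A-Za-z0-9_-]{30,45})/(\w+)")
# Public-IP lookup service named in the post; the api. host is an assumption.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipify.org"}


@dataclass
class Finding:
    ts: float
    src_ip: str
    kind: str      # "ip_lookup", "telegram_bot_api" or "telegram_other"
    detail: str


@dataclass
class Alert:
    src_ip: str
    severity: str  # "medium" or "high"
    detail: str


def redact_token(token: str) -> str:
    """Keep the numeric bot id (useful for blocking) and hide the secret."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:4]}...{secret[-2:]}"


def analyze_line(line: str):
    """Classify one proxy log line; returns a Finding or None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts, src = float(m["ts"]), m["src"]
    url = urlparse(m["url"])
    host = (url.hostname or "").lower()
    if host == "api.telegram.org":
        pm = TELEGRAM_BOT_PATH.match(url.path)
        if not pm:
            return Finding(ts, src, "telegram_other", "non-bot path")
        token = f"{pm.group(1)}:{pm.group(2)}"
        chat_id = parse_qs(url.query).get("chat_id", ["?"])[0]
        detail = f"{pm.group(3)} chat_id={chat_id} token={redact_token(token)}"
        return Finding(ts, src, "telegram_bot_api", detail)
    if host in IP_LOOKUP_HOSTS:
        return Finding(ts, src, "ip_lookup", host)
    return None


def correlate(log_text: str, window_seconds: float = 120.0):
    """Alert on Telegram bot calls; escalate when an ipify lookup preceded them."""
    findings = [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]
    by_src = {}
    for f in findings:
        by_src.setdefault(f.src_ip, []).append(f)
    alerts = []
    for src, fs in by_src.items():
        lookups = [f.ts for f in fs if f.kind == "ip_lookup"]
        for f in fs:
            if f.kind != "telegram_bot_api":
                continue
            corroborated = any(0 <= f.ts - t <= window_seconds for t in lookups)
            alerts.append(Alert(src, "high" if corroborated else "medium", f.detail))
    return alerts


# Constructed sample log: one host shows the lookup-then-exfiltrate sequence,
# one only does an IP lookup, one touches Telegram without a bot path.
SAMPLE_LOG = """\
1718000000.101 10.20.30.41 GET https://www.office.com/ 200
1718000001.250 10.20.30.41 GET https://api.ipify.org/?format=json 200
1718000003.470 10.20.30.41 POST https://api.telegram.org/bot123456789:AAFakeTokenForIllustrationOnly0000001/sendMessage?chat_id=-100111222333 200
1718000004.002 10.20.30.41 GET https://login.microsoftonline.com/ 200
1718000200.500 10.20.30.77 GET https://api.ipify.org/ 200
1718000900.900 10.20.30.88 GET https://api.telegram.org/ 200
"""

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"[{a.severity}] {a.src_ip}: {a.detail}")
```

Running the block prints a single high-severity alert for 10.20.30.41 naming the Bot API method, the chat ID and the redacted token; the host that only queried ipify produces nothing, which keeps the rule quiet on ordinary traffic while still catching the post-credential-entry sequence the post describes. The same logic transfers to a SIEM query: match on the `api.telegram.org/bot` path, then join against IP-lookup requests from the same client inside a short window.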

How CinchOps Can Help

Professional cybersecurity services can provide the comprehensive protection needed to defend against sophisticated phishing campaigns like the OneNote login prompt attack, offering expertise and tools that many businesses lack internally.

Managed security services typically include:

  • Advanced Email Security Filtering: Analyze link destinations and detect suspicious redirects, even when hosted on legitimate platforms
  • Multi-Factor Authentication Deployment: Comprehensive implementation and management across all business-critical systems
  • Real-Time Security Monitoring: Identify unusual authentication patterns and potential credential compromise attempts
  • Targeted Security Awareness Training: Employee education specifically tailored to current threat tactics, including hands-on phishing simulation exercises
  • Incident Response Services: Quickly contain and remediate credential theft incidents to minimize business impact
  • Security Assessment Services: Identify vulnerabilities in your current authentication and access control systems
  • Ongoing Threat Intelligence: Keep your defenses updated against emerging attack vectors and evolving criminal tactics

Organizations that lack internal cybersecurity expertise can benefit significantly from partnering with managed security service providers who specialize in defending against evolving threats like credential harvesting campaigns, ensuring comprehensive protection without the overhead of building and maintaining internal security teams.


Discover More

Discover more about our enterprise-grade and business protecting cybersecurity services: CinchOps Cybersecurity
Discover related topics: CinchOps Asks Houston Businesses: What if an Employee Falls for a Phishing Email?
For Additional Information on this topic: Hackers Mimic OneNote Login to Steal Office365 & Outlook Credentials
