
Pedro Ibanez

15 August, 2023 - 5 min read

Malicious documents are dead, long live malicious

After almost three decades of Microsoft Office macro malware being used to infect computers, and a decade of it being one of the most commonly distributed types of malware, Microsoft has dealt a potentially fatal blow by disabling by default all macros in files downloaded from the internet. There is no longer a message bar that can be clicked to simply enable the macro. Macros are completely blocked and require a great deal of user intervention to re-enable.

However, as the saying goes, "nature abhors a vacuum," and threat actors have spent years honing their social engineering playbook around document malware. Add to this the out-of-the-box thinking required to succeed in this line of work and cybercriminals' history of trying novel approaches to evade malware detection, and the result is weaponized OneNote files being used to distribute Qakbot, likely the first of many new approaches to document malware.

How the QuakNote malware campaign works
