Meeting Invite Phishing Campaign Using OneNote Attachment

Employees received spear-phishing emails containing a OneNote attachment that executed a hidden script to download a payload from an external URL and created persistence via a RunOnce registry key; observed indicators include the sender (board.notice@meeting-docscenter.com), attachment (Agenda_Review.one), and the download URL (http://84.32.190.44/data/fetch).