Payload Trends in Malicious OneNote Samples

Extreme TLDR: Attackers exploit Microsoft OneNote for phishing using embedded payloads, primarily through images and buttons that execute malicious scripts or binaries. Analysis of 6,000 samples shows that various payload types, such as JavaScript, VBScript, and EXE files, are used, with a trend towards smaller file sizes for stealth. Organizations are advised to block dangerous extensions and monitor embedded objects in OneNote files to mitigate risks.
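One way to monitor embedded objects in a `.one` file, as an added example that is not code from the original article: it locates each embedded file by the FileDataStoreObject header GUID defined in the MS-ONESTORE specification and labels the content by magic bytes rather than by extension. The classification rules, the `review` flag and the sample bytes are constructed assumptions for illustration.

```python
import struct
import uuid

# FileDataStoreObject header GUID from the MS-ONESTORE specification (little-endian on disk).
HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
PREFIX_LEN = 36  # 16-byte GUID + 8-byte cbLength + 4 unused + 8 reserved

# Constructed triage rules: magic bytes and script keywords, not an exhaustive list.
MAGIC = [(b"MZ", "pe"), (b"\x89PNG", "png"), (b"\xff\xd8\xff", "jpeg"),
         (b"PK\x03\x04", "zip"), (b"\xd0\xcf\x11\xe0", "ole")]
SCRIPT_HINTS = (b"createobject", b"wscript", b"activexobject", b"powershell", b"<hta:")
BENIGN = {"png", "jpeg"}


def classify(data):
    """Label an embedded blob by content, ignoring whatever file name it claims."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    head = data[:4096].lower()
    return "script" if any(h in head for h in SCRIPT_HINTS) else "unknown"


def embedded_objects(blob):
    """Return one dict per embedded file object found in the raw bytes of a .one file."""
    found = []
    pos = blob.find(HEADER)
    while pos != -1 and pos + PREFIX_LEN <= len(blob):
        (size,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + PREFIX_LEN
        if start + size > len(blob):
            # Declared length runs past end of file: report it instead of slicing garbage.
            found.append({"offset": pos, "size": size, "kind": "truncated", "review": True})
        else:
            kind = classify(blob[start:start + size])
            found.append({"offset": pos, "size": size, "kind": kind,
                          "review": kind not in BENIGN})
        pos = blob.find(HEADER, pos + 16)
    return found


def make_object(data):
    """Build a constructed FileDataStoreObject for testing (footer GUID omitted)."""
    return HEADER + struct.pack("<QIQ", len(data), 0, 0) + data + b"\x00" * (-len(data) % 8)


if __name__ == "__main__":
    sample = b"\x00" * 32 + make_object(b"\x89PNG\r\n\x1a\n" + b"\x00" * 24) \
        + make_object(b'Set s = CreateObject("WScript.Shell")\r\n')
    for obj in embedded_objects(sample):
        print(obj)
```

Anything returned with `review` set (executables, scripts, archives, unrecognised or truncated content) is a candidate for quarantine at the mail gateway or for an analyst's queue.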

