February 01, 2023
How Threat Actors Use OneNote to Deploy AsyncRAT
Written by
Carlos Perez
Incident Response
Incident Response & Forensics
Malware Analysis
Office 365 Security Assessment
Threat Hunting
See how Research Team Lead Carlos Perez dissects a sample OneNote document that was delivered by phishing to deploy AsyncRAT, an open-source remote administration tool. You'll find out how threat actors are now using OneNote files as the lure, where in the document to find the embedded dropper, and how that dropper downloads and executes AsyncRAT on the victim host.
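The first step of that dissection is pulling the embedded attachment out of the .one file. The following is an added example, not TrustedSec's tooling or the script from the post; it relies only on the FileDataStoreObject layout documented in MS-ONESTORE (header GUID, 8-byte little-endian length, 4 unused bytes, 8 reserved bytes, file data, footer GUID). The sample section bytes, the decoy image and the dropper stub are constructed stand-ins, and the magic-byte table is an assumed list you can extend.

```python
"""Carve embedded files out of a OneNote (.one) section file.

Added example, not TrustedSec's code. Uses the FileDataStoreObject structure
from MS-ONESTORE 2.6.13: guidHeader (16) | cbLength (8, LE) | unused (4) |
reserved (8) | FileData (cbLength) | guidFooter (16).
"""
from __future__ import annotations

import struct
import uuid

# On-disk (little-endian) forms of the spec GUIDs.
ONE_FILE_MAGIC = uuid.UUID("{7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}").bytes_le
FDSO_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FDSO_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
FDSO_PREAMBLE = struct.Struct("<Q4s8s")  # cbLength, unused, reserved

# Assumed magic-byte table for labelling carved objects; extend as needed.
MAGIC = [
    (b"MZ", "pe"), (b"PK\x03\x04", "zip"), (b"\x89PNG", "png"),
    (b"\xff\xd8\xff", "jpeg"), (b"%PDF", "pdf"), (b"<!DOCTYPE", "html"),
    (b"<html", "html"), (b"<script", "hta"), (b"@echo", "batch"),
]


def is_one_file(data: bytes) -> bool:
    """True when the blob starts with the .one guidFileType."""
    return data.startswith(ONE_FILE_MAGIC)


def guess_kind(payload: bytes) -> str:
    head = payload[:32].lstrip().lower()
    for magic, kind in MAGIC:
        if head.startswith(magic.lower()):
            return kind
    if b"wscript" in head or b"createobject" in head:
        return "script"
    return "unknown"


def carve_embedded_files(data: bytes) -> list[dict]:
    """Return every FileDataStoreObject payload found in `data`, in file order."""
    found = []
    pos = data.find(FDSO_HEADER)
    while pos != -1:
        body = pos + len(FDSO_HEADER)
        if body + FDSO_PREAMBLE.size > len(data):
            break
        length, _unused, _reserved = FDSO_PREAMBLE.unpack_from(data, body)
        start = body + FDSO_PREAMBLE.size
        end = start + length
        if length == 0 or end > len(data):
            # Truncated or corrupt object: skip this header, keep scanning.
            pos = data.find(FDSO_HEADER, body)
            continue
        payload = data[start:end]
        # The footer follows the data, possibly after alignment padding;
        # its absence is a hint the length field was tampered with.
        footer_ok = data.find(FDSO_FOOTER, end, end + 32) != -1
        found.append({
            "offset": start, "length": length,
            "kind": guess_kind(payload), "footer_ok": footer_ok, "data": payload,
        })
        pos = data.find(FDSO_HEADER, end)
    return found


def build_sample_section() -> bytes:
    """Constructed stand-in for a lure .one file: decoy image + dropper stub."""
    def wrap(payload: bytes) -> bytes:
        return (FDSO_HEADER + FDSO_PREAMBLE.pack(len(payload), b"\0" * 4, b"\0" * 8)
                + payload + FDSO_FOOTER)

    decoy = b"\x89PNG\r\n\x1a\n" + b"\0" * 40  # fake "double-click to view" image
    dropper = b"@echo off\r\nrem constructed stand-in for the dropper script\r\n"
    return ONE_FILE_MAGIC + b"\0" * 32 + wrap(decoy) + b"\0" * 16 + wrap(dropper)


if __name__ == "__main__":
    blob = build_sample_section()
    print("one file:", is_one_file(blob))
    for obj in carve_embedded_files(blob):
        print(f"offset=0x{obj['offset']:x} len={obj['length']} "
              f"kind={obj['kind']} footer_ok={obj['footer_ok']}")
```

Run it against a real sample and the object whose kind comes back as batch, hta, script or pe is the thing hidden under the "click to view" image; dump its bytes to a file and analyze it there rather than inside OneNote.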
A detection for this technique is included in the TrustedSec Sysmon configuration. Note that Sysmon records the activity rather than blocking it: the rule gives you the telemetry to alert on and hunt for this technique, and prevention has to come from a separate control.
https://github.com/trustedsec/defensive-scripts/blob/main/onenote_asyncrat_dropper.xml
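The process pattern that kind of Sysmon rule keys on is OneNote itself becoming the parent of a script host or other interpreter. As an added example (not the TrustedSec Sysmon configuration and not code from the post), here is that logic applied to constructed Sysmon Event ID 1 records; the user name, GUID, paths and commands are stand-ins, the interpreter list is an assumed one, and the `\OneNote\...\Exported\` staging path is the location OneNote is commonly observed to write a double-clicked attachment to before opening it.

```python
"""Flag interpreters launched by OneNote from Sysmon ProcessCreate (Event ID 1).

Added example, not TrustedSec's Sysmon configuration. SAMPLE_EVENTS are
constructed records that mirror Sysmon Event ID 1 fields, not real telemetry.
"""
from __future__ import annotations

import ntpath  # Windows path handling even when run on Linux

# Interpreters and LOLBins a OneNote attachment can hand control to (assumed list).
SCRIPT_HOSTS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "certutil.exe",
}


def classify(event: dict) -> tuple[str, str] | None:
    """Return (severity, reason) for a suspicious OneNote child, else None."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent != "onenote.exe":
        return None
    image = ntpath.basename(event.get("Image", "")).lower()
    cmdline = event.get("CommandLine", "").lower()
    if image in SCRIPT_HOSTS:
        return ("high", f"onenote.exe spawned script host {image}")
    if "\\onenote\\" in cmdline and "\\exported\\" in cmdline:
        # Attachment opened by some other handler: lower confidence, still worth a look.
        return ("medium", f"onenote.exe opened exported attachment via {image}")
    return None


def hunt(events: list[dict]) -> list[tuple[str, str, str]]:
    return [(e["UtcTime"], sev, why) for e in events
            if (hit := classify(e)) for sev, why in [hit]]


# Constructed Sysmon Event ID 1 records (stand-ins, not observed data).
EXPORTED = (r"C:\Users\user\AppData\Local\Temp\OneNote\16.0\Exported"
            r"\{0F4D2E6C-1B3A-4C5D-8E9F-0A1B2C3D4E5F}\NT\0")
SAMPLE_EVENTS = [
    {"UtcTime": "2023-02-01 10:00:01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /c "{EXPORTED}\\invoice.cmd"'},
    {"UtcTime": "2023-02-01 10:00:05",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile"},
    {"UtcTime": "2023-02-01 10:01:10", "Image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "CommandLine": f'"AcroRd32.exe" "{EXPORTED}\\statement.pdf"'},
    {"UtcTime": "2023-02-01 10:02:00", "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
]

if __name__ == "__main__":
    for when, severity, reason in hunt(SAMPLE_EVENTS):
        print(f"{when} [{severity}] {reason}")
```

The benign print-spooler child and the PowerShell launched from Explorer are left alone; the cmd.exe child of ONENOTE.EXE is the AsyncRAT dropper pattern this post is about, and the Exported-path case catches attachments that were opened by a handler not in the interpreter list.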