After allegations that the note-taking service is being increasingly misused for malware transmission, Microsoft has revealed steps to automatically remove embedded files with “dangerous extensions” in OneNote security.
Users were previously presented with a window warning them that opening specific attachments could damage their computer and data, but they could ignore it and access the files.
Future events will change that. According to Microsoft, the statement “Your administrator has prohibited your ability to open this file type in OneNote” will be displayed instead of the user being able to open an embedded file with a risky extension directly.
The upgrade primarily affects OneNote security for Microsoft 365 on Windows-based devices, and it is anticipated to begin rolling out with Version 2304 later this month. Other operating systems, such as macOS, Android, and iOS, as well as the web-based and Windows 10 versions of OneNote, are unaffected.
According to Microsoft, OneNote, by default, disables the same extensions that Word, Excel, Outlook, and PowerPoint disable. “If the user clicks on malicious scripts or executables, damage may result. If extensions are introduced to this list of permitted add-ons, OneNote and other programs like Word and Excel may become less secure.”
The list of 120 extensions in this act is as follows –
(.ade, .adp, .app, .application, .appref)
(-ms, .asp, .aspx, .asx, .bas, .bat, .bgi, .cab, .cer, .chm, .cmd, .cnt, .com, .cpl, .crt, .csh, .der, .diagcab, .exe, .fxp, .gadget, .grp, .hlp, .hpj, .hta, .htc, .inf, .ins, .iso, .isp, .its, .jar, .jnlp, .js, .jse, .ksh, .lnk, .mad, .maf, .mag, .mam, .maq, .mar, .mas, .mat, .mau, .mav, .maw, .mcf, .mda, .mdb, .mde, .mdt, .mdw, .mdz, .msc, .msh, .msh1, .msh2, .mshxml, .msh1xml, .msh2xml, .msi, .msp, .mst, .msu, .ops, .osd, .pcd, .pif, .pl, .plg, .prf, .prg, .printerexport, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .psd1, .psdm1, .pst, .py, .pyc, .pyo, .pyw, .pyz, .pyzw, .reg, .scf, .scr, .sct, .shb, .shs, .theme, .tmp, .url, .vb, .vbe, .vbp, .vbs, .vhd, .vhdx, .vsmacros, .vsw, .webpnp, .website, .ws, .wsc, .wsf, .wsh, .xbap, .xll, and .xnk)
If users decide to open the embedded file anyhow, they can do so by first saving it locally to their device and then doing so.
The news comes as threat actors have switched to using OneNote attachments to spread malware via phishing assaults due to Microsoft’s decision to ban macros in Office files accessed from the internet by default.
Malicious OneNote samples have increased in number since December 2022, according to cybersecurity company Trellix, until peaking in February 2023.
Microsoft has provided more details on the harmful embedded files that OneNote will soon prevent to protect users from continuous phishing scams that spread malware. Following recent and ongoing waves of phishing attacks pushing malware, the company initially disclosed that OneNote will have improved security in a Microsoft 365 roadmap article released three weeks ago, on March 10.
Since mid-December 2022, when Microsoft patched a MoTW bypass zero-day exploit to spread malware via ISO and ZIP files, threat actors have been employing OneNote papers in spear phishing attacks. Threat actors develop malicious Microsoft OneNote documents by embedding risky scripts and files and concealing them with design features. This is because Word and Excel macros are now, by default, blocked.
Further information about which specific file extensions will be restricted once the new OneNote security enhancements go into effect was given by the firm today. According to Microsoft, the files deemed harmful and prohibited in OneNote will align with those blocked in Outlook, Word, Excel, and PowerPoint. Users will no longer have access to files with harmful extensions after the security upgrade goes live. Before, OneNote informed users that accepting attachments could harm their data while allowing them to open the embedded files marked as risky.