Microsoft has shared more information on what malicious embedded files OneNote will soon block to defend users against ongoing phishing attacks pushing malware.
The company first revealed that OneNote will get enhanced security in a Microsoft 365 roadmap entry published three weeks ago, on March 10, following recent and ongoing waves of phishing attacks pushing malware.
Threat actors have been using OneNote documents in spear phishing campaigns since mid-December 2022 after Microsoft patched a MoTW bypass zero-day exploited to drop malware via ISO and ZIP files and finally disabled Word and Excel macros by default.
Threat actors create malicious Microsoft OneNote documents by embedding dangerous files and scripts and then hiding them with design elements, as shown below.
File types considered dangerous
Today, the company shared more details regarding what specific file extensions will be blocked once the new OneNote security improvements roll out.
Microsoft says it will align the files considered dangerous and blocked in OneNote with those blocked by Outlook, Word, Excel, and PowerPoint.
The complete list includes 120 extensions according to this Microsoft 365 support document:
.ade, .adp, .app, .application, .appref-ms, .asp, .aspx, .asx, .bas, .bat, .bgi, .cab, .cer, .chm, .cmd, .cnt, .com, .cpl, .crt, .csh, .der, .diagcab, .exe, .fxp, .gadget, .grp, .hlp, .hpj, .hta, .htc, .inf, .ins, .iso, .isp, .its, .jar, .jnlp, .js, .jse, .ksh, .lnk, .mad, .maf, .mag, .mam, .maq, .mar, .mas, .mat, .mau, .mav, .maw, .mcf, .mda, .mdb, .mde, .mdt, .mdw, .mdz, .msc, .msh, .msh1, .msh2, .mshxml, .msh1xml, .msh2xml, .msi, .msp, .mst, .msu, .ops, .osd, .pcd, .pif, .pl, .plg, .prf, .prg, .printerexport, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .psd1, .psdm1, .pst, .py, .pyc, .pyo, .pyw, .pyz, .pyzw, .reg, .scf, .scr, .sct, .shb, .shs, .theme, .tmp, .url, .vb, .vbe, .vbp, .vbs, .vhd, .vhdx, .vsmacros, .vsw, .webpnp, .website, .ws, .wsc, .wsf, .wsh, .xbap, .xll, .xnk
While previously, OneNote warned users that opening attachments could harm their data but still allowed them to open the embedded files tagged as dangerous, after the security improvement rolls out, users will no longer have the choice to open files with dangerous extensions.
Users will be shown a warning dialog when a file gets blocked, saying, "Your administrator has blocked your ability to open this file type in OneNote."
Microsoft says the change will begin rolling out in Version 2304 in Current Channel (Preview) to OneNote for Microsoft 365 on Windows devices between late April 2023 and late May 2023.
The security improvement will also be available in retail versions of Office 2021, Office 2019, and Office 2016 (Current Channel) but not in volume-licensed versions of Office, like Office Standard 2019 or Office LTSC Professional Plus 2021.
However, it will not be available in OneNote on the web, OneNote for Windows 10, OneNote on a Mac, or OneNote on Android or iOS devices.
| Update channel | Version | Release date |
| Current Channel (Preview) | Version 2304 | First half of April 2023 |
| Current Channel | Version 2304 | Second half of April 2023 |
| Monthly Enterprise Channel | Version 2304 | June 13, 2023 |
| Semi-Annual Enterprise Channel (Preview) | Version 2308 | September 12, 2023 |
| Semi-Annual Enterprise Channel | Version 2308 | January 9, 2024 |
Managing blocked extensions
To block additional file extensions you might consider dangerous, activate the 'Block additional file extensions for OLE embedding' policy under User Configuration\Policies\Administrative Templates\Microsoft Office 2016\Security Settings and select the extensions you want to be blocked.
On the other hand, if you need to allow specific file extensions that will soon be blocked by default, you can toggle on the 'Allow file extensions for OLE embedding' policy from the same location in the Group Policy Management Console and specify which extensions you wish to allow.
You can also use the Cloud Policy service for Microsoft 365 to tailor the policies to your preferences. All changes you make will also affect other applications, including Word, Excel, and PowerPoint.
These policies are only available for Microsoft 365 Apps for enterprise users, as they aren't available in Microsoft Apps for Business.
Microsoft Office group policies can also be used to restrict the launching of OneNote embedded file attachments until the new security improvements roll out.
Comments
NoneRain - 1 year ago
Nice. Appreciate sharing the list of extensions. Gonna add some to the gpo I don't have blocked yet.
Shplad - 1 year ago
Huh? How are .ISO files dangerous? Is there some precedent for declaring all these file endings risky? I ask because in my experience, Defender likes to mark all kinds of things risky which aren't.
Anyone?
serghei - 1 year ago
I got you Shplad:
https://www.bleepingcomputer.com/news/security/as-microsoft-blocks-office-macros-hackers-find-new-attack-vectors/
https://www.bleepingcomputer.com/news/security/vmware-microsoft-warn-of-widespread-chromeloader-malware-attacks/
https://www.bleepingcomputer.com/news/security/hackers-behind-icedid-malware-attacks-diversify-delivery-tactics/
Mahhn - 1 year ago
To bad they keep band aiding and not addressing the real issue, that files should not run other executables. It's the OS design/permissions that needs fixed.
Mahhn - 1 year ago
I solved this issue when we spotted that first malicious onenote file months ago, all emails with .one extension are auto deleted pre-endpoint. Just another MS expected fail.
sawtoothpaer - 1 year ago
I did the exact same thing on our endpoint.