[German]Microsoft is reacting to the fact that OneNote is now being abused as a malware sling for systems. The application is supposed to block 120 dangerous file types in the future, so that they can no longer be abused for malware attacks by downloads from the Internet.
Advertising
OneNote as a security risk
Since Microsoft and administrators of Windows systems have been investing more in macro security, attacks via this vector have become more difficult. Meanwhile, cybercriminals are using OneNote as a gateway to launch attacks or spread malware. Bleeping Computer colleagues had already pointed out in January 2023 that hackers are making use of Microsoft OneNote attachments to spread malware (see Hackers now use Microsoft OneNote attachments to spread malware). The basis for this warning is a blog post by SpiderLabs, which in December 2022 had come across Trojans that were included in OneNote files with the .one extension as email attachments.
If the user opens this attachment, it opens in OneNote. If the user clicks away a warning that a file is being opened from OneNote, a Windows Script file script embedded in the .one file can be executed. This is then capable of causing further mischief. Specifically, the Emotet Trojan is increasingly being spread via this vector (see my German blog post Emotet ist im März 2023 zurück, Verbreitung der Malware über OneNote-Anhänge).
In mid-March 2023, I had pointed this out in the post Improved Office macro security leads to new attack methods via OneNote and other filetypes and linked to the post How to prevent Microsoft OneNote files from infecting Windows with malware by Bleeping Computer. There were hints how to mitigate the attack vector. The group policies to secure OneNote can be found in the Microsoft 365/Microsoft Office group policy templates. The required policies are described in Bleeping Computer's post.
Microsoft plans further protection measures
I haven't followed the topic in detail, but I came across the following tweet from the colleagues at Bleeping Computer. The message of the post Microsoft OneNote will block 120 dangerous file extensions is that Microsoft wants to block 120 dangerous file types in OneNote in the future.
Advertising
In an entry in the Microsoft 365 roadmap dated March 10, 2023, the company first announced that OneNote would receive improved security. The document OneNote blocks embedded files that have dangerous extensions, dated March 28, 2023, now lists the details of the upcoming change. What will change as a result? Previously, there was a warning in OneNote when users tried to open files with MotW flags (i.e. Internet downloads). The user could still open the file. In the future, once the update is armed, the warning will say "Your administrator has blocked this file type from being opened in OneNote."
A Microsoft 365 support document lists 120 file types that should be blocked from loading in OneNote, Outlook, Word, Excel and PowerPoin as Internet downloads, i.e. with Mark of the Web flag (MotW). However, in the Microsoft 365 support document there are hints on how to share such files safely (e.g. upload to OneDrive or SharePoint with sending a link).
In addition, the article OneNote blocks embedded files that have dangerous extensions rovides hints on how to block further file name extensions. A separate section is also dedicated to the question of how to allow the file extensions that are blocked by default.
When it is rolled out?
Microsoft plans to roll out the change between late April 2023 and late May 2023 in version 2304 in the Current Channel (Preview) for OneNote for Microsoft 365 on Windows devices. The Microsoft 365 roadmap said "Rollout starts in April 2023", more details can be found in the Microsoft document Versions of OneNote affected by this change. The colleagues at Bleeping Computer have compiled all the details here.
This new security feature is also said to be coming to retail versions of Microsoft Office 2016 (Current Channel), 2019 and 2021. Not provided is this new security feature in the volume license versions of Office, such as Office Standard 2019 or Office LTSC Professional Plus 2021. The new feature is also not coming to OneNote for Web, OneNote for Windows 10, OneNote for Mac, and OneNote on Android or iOS devices.
Similar articles:
Improved Office macro security leads to new attack methods via OneNote and other filetypes
Emotet ist im März 2023 zurück, Verbreitung der Malware über OneNote-Anhänge
