{"id":29273,"date":"2023-04-05T13:11:15","date_gmt":"2023-04-05T11:11:15","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=29273"},"modified":"2023-04-05T13:11:38","modified_gmt":"2023-04-05T11:11:38","slug":"ms-onenote-will-block-120-dangerous-file-types-in-future","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2023\/04\/05\/ms-onenote-will-block-120-dangerous-file-types-in-future\/","title":{"rendered":"MS OneNote will block 120 dangerous file types in future"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2012\/07\/Office1.jpg\" width=\"55\" height=\"60\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2023\/04\/05\/ms-onenote-soll-knftig-120-gefhrliche-filetypen-blockieren\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]Microsoft is reacting to the fact that OneNote is now being abused to deliver malware to systems. The application is supposed to block 120 dangerous file types in the future, so that they can no longer be abused for malware attacks by downloads from the Internet.<\/p>\n<p><!--more--><\/p>\n<h2>OneNote as a security risk<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/vg07.met.vgwort.de\/na\/3aedbb5afcc7421d98844eedacce0ad3\" alt=\"\" width=\"1\" height=\"1\" \/>Since Microsoft and administrators of Windows systems have been investing more in macro security, attacks via this vector have become more difficult. Meanwhile, cybercriminals are using OneNote as a gateway to launch attacks or spread malware. 
The colleagues at Bleeping Computer already pointed out in January 2023 that hackers are making use of Microsoft OneNote attachments to spread malware (see <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hackers-now-use-microsoft-onenote-attachments-to-spread-malware\/\">Hackers now use Microsoft OneNote attachments to spread malware<\/a>). The basis for this warning is a <a href=\"https:\/\/www.trustwave.com\/en-us\/resources\/blogs\/spiderlabs-blog\/trojanized-onenote-document-leads-to-formbook-malware\/\" target=\"_blank\" rel=\"noopener\">blog post<\/a> by SpiderLabs, which in December 2022 came across Trojans embedded in OneNote files with the .one extension that arrived as email attachments.<\/p>\n<p>If the user opens this attachment, it opens in OneNote. If the user dismisses a warning that a file is being opened from OneNote, a Windows Script file embedded in the .one file can be executed. This is then capable of causing further mischief. Specifically, the Emotet Trojan is increasingly being spread via this vector (see my German blog post <a href=\"https:\/\/www.borncity.com\/blog\/2023\/03\/20\/emotet-ist-im-mrz-2023-zurck-verbreitung-der-malware-ber-onenote-anhnge\/\">Emotet ist im M\u00e4rz 2023 zur\u00fcck, Verbreitung der Malware \u00fcber OneNote-Anh\u00e4nge<\/a>).<\/p>\n<p>In mid-March 2023, I pointed this out in the post <a href=\"https:\/\/borncity.com\/win\/2023\/03\/19\/improved-office-macro-security-leads-to-new-attack-methods-via-onenote-and-other-filetypes\/\">Improved Office macro security leads to new attack methods via OneNote and other filetypes<\/a> and linked to the post <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/how-to-prevent-microsoft-onenote-files-from-infecting-windows-with-malware\/\">How to prevent Microsoft OneNote files from infecting Windows with malware<\/a> by Bleeping Computer. There were hints on how to mitigate the attack vector. 
The group policies to secure OneNote can be found in the <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=49030\">Microsoft 365\/Microsoft Office group policy templates<\/a>. The required policies are described in Bleeping Computer's post.<\/p>\n<h2>Microsoft plans further protection measures<\/h2>\n<p>I haven't followed the topic in detail, but I came across the following <a href=\"https:\/\/twitter.com\/BleepinComputer\/status\/1641556008639115266\" target=\"_blank\" rel=\"noopener\">tweet<\/a> from the colleagues at Bleeping Computer. The message of the post <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-onenote-will-block-120-dangerous-file-extensions\/\" target=\"_blank\" rel=\"noopener\">Microsoft OneNote will block 120 dangerous file extensions<\/a> is that Microsoft wants to block 120 dangerous file types in OneNote in the future.<\/p>\n<p><a href=\"https:\/\/twitter.com\/BleepinComputer\/status\/1641556008639115266\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" src=\"https:\/\/i.imgur.com\/v3HqdDJ.png\" \/><\/a><\/p>\n<p>In an entry in the <a href=\"https:\/\/www.microsoft.com\/en-us\/microsoft-365\/roadmap?filters=OneNote%2CIn%20development&amp;searchterms=122277\" target=\"_blank\" rel=\"noopener\">Microsoft 365 roadmap<\/a> dated March 10, 2023, the company first announced that OneNote would receive improved security. The document <a href=\"https:\/\/learn.microsoft.com\/en-us\/deployoffice\/security\/onenote-extension-block\" target=\"_blank\" rel=\"noopener\">OneNote blocks embedded files that have dangerous extensions<\/a>, dated March 28, 2023, now lists the details of the upcoming change. What will change as a result? Previously, there was a warning in OneNote when users tried to open files with MotW flags (i.e. Internet downloads). The user could still open the file. 
In the future, once the update is in effect, the warning will say \"Your administrator has blocked this file type from being opened in OneNote.\"<\/p>\n<p><img decoding=\"async\" title=\"OneNote blocks file type\" src=\"https:\/\/i.imgur.com\/7ZfZTdp.png\" alt=\"OneNote blocks file type\" \/><\/p>\n<p>A <a href=\"https:\/\/support.microsoft.com\/en-us\/office\/blocked-attachments-in-outlook-434752e1-02d3-4e90-9124-8b81e49a8519#:~:text=File%20types%20blocked%20in%20Outlook\" target=\"_blank\" rel=\"noopener\">Microsoft 365 support document<\/a> lists 120 file types that should be blocked from loading in OneNote, Outlook, Word, Excel and PowerPoint as Internet downloads, i.e. with the Mark of the Web (MotW) flag. However, in the Microsoft 365 support document there are hints on how to share such files safely (e.g. upload to OneDrive or SharePoint and send a link).<\/p>\n<p>In addition, the article <a href=\"https:\/\/learn.microsoft.com\/en-us\/deployoffice\/security\/onenote-extension-block#versions-of-onenote-affected-by-this-change\" target=\"_blank\" rel=\"noopener\">OneNote blocks embedded files that have dangerous extensions<\/a> provides hints on how to block further file name extensions. A <a href=\"https:\/\/learn.microsoft.com\/en-us\/deployoffice\/security\/onenote-extension-block#allow-file-extensions-that-are-blocked-by-default\" target=\"_blank\" rel=\"noopener\">separate section<\/a> is also dedicated to the question of how to allow the file extensions that are blocked by default.<\/p>\n<h2>When will it be rolled out?<\/h2>\n<p>Microsoft plans to roll out the change between late April 2023 and late May 2023 in version 2304 in the Current Channel (Preview) for OneNote for Microsoft 365 on Windows devices. 
The <a href=\"https:\/\/www.microsoft.com\/en-us\/microsoft-365\/roadmap?filters=OneNote%2CIn%20development&amp;searchterms=122277\" target=\"_blank\" rel=\"noopener\">Microsoft 365 roadmap<\/a> said \"Rollout starts in April 2023\"; more details can be found in the Microsoft document <a href=\"https:\/\/learn.microsoft.com\/en-us\/deployoffice\/security\/onenote-extension-block#versions-of-onenote-affected-by-this-change\" target=\"_blank\" rel=\"noopener\">Versions of OneNote affected by this change<\/a>. The colleagues at Bleeping Computer have compiled all the details <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-onenote-will-block-120-dangerous-file-extensions\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>This new security feature is also said to be coming to retail versions of Microsoft Office 2016 (Current Channel), 2019 and 2021. The new security feature will not be provided in the volume license versions of Office, such as Office Standard 2019 or Office LTSC Professional Plus 2021. The new feature is also not coming to OneNote for Web, OneNote for Windows 10, OneNote for Mac, and OneNote on Android or iOS devices.<\/p>\n<p><strong>Similar articles:<\/strong><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2023\/03\/19\/improved-office-macro-security-leads-to-new-attack-methods-via-onenote-and-other-filetypes\/\">Improved Office macro security leads to new attack methods via OneNote and other filetypes<\/a><br \/>\n<a href=\"https:\/\/www.borncity.com\/blog\/2023\/03\/20\/emotet-ist-im-mrz-2023-zurck-verbreitung-der-malware-ber-onenote-anhnge\/\" target=\"_blank\" rel=\"noopener\">Emotet ist im M\u00e4rz 2023 zur\u00fcck, Verbreitung der Malware \u00fcber OneNote-Anh\u00e4nge<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Microsoft is reacting to the fact that OneNote is now being abused as a malware sling for systems. 
The application is supposed to block 120 dangerous file types in the future, so that they can no longer be abused for &hellip; <a href=\"https:\/\/borncity.com\/win\/2023\/04\/05\/ms-onenote-will-block-120-dangerous-file-types-in-future\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,580],"tags":[874,69],"class_list":["post-29273","post","type-post","status-publish","format-standard","hentry","category-office","category-security","tag-onenote","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/29273","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=29273"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/29273\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=29273"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=29273"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=29273"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}