Microsoft on Friday announced that it would be adding improved protection against phishing attacks that deliver malware via malicious Microsoft OneNote files.
“We add enhanced protection when users open or download an embedded file in OneNote. Users will receive a notification when the files are deemed dangerous to improve the file protection experience in OneNote on Windows,”
the company wrote in a new Microsoft 365 roadmap entry titled “Microsoft OneNote: improved protection against known high-risk phishing file types”.
The change implemented by Microsoft is expected to reach general availability before the end of April 2023.
What Is OneNote?
Microsoft OneNote is a digital note-taking app that is included in the Microsoft Office suite. It gathers users’ notes, drawings, screen clippings, and audio commentaries, and notes can also be shared with other OneNote users over the Internet or a network.
It provides a single place for keeping all of your notes, research, plans, and information — everything you need to remember and manage in your life at home, at work, or at school.
Why Microsoft OneNote Was Exploited For Delivering Malware
For years, threat actors have been delivering malware by hiding macros in emailed Microsoft Office documents, such as Word and Excel. However, last year, Microsoft tightened security around macros by blocking VBA macros from running by default in Office files acquired from the internet.
This did not deter threat actors from finding new ways to sneak in malware. This time they turned to another file format, Microsoft OneNote attachments, which let them spread malware without relying on macros or vulnerabilities.
Over the last couple of months, there has been an increase in the number of attacks abusing Microsoft OneNote documents with ‘.one’ file extensions for delivery of malware such as AsyncRAT, AgentTesla, DoubleBack, NetWire RAT, Redline, Quasar RAT, and XWorm.
These documents are generally posed as protected documents such as invoices, remittances, or shipping notices, with a message telling the recipient to ‘double-click’ a graphic button to view the file. Usually, the OneNote docs contain embedded files, often hidden behind that graphic button.
When the user double-clicks the button, they are actually double-clicking the embedded file, which launches and quietly runs the malicious payload in the background.
Users generally click through Microsoft’s security warning when double-clicking an embedded file, which can put the entire corporate network at risk: in the best case the machine is infected with information-stealing malware, and in the worst case the intrusion ends in a full-blown ransomware attack.
Prevention Measures
Although Microsoft has announced enhanced OneNote protection, users too can take preventive measures to stop malicious Microsoft OneNote attachments from infecting Windows.
Users can set up secure mail gateways or mail servers to automatically block the ‘.one’ file extension (via BleepingComputer).
Additionally, Windows admins can use Microsoft Office group policies to prevent embedded file attachments in Microsoft OneNote files from launching.
To do this, you first need to install the Microsoft 365/Microsoft Office group policy templates, which add the Microsoft OneNote policies. Once the templates are installed, configure the ‘Disable embedded files’ and ‘Embedded Files Blocked Extensions’ settings under the Microsoft OneNote policies.
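The extension block above is a filename rule; a gateway or triage script can complement it by looking inside the attachment for the embedded files the lures hide behind a graphic button. The following is an added example, not code from the article or from Microsoft. It uses two documented constants of the OneNote file format (the `.one` file header GUID and the GUID that begins every embedded FileDataStoreObject) to pull out each embedded payload and label it by its magic bytes. The `.one` blob it scans is constructed by hand inside the script for the demonstration; no real OneNote file or malware sample is involved, and the function and variable names are the example's own.

```python
"""Content-based triage of a OneNote (.one) attachment.

Added example for illustration (not the article's or Microsoft's code).
The sample file below is constructed in memory; it is not a real document.
"""
import struct
from typing import Dict, List

# {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}: the first 16 bytes of a .one file
ONE_FILE_GUID = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")
# {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}: guidHeader of a FileDataStoreObject
FILE_DATA_STORE_GUID = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
# guidHeader (16) + cbLength (8) + unused (4) + reserved (8) precede FileData
FILE_DATA_STORE_HEADER_LEN = 16 + 8 + 4 + 8

# Magic bytes for payload types seen in the lures the article describes
MAGIC_TYPES = [
    (b"MZ", "windows-executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-office-document"),
    (b"PK\x03\x04", "zip-or-ooxml"),
    (b"\x89PNG", "png-image"),
    (b"#!", "script"),
]
# Case-insensitive markers that identify text-based scripts (HTA, VBS, BAT)
SCRIPT_MARKERS = [b"<script", b"wscript", b"cscript", b"powershell",
                  b"@echo off", b"cmd.exe", b"cmd /c"]
RISKY_TYPES = {"windows-executable", "script"}


def is_onenote(data: bytes) -> bool:
    """True if the blob carries the OneNote file signature, whatever its name."""
    return data[:16] == ONE_FILE_GUID


def extract_embedded_files(data: bytes) -> List[bytes]:
    """Return the FileData of every FileDataStoreObject in the blob."""
    files = []
    pos = data.find(FILE_DATA_STORE_GUID)
    while pos != -1:
        if pos + FILE_DATA_STORE_HEADER_LEN > len(data):
            break
        (cb_length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + FILE_DATA_STORE_HEADER_LEN
        end = start + cb_length
        if cb_length == 0 or end > len(data):
            break  # truncated or malformed object: stop instead of over-reading
        files.append(data[start:end])
        pos = data.find(FILE_DATA_STORE_GUID, end)
    return files


def classify_payload(payload: bytes) -> str:
    """Label a payload by magic bytes, then by script markers in its first 4 KiB."""
    for magic, label in MAGIC_TYPES:
        if payload.startswith(magic):
            return label
    head = payload[:4096].lower()
    if any(marker in head for marker in SCRIPT_MARKERS):
        return "script"
    return "unknown"


def scan_onenote(data: bytes) -> Dict[str, object]:
    """Summarise an attachment: is it OneNote, what is embedded, is it risky."""
    if not is_onenote(data):
        return {"is_onenote": False, "embedded": [], "risky": False}
    labels = [classify_payload(p) for p in extract_embedded_files(data)]
    return {"is_onenote": True, "embedded": labels,
            "risky": any(label in RISKY_TYPES for label in labels)}


def build_sample_one(payloads: List[bytes]) -> bytes:
    """Construct a minimal .one-like blob wrapping each payload (test data only)."""
    blob = bytearray(ONE_FILE_GUID)
    blob += b"\x00" * 64  # padding standing in for the rest of the real header
    for payload in payloads:
        blob += FILE_DATA_STORE_GUID + struct.pack("<Q", len(payload))
        blob += b"\x00" * 12 + payload  # unused + reserved, then FileData
    return bytes(blob)


# Constructed payloads: a PE stub, an HTA-style script, and a harmless image
SAMPLE_EXE = b"MZ" + b"\x90" * 30
SAMPLE_HTA = b"<html><script>WScript.Echo(1)</script></html>"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_ONE = build_sample_one([SAMPLE_PNG, SAMPLE_EXE, SAMPLE_HTA])

if __name__ == "__main__":
    print(scan_onenote(SAMPLE_ONE))
```

The parser stops at the first truncated or zero-length object rather than reading past the end of the buffer, which is the failure mode a gateway sees on damaged or deliberately malformed attachments. Because it keys on the file signature rather than the name, it also covers a `.one` document that arrives under a different extension, and the label list it returns can feed the same quarantine decision as the extension rule.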