Microsoft has announced plans to automatically block embedded files with “dangerous extensions” in OneNote after reports that note-taking services are being increasingly abused to deliver malware.
In the past, users were presented with a dialog warning them that opening such attachments could harm their computer and data, but they were able to dismiss the prompt and open the file.
That will change from now on. Microsoft intends to prevent users from directly opening embedded files with dangerous extensions and display the message “Your administrator has blocked this file type from being opened in his OneNote.” It says it does.
This update will begin rolling out later this month with version 2304 and will only affect OneNote for Microsoft 365 on devices running Windows. It does not affect other platforms such as macOS, Android, iOS, and OneNote versions available on the web and Windows 10.
“By default, OneNote blocks the same extensions as Outlook, Word, Excel, and PowerPoint,” Microsoft said. “Malicious scripts and executables can cause harm when clicked on by the user. When extensions are added to this allow list, OneNote and other applications such as Word and Excel become less secure.” It may go down.”
Here is the list of 120 extensions:
.ade, .adp, .app, .application, .appref-ms, .asp, .aspx, .asx, .bas, .bat, .bgi, .cab, .cer, .chm, .cmd, .cnt, .com, .cpl, .crt, .csh, .der, .diagcab, .exe, .fxp, .gadget, .grp, .hlp, .hpj, .hta, .htc, .inf, .ins, .iso , .isp, .its, .jar, .jnlp, .js, .jse, .ksh, .lnk, .mad, .maf, .mag, .mam, .maq, .mar, .mas, .mat, . mau, .mav, .maw, .mcf, .mda, .mdb, .mde, .mdt, .mdw, .mdz, .msc, .msh, .msh1, .msh2, .mshxml, .msh1xml, .msh2xml, .msi, .msp, .mst, .msu, .ops, .osd, .pcd, .pif, .pl, .plg, .prf, .prg, .printerexport, .ps1, .ps1xml, .ps2, .ps2xml , .psc1, .psc2, .psd1, .psdm1, .pst, .py, .pyc, .pyo, .pyw, .pyz, .pyzw, .reg, .scf, .scr, .sct, .shb, . shs, .theme, .tmp, .url, .vb, .vbe, .vbp, .vbs, .vhd, .vhdx, .vsmacros, .vsw, .webpnp, .website, .ws, .wsc, .wsf, .wsh, .xbap, .xll, and .xnk
Become an Incident Response Pro!
Unlocking the Secrets of Bulletproof Incident Response – Master the 6-step process with Asaf Perlman, IR Lead at Cynet!
Don’t miss it – secure your seat!
Users who choose to open an embedded file can first save the file locally on their device and then open it from there.
This development is due to Microsoft’s decision to block macros in Office files downloaded from the internet by default, prompting threat actors to switch to OneNote attachments to deliver malware via phishing attacks.
According to cybersecurity firm Trellix, the number of malicious OneNote samples gradually increased from December 2022, and then increased in February 2023.
