Microsoft OneNote to get enhanced security after recent malware abuse

Microsoft will introduce improved protection against phishing attacks pushing malware via malicious Microsoft OneNote files.

In a new Microsoft 365 roadmap entry published today titled “Microsoft OneNote: improved protection against known high risk phishing file types,” the company revealed that this change would likely reach general availability sometime before the end of April 2023.

“We add enhanced protection when users open or download an embedded file in OneNote,” Redmond says.

“Users will receive a notification when the files deem dangerous to improve the file protection experience in OneNote on Windows.”

This comes after a recent wave of phishing attacks where threat actors used maliciously crafted OneNote documents with ‘.one’ file extensions and embedded files hidden behind overlays asking the targets to click to view the document.

Double-clicking launches the embedded file, which might seem innocuous but can have severe consequences.

Sadly, even when receiving security warnings, users often ignore them and allow the file to run, potentially putting their entire corporate network at risk.

Hidden OneNote embedded files (BleepingComputer)

This is a lesson that everyone should’ve learned by now from previous phishing attacks that took advantage of Microsoft Office macros.

Unfortunately, it only takes one user to accidentally run a malicious file to infect themselves with information-stealing malware or, even worse, trigger a ransomware attack.

To thwart phishing attacks using malicious Microsoft OneNote attachments, you can set up secure mail gateways or mail servers to automatically block OneNote documents with .one extensions.
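As an added illustration of that gateway check (not code from Microsoft or BleepingComputer), the sketch below flags OneNote attachments in a raw e-mail by their .one extension and, going one step beyond the extension rule, by the file-type GUID that begins a .one section file, so a renamed attachment is still caught. The function names, addresses and sample message are constructed for the example.

```python
import uuid
from email import message_from_bytes, policy
from email.message import EmailMessage

# File-type GUID at offset 0 of a .one section file (MS-ONESTORE header),
# in the little-endian byte order used on disk.
ONE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le


def onenote_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for each MIME part that looks like a .one file."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Windows ignores trailing dots and spaces, so "x.one." still opens as .one
        if name.lower().rstrip(". ").endswith(".one"):
            hits.append((name, "extension"))
        elif payload.startswith(ONE_MAGIC):
            hits.append((name or "<unnamed>", "header"))
    return hits


def build_sample_message() -> bytes:
    """Constructed test message: one .one file, one renamed copy, one real PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    fake_one = ONE_MAGIC + b"\x00" * 32  # header GUID plus padding, not a real notebook
    for data, sub, fname in [
        (fake_one, "octet-stream", "Invoice.one"),
        (fake_one, "octet-stream", "Invoice.pdf"),
        (b"%PDF-1.7\n", "pdf", "report.pdf"),
    ]:
        msg.add_attachment(data, maintype="application", subtype=sub, filename=fname)
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in onenote_attachments(build_sample_message()):
        print(f"block: {filename} (matched by {reason})")
```
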

Windows admins can also use Microsoft Office group policies to prevent embedded OneNote files from launching.

To do that, you must install the and enable the ‘Disable embedded files’ and ‘Embedded Files Blocked Extensions’ Microsoft OneNote policies.

Microsoft OneNote group policies (BleepingComputer)

Threat actors have been using OneNote documents in spear phishing campaigns since , as Trustwave also earlier this week.

Attackers have been spotted abusing OneNote files for various malicious purposes, including like .

The switch to OneNote came after Microsoft finally and used to deliver malware via ISO and ZIP files.