Microsoft has announced plans to block embedded files with “dangerous extensions” in OneNote following reports that the note-taking service is increasingly being abused for malware delivery. Currently, users are shown a dialog warning that opening such attachments could harm their computer and data, but it is possible to dismiss the prompt and open the files.
Going forward, Microsoft said it intends to prevent users from directly opening an embedded file with a dangerous extension and display the message: “Your administrator has blocked your ability to open this file type in OneNote.”
The update is expected to start rolling out later this month with Version 2304.
The list of 120 extensions to be blocked includes .exe, .js, .jse, .vb, .vbe, .vbs and .wsf. Users who opt to still open the embedded file can do so by first saving the file locally to their device and then opening it from there. The development comes as Microsoft’s decision to block macros by default in Office files downloaded from the internet spurred threat actors to switch to OneNote attachments to deliver malware via phishing attacks.
According to cybersecurity firm Trellix, the number of malicious OneNote samples has been gradually increasing since December 2022, before ramping up in February 2023. By default, OneNote blocks the same extensions that Outlook, Word, Excel, and PowerPoint do.
If extensions are added to this allow list, they can make OneNote and other applications, such as Word and Excel, less secure.
The update only impacts OneNote for Microsoft 365 on devices running Windows. It does not affect other platforms, including macOS, Android, and iOS, as well as OneNote versions available on the web and for Windows 10.
