The Hacker News reports* that Microsoft has announced plans to automatically block embedded files with “dangerous extensions” in OneNote following reports that the note-taking service is being increasingly abused for malware delivery.
Up until now, users were shown a dialog warning them that opening such attachments could harm their computer and data, but it was possible to dismiss the prompt and open the files.
That’s going to change going forward. Microsoft said it intends to prevent users from directly opening an embedded file with a dangerous extension and display the message: “Your administrator has blocked your ability to open this file type in OneNote.” The update is expected to start rolling out with Version 2304 later this month and only impacts OneNote for Microsoft 365 on devices running Windows. It does not affect other platforms, including macOS, Android, and iOS, as well as OneNote versions available on the web and for Windows 10.
Phishing attacks pushing malware have long been associated with Word documents, but since the recent lockdown on that attack vector, bad actors have turned to OneNote. Whilst Word has commonly been associated with macro-enabled malware over the years, it is likely that cybercriminals have tried to take advantage of the full Microsoft suite and taken aim at OneNote.
Hiding malicious activity inside the documents means victims are unaware of it, even though the method remains largely the same. Blocking such activity is therefore far safer for users than offering a warning, as users will often bypass any given warning thinking they know better.
As long as this new feature is set up correctly and managed, it will disallow any circumvention and help protect users from known file extensions associated with potential malware. However, the key to its success will be how quickly Microsoft adapts to threat actors’ next move.
*ESET does not bear any responsibility for the accuracy of this information.