Microsoft OneNote will block 120 dangerous file extensions

Microsoft has shared more information on what malicious embedded files OneNote will soon block to defend users against ongoing phishing attacks pushing malware.

The company first revealed that OneNote will get enhanced security in a Microsoft 365 roadmap entry published three weeks ago, on March 10, following recent and ongoing phishing attacks pushing malware.

Threat actors have been using OneNote documents in spear phishing campaigns since mid-December 2022 after Microsoft patched a MoTW bypass zero-day exploited to drop malware via ISO and ZIP files and finally disabled Word and Excel macros by default.

Threat actors create malicious Microsoft OneNote documents by embedding dangerous files and scripts and then hiding them with design elements, as shown below.

OneNote phishing document hiding embedded files
OneNote phishing document hiding embedded files (BleepingComputer)

File types considered dangerous

Today, the company shared more details regarding what specific file extensions will be blocked once the new OneNote security improvements rollout.

Microsoft says it will align the files considered dangerous and blocked in OneNote with those blocked by Outlook, Word, Excel, and PowerPoint.

The complete list includes 120 extensions according to this Microsoft 365 support document:

.ade, .adp, .app, .application, .appref-ms, .asp, .aspx, .asx, .bas, .bat, .bgi, .cab, .cer, .chm, .cmd, .cnt, .com, .cpl, .crt, .csh, .der, .diagcab, .exe, .fxp, .gadget, .grp, .hlp, .hpj, .hta, .htc, .inf, .ins, .iso, .isp, .its, .jar, .jnlp, .js, .jse, .ksh, .lnk, .mad, .maf, .mag, .mam, .maq, .mar, .mas, .mat, .mau, .mav, .maw, .mcf, .mda, .mdb, .mde, .mdt, .mdw, .mdz, .msc, .msh, .msh1, .msh2, .mshxml, .msh1xml, .msh2xml, .msi, .msp, .mst, .msu, .ops, .osd, .pcd, .pif, .pl, .plg, .prf, .prg, .printerexport, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .psd1, .psdm1, .pst, .py, .pyc, .pyo, .pyw, .pyz, .pyzw, .reg, .scf, .scr, .sct, .shb, .shs, .theme, .tmp, .url, .vb, .vbe, .vbp, .vbs, .vhd, .vhdx, .vsmacros, .vsw, .webpnp, .website, .ws, .wsc, .wsf, .wsh, .xbap, .xll, .xnk

While previously, OneNote warned users that opening attachments could harm their data but still allowed them to open the embedded files tagged as dangerous, users will no longer have the choice to open files with dangerous extensions after the security improvement rolls out.

Users will be shown a warning dialog when a file gets blocked: “Your administrator has blocked your ability to open this file type in OneNote.”

Microsoft OneNote block warningOneNote warning (Microsoft)

Microsoft says the change will begin in Version 2304 in Current Channel (Preview) to OneNote for Microsoft 365 on Windows devices between late April 2023 and late May 2023.

The security improvement will also be available in retail versions of Office 2021, Office 2019, and Office 2016 (Current Channel) but not in volume-licensed versions of Office, like Office Standard 2019 or Office LTSC Professional Plus 2021.

However, it will not be available in OneNote on the web, OneNote for Windows 10, OneNote on a Mac, or OneNote on Android or iOS devices.

Update channel Version Release date
Current Channel (Preview) Version 2304 First half of April 2023
Current Channel Version 2304 Second half of April 2023
Monthly Enterprise Channel Version 2304 June 13, 2023
Semi-Annual Enterprise Channel (Preview) Version 2308 September 12, 2023
Semi-Annual Enterprise Channel Version 2308 January 9, 2024

Managing blocked extensions

To block additional file extensions you might consider dangerous, activate the ‘Block additional file extensions for OLE embedding’ policy under User Configuration\Policies\Administrative Templates\Microsoft Office 2016\Security Settings and select the extensions you want to be blocked.

On the other hand, if you need to allow specific file extensions that will soon be blocked by default, you can toggle on the ‘Allow file extensions for OLE embedding’ policy from the same location in the Group Policy Management Console and specify which extensions you wish to allow.

You can also use the Cloud Policy service for Microsoft 365 to tailor the policies to your preferences. All changes you make will also affect other applications, including Word, Excel, and PowerPoint.

These policies are only available for Microsoft 365 Apps for enterprise users, as they aren’t available in Microsoft Apps for Business.

Microsoft Office group policies can also be used to restrict the launching of OneNote embedded file attachments until the new security improvements rollout.

Source: BleepingComputer