The seemingly innocuous Microsoft OneNote file has become a popular file format used by hackers to spread malware and breach corporate networks. Here’s how to block malicious OneNote phishing attachments from infecting Windows.
To understand how Microsoft OneNote files became the tool of choice for malware-distributing phishing attacks, a little background is needed.
Threat actors have been abusing macros in Microsoft Word and Excel documents for years to download and install malware on Windows devices.
After Microsoft finally disabled macros by default in Word and Excel Office documents, threat actors began turning to other less commonly used file formats to distribute malware, such as ISO files and password-protected ZIP archives.
These were popular file formats as a Windows bug allowed files in ISO images to bypass Mark-of-the-Web (MoTW) security warnings, and the popular 7-Zip archive utility did not propagate MoTW flags to files extracted from ZIP archives.
However, after both 7-Zip and Windows fixed these bugs, Windows once again began displaying scary security warnings when a user attempted to open files in downloaded ISO and ZIP files, causing threat actors to find another file format to use in attacks.
Since mid-December, threat actors have turned to another file format for distributing malware – Microsoft OneNote attachments.
Why Microsoft OneNote?
Microsoft OneNote attachments use the ‘.one’ file extension and are an interesting choice, as they do not distribute malware through macros or vulnerabilities.
Instead, threat actors create intricate templates that appear to be a protected document with a message to ‘double-click’ a design element to view the file, as shown below.
What you do not see from the above attachment, though, is that the ‘Double Click to View File’ button is actually hiding a series of embedded files that sit underneath the button layer.
When double-clicking on the button, you are double-clicking on the embedded file and causing the file to launch.
While double-clicking an embedded file will display a security warning, as we know from previous phishing attacks abusing Microsoft Office macros, users commonly ignore warnings and allow the file to run anyway.
Sadly, you just need one user to accidentally allow a malicious file to run for an entire corporate network to be compromised in a full-blown ransomware attack.
And this is not theoretical: security researchers have found that some Microsoft OneNote QakBot campaigns ultimately led to a ransomware attack, such as BlackBasta, on the compromised network.
How to block malicious Microsoft OneNote files
The best way to prevent malicious Microsoft OneNote attachments from infecting Windows is to block the ‘.one’ file extension at your secure mail gateways or mail servers.
However, if that is not possible for your environment, you can also use Microsoft Office group policies to restrict the launching of embedded file attachments in Microsoft OneNote files.
First, install the Microsoft 365/Microsoft Office group policy templates to get started with Microsoft OneNote policies.
Now that the policies are installed, you will find new Microsoft OneNote policies named ‘Disable embedded files’ and ‘Embedded Files Blocked Extensions,’ as shown below.
The ‘Disable embedded files’ group policy is the most restrictive as it prevents all embedded OneNote files from being launched. You should enable this option if you have no use case for using embedded OneNote attachments.
“To disable the ability to embed files on a OneNote page, so people cannot transmit files that might not be caught by anti-virus software, etc,” reads the group policy description.
When enabled, the following Windows Registry key will be created. Note that the paths may differ depending on your Microsoft Office version.
Now, when a user attempts to open any attachments embedded in a Microsoft OneNote document, they will receive the following error.
A less restrictive, but potentially less safe, option is the ‘Embedded Files Blocked Extensions’ group policy, which allows you to input a list of embedded file extensions that will be blocked from opening in a Microsoft OneNote document.
“To disable the ability of the users in your organization from being able to open a file attachment of a specific file type from a Microsoft OneNote page, add the extensions you want to disable using this format: ‘.ext1;.ext2;’,” reads the policy description.
“If you want to disable the opening of any attachment from a OneNote page, see the Disable embedded files policy. You cannot block embedded audio and video recordings (WMA & WMV) with this policy; instead, refer to the Disable embedded files policy.”
When enabled, the following Windows Registry key will be created with the list of blocked extensions you entered.
Now, when a user attempts to open a blocked file extension in a Microsoft OneNote document, they will receive the following error.
Some suggested file extensions to block are .js, .exe, .com, .cmd, .scr, .ps1, .vbs, and .lnk. However, as threat actors discover new file extensions to abuse, this list may be bypassed by other malicious file types.
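The following Python script is an added example, not something from the article or from Microsoft, of the kind of attachment check a mail gateway or mailbox-scanning job could run to enforce the ‘.one’ block recommended above and to see which embedded file types sit under the button. It goes a step beyond a plain extension match: it also recognises a OneNote file by its file header, so a ‘.one’ attachment renamed to another extension is still caught, and it carves out the embedded file objects using the header, length and footer layout Microsoft documents in its MS-ONESTORE specification. The sample message is constructed inline; the MZ check is a simple heuristic for the .exe/.scr/.com types listed above.

```python
import struct
import uuid
from email import message_from_bytes, policy
from email.message import EmailMessage
# Little-endian byte form of the GUIDs MS-ONESTORE defines for a .one file header and for the
# FileDataStoreObject that wraps each file embedded in a page.
ONE_FILE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
EMBED_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
EMBED_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le

def carve_embedded_files(data: bytes) -> list[bytes]:
    """Payload of each well-formed embedded object: header GUID, u64 length, 12 zero bytes, data, footer GUID."""
    payloads, pos = [], data.find(EMBED_HEADER)
    while pos != -1 and pos + 36 <= len(data):
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start, end = pos + 36, pos + 36 + length
        if data[end:end + 16] == EMBED_FOOTER:  # trust the length field only if the footer follows it
            payloads.append(data[start:end])
        pos = data.find(EMBED_HEADER, pos + 16)
    return payloads

def inspect_attachment(filename: str, data: bytes) -> list[str]:
    """Reasons to quarantine one attachment; an empty list means it is not OneNote-related."""
    reasons = []
    if filename.lower().endswith(".one"):
        reasons.append("extension .one")
    if data.startswith(ONE_FILE_MAGIC):  # also catches a .one file renamed to another extension
        reasons.append("OneNote file header")
        for i, blob in enumerate(carve_embedded_files(data)):
            kind = "PE executable" if blob.startswith(b"MZ") else f"{len(blob)} bytes"  # MZ: .exe/.scr/.com
            reasons.append(f"embedded file {i}: {kind}")
    return reasons

def scan_eml(raw: bytes) -> dict[str, list[str]]:
    """Map each flagged attachment name in an RFC 822 message to the reasons for flagging it."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = [(p.get_filename() or "(unnamed)", p.get_payload(decode=True) or b"") for p in msg.iter_attachments()]
    return {name: r for name, data in parts if (r := inspect_attachment(name, data))}

def build_sample_eml() -> bytes:
    """Constructed message: a minimal .one with one MZ-prefixed embedded object, attached as .one and renamed .dat, plus a PDF."""
    payload = b"MZ" + bytes(30)
    one = (ONE_FILE_MAGIC + bytes(64) + EMBED_HEADER + struct.pack("<Q", len(payload))
           + bytes(12) + payload + EMBED_FOOTER)
    msg = EmailMessage()
    msg.set_content("Please see the attached invoice.")
    for name in ("invoice.one", "invoice.dat"):
        msg.add_attachment(one, maintype="application", subtype="octet-stream", filename=name)
    msg.add_attachment(b"%PDF-1.4\n", maintype="application", subtype="pdf", filename="report.pdf")
    return msg.as_bytes()
```

Running `scan_eml(build_sample_eml())` flags both OneNote attachments, including the renamed one, and reports the PE-looking payload embedded in each, while the PDF is left alone.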
While blocking any file type is not always a perfect solution due to an environment’s requirements, the consequences of doing nothing to restrict the abuse of Microsoft OneNote files can be far worse.
Therefore, it is strongly advised to block OneNote attachments, or at least the abuse of embedded file types, in your environment to prevent a cyberattack.