Microsoft OneNote Security

To better protect users, Microsoft has published detailed information on the dangerous embedded files that OneNote will soon block.

“To help protect you and your recipients against computer viruses, Outlook blocks the sending and receiving of certain types of files (such as .exe and certain database files) as attachments,” Microsoft.

Threat actors embed dangerous files and scripts in malicious Microsoft OneNote documents, covering them with design elements.

Following recent and ongoing phishing attacks propagating malware, Microsoft initially disclosed that OneNote will have improved security in a Microsoft 365 roadmap article released recently last month.

As Microsoft patched a MoTW, bypassed zero-day exploit to spread malware via ISO and ZIP files, and finally disabled Word and Excel macros by default, threat actors began employing OneNote documents in spear phishing campaigns around the middle of December 2022.

Blocked File Types in Outlook

 According to Microsoft, the files considered dangerous and blocked in OneNote will be aligned with those blocked in Outlook, Word, Excel, and PowerPoint.

.ade, .adp, .app, .application, .appref-ms, .asp, .aspx, .asx, .bas, .bat, .bgi, .cab, .cer, .chm, .cmd, .cnt, .com, .cpl, .crt, .csh, .der, .diagcab, .exe, .fxp, .gadget, .grp, .hlp, .hpj, .hta, .htc, .inf, .ins, .iso, .isp, .its, .jar, .jnlp, .js, .jse, .ksh, .lnk, .mad, .maf, .mag, .mam, .maq, .mar, .mas, .mat, .mau, .mav, .maw, .mcf, .mda, .mdb, .mde, .mdt, .mdw, .mdz, .msc, .msh, .msh1, .msh2, .mshxml, .msh1xml, .msh2xml, .msi, .msp, .mst, .msu, .ops, .osd, .pcd, .pif, .pl, .plg, .prf, .prg, .printerexport, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .psd1, .psdm1, .pst, .py, .pyc, .pyo, .pyw, .pyz, .pyzw, .reg, .scf, .scr, .sct, .shb, .shs, .theme, .tmp, .url, .vb, .vbe, .vbp, .vbs, .vhd, .vhdx, .vsmacros, .vsw, .webpnp, .website, .ws, .wsc, .wsf, .wsh, .xbap, .xll, .xnk

Users will no longer have the option to access files with harmful extensions after the security upgrade goes live. Before, OneNote informed users that accepting attachments could harm their data while allowing them to open the embedded files marked as risky.

When a file is restricted, users will see a notification that reads, “Your administrator has blocked your ability to open this file type in OneNote.”

Microsoft OneNote block warning

According to Microsoft, between late April and late May 2023, OneNote for Microsoft 365 on Windows devices will start to receive the modification in Version 2304 in Current Channel (Preview).

The security enhancement will not be included in volume-licensed versions of Office, such as Office Standard 2019 or Office LTSC Professional Plus 2021; it will be accessible in retail versions of Office 2021, Office 2019, and Office 2016 (Current Channel).

Nevertheless, it will not be available in OneNote on the web, OneNote for Windows 10, OneNote for Mac, or OneNote for Android or iOS devices.

Update channelVersionRelease date
Current Channel (Preview)Version 2304First half of April 2023
Current ChannelVersion 2304Second half of April 2023
Monthly Enterprise ChannelVersion 2304June 13, 2023
Semi-Annual Enterprise Channel (Preview)Version 2308September 12, 2023
Semi-Annual Enterprise ChannelVersion 2308January 9, 2024

To block additional file extensions you might consider unsafe, activate the ‘Block additional file extensions for OLE embedding’ policy under User Configuration\Policies\Administrative Templates\Microsoft Office 2016\Security Settings and select the extensions you want to be blocked.

Also, you can activate the “Allow file extensions for OLE embedding” policy from the same area in the Group Policy Management Console and specify which extensions you want to allow if you need to enable particular file extensions that will shortly be blocked by default.

Also, you can modify the policies to suit your needs using the Cloud Policy service for Microsoft 365. Any modification you make will also impact Word, Excel, and PowerPoint.

These policies aren’t available in Microsoft Apps for Business; hence they are only available to users of Microsoft 365 Apps for Enterprise.

Network Security Checklist – Download Free E-Book

Related Read:

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.