Microsoft Enhances Security for OneNote Users by Blocking Dangerous File Extensions
Microsoft has announced an update to its popular note-taking application, OneNote, to improve security measures for users by automatically blocking embedded files with extensions that are considered dangerous. The change comes as a response to an increase in malicious campaigns exploiting OneNote’s ability to attach files that could be executed with limited warnings to users.
OneNote, which is part of the Microsoft Office suite, is commonly used by enterprise users for note taking, task management, and multi-user collaboration. Historically, users were notified that opening a OneNote attachment could be harmful, but they were given the option to dismiss the warning and proceed with opening the embedded file. This made OneNote a target for malware delivery by threat actors.
The issue became more pressing after security researchers warned last year that the Mark-of-the-Web (MOTW) protection was not being applied to OneNote documents and their attachments. Consequently, the abuse of OneNote in malicious campaigns surged.
Microsoft’s new security feature aims to make it more difficult for attackers to exploit OneNote for malware delivery. With the update, users will no longer be able to directly open embedded files with dangerous extensions. Instead, they will need to save the file to their device and open it from there, giving security applications running on the device an opportunity to detect any malicious code in the attachment.
The list of blocked extensions is consistent with those blocked by other Office applications, including Word, Excel, Outlook, and PowerPoint. However, Microsoft 365 administrators have the ability to set policies to block additional file types or to allow specific file types to be opened.
The change will only impact OneNote for Microsoft 365 on devices running Windows and is expected to roll out starting in April 2023, becpming visible to all users by January 2024. OneNote in retail versions of Office 2021, Office 2019, and Office 2016 will also be affected.
Microsoft has cautioned users about the risks of allowing certain file extensions, stating, “Malicious scripts and executables can cause harm if clicked by the user. If extensions are added to this allow list, they can make OneNote and other applications, such as Word and Excel, less secure.”
As Microsoft continues to prioritize user safety, this update provides an added layer of protection against cyber threats for OneNote users.
File types blocked in Word, Excel, Outlook, PowerPoint, and OneNote
| File name extension | File type |
|---|---|
| .ade | Access Project Extension (Microsoft) |
| .adp | Access Project (Microsoft) |
| .app | Executable Application |
| .application | ClickOnce Deployment Manifest File |
| .appref-ms | ClickOnce Application Reference File |
| .asp | Active Server Page |
| .aspx | Active Server Page Extended |
| .asx | ASF Redirector File |
| .bas | BASIC Source Code |
| .bat | Batch Processing |
| .bgi | Borland Graphics Interface |
| .cab | Windows Cabinet File |
| .cer | Internet Security Certificate File |
| .chm | Compiled HTML Help |
| .cmd | DOS CP/M Command File, Command File for Windows NT |
| .cnt | Microsoft Help Workshop Application |
| .com | Command |
| .cpl | Windows Control Panel Extension (Microsoft) |
| .crt | Certificate File |
| .csh | csh Script |
| .der | DER Encoded X509 Certificate File |
| .diagcab | Microsoft Diagnostics Cabinet File |
| .exe | Executable File |
| .fxp | FoxPro Compiled Source (Microsoft) |
| .gadget | Windows Vista Gadget |
| .grp | Microsoft Program Group |
| .hlp | Windows Help File |
| .hpj | AppWizard Help project |
| .hta | Hypertext Application |
| .htc | HTML Component File |
| .inf | Information or Setup File |
| .ins | IIS Internet Communications Settings (Microsoft) |
| .iso | Optical Disk Media File System |
| .isp | IIS Internet Service Provider Settings (Microsoft) |
| .its | Internet Document Set, Internet Translation |
| .jar | Java Archive |
| .jnlp | Java Network Launching Protocol |
| .js | JavaScript Source Code |
| .jse | JScript Encoded Script File |
| .ksh | UNIX Shell Script |
| .lnk | Windows Shortcut File |
| .mad | Access Module Shortcut (Microsoft) |
| .maf | Access (Microsoft) |
| .mag | Access Diagram Shortcut (Microsoft) |
| .mam | Access Macro Shortcut (Microsoft) |
| .maq | Access Query Shortcut (Microsoft) |
| .mar | Access Report Shortcut (Microsoft) |
| .mas | Access Stored Procedures (Microsoft) |
| .mat | Access Table Shortcut (Microsoft) |
| .mau | Media Attachment Unit |
| .mav | Access View Shortcut (Microsoft) |
| .maw | Access Data Access Page (Microsoft) |
| .mcf | Media Container Format |
| .mda | Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft) |
| .mdb | Access Application (Microsoft), MDB Access Database (Microsoft) |
| .mde | Access MDE Database File (Microsoft) |
| .mdt | Access Add-in Data (Microsoft) |
| .mdw | Access Workgroup Information (Microsoft) |
| .mdz | Access Wizard Template (Microsoft) |
| .msc | Microsoft Management Console Snap-in Control File (Microsoft) |
| .msh | Microsoft Shell |
| .msh1 | Microsoft Shell |
| .msh2 | Microsoft Shell |
| .mshxml | Microsoft Shell |
| .msh1xml | Microsoft Shell |
| .msh2xml | Microsoft Shell |
| .msi | Windows Installer File (Microsoft) |
| .msp | Windows Installer Update |
| .mst | Windows SDK Setup Transform Script |
| .msu | Windows Update File |
| .ops | Office Profile Settings File |
| .osd | Open Software Description |
| .pcd | Visual Test (Microsoft) |
| .pif | Windows Program Information File (Microsoft) |
| .pl | Perl script |
| .plg | Developer Studio Build Log |
| .prf | Windows System File |
| .prg | Program File |
| .printerexport | Printer backup File |
| .ps1 | Windows PowerShell |
| .ps1xml | Windows PowerShell |
| .ps2 | Windows PowerShell |
| .ps2xml | Windows PowerShell |
| .psc1 | Windows PowerShell |
| .psc2 | Windows PowerShell |
| .psd1 | Windows PowerShell |
| .psdm1 | Windows PowerShell |
| .pst | MS Exchange Address Book File, Outlook Personal Folder File (Microsoft) |
| .py | Python Script |
| .pyc | Python Script |
| .pyo | Python Script |
| .pyw | Python Script |
| .pyz | Python Script |
| .pyzw | Python Script |
| .reg | Registration Information/Key for W95/98, Registry Data File |
| .scf | Windows Explorer Command |
| .scr | Windows Screen Saver |
| .sct | Windows Script Component, Foxpro Screen (Microsoft) |
| .shb | Windows Shortcut into a Document |
| .shs | Shell Scrap Object File |
| .theme | Desktop Theme File Settings |
| .tmp | Temporary File/Folder |
| .url | Internet Location |
| .vb | VBScript File or Any Visual Basic Source |
| .vbe | VBScript Encoded Script File |
| .vbp | Visual Basic Project File |
| .vbs | VBScript Script File, Visual Basic for Applications Script |
| .vhd | Virtual Hard Disk |
| .vhdx | Virtual Hard Disk Extended |
| .vsmacros | Visual Studio .NET Binary-based Macro Project (Microsoft) |
| .vsw | Visio Workspace File (Microsoft) |
| .webpnp | Internet Printing File |
| .website | Pinned Site Shortcut from Internet Explorer |
| .ws | Windows Script File |
| .wsc | Windows Script Component |
| .wsf | Windows Script File |
| .wsh | Windows Script Host Settings File |
| .xbap | Browser Applications |
| .xll | Excel Addin |
| .xnk | Exchange Public Folder Shortcut |
References
Microsoft Learn. (2023, March 29). OneNote blocks embedded files that have dangerous extensions – Deploy Office | Microsoft Learn. https://learn.microsoft.com/en-us/deployoffice/security/onenote-extension-block
SecurityWeek. (2023, April 3). Microsoft OneNote Starts Blocking Dangerous File Extensions – SecurityWeek. https://www.securityweek.com/microsoft-onenote-starts-blocking-dangerous-file-extensions/
