Microsoft Enhances Security for OneNote Users by Blocking Dangerous File Extensions

Microsoft has announced an update to its popular note-taking application, OneNote, to improve security measures for users by automatically blocking embedded files with extensions that are considered dangerous. The change comes as a response to an increase in malicious campaigns exploiting OneNote’s ability to attach files that could be executed with limited warnings to users.

OneNote, which is part of the Microsoft Office suite, is commonly used by enterprise users for note taking, task management, and multi-user collaboration. Historically, users were notified that opening a OneNote attachment could be harmful, but they were given the option to dismiss the warning and proceed with opening the embedded file. This made OneNote a target for malware delivery by threat actors.

The issue became more pressing after security researchers warned last year that the Mark-of-the-Web (MOTW) protection was not being applied to OneNote documents and their attachments. Consequently, the abuse of OneNote in malicious campaigns surged.

Microsoft’s new security feature aims to make it more difficult for attackers to exploit OneNote for malware delivery. With the update, users will no longer be able to directly open embedded files with dangerous extensions. Instead, they will need to save the file to their device and open it from there, giving security applications running on the device an opportunity to detect any malicious code in the attachment.

The list of blocked extensions is consistent with those blocked by other Office applications, including Word, Excel, Outlook, and PowerPoint. However, Microsoft 365 administrators have the ability to set policies to block additional file types or to allow specific file types to be opened.

The change will only impact OneNote for Microsoft 365 on devices running Windows and is expected to roll out starting in April 2023, becoming visible to all users by January 2024. OneNote in retail versions of Office 2021, Office 2019, and Office 2016 will also be affected.

Microsoft has cautioned users about the risks of allowing certain file extensions, stating, “Malicious scripts and executables can cause harm if clicked by the user. If extensions are added to this allow list, they can make OneNote and other applications, such as Word and Excel, less secure.”

As Microsoft continues to prioritize user safety, this update provides an added layer of protection against cyber threats for OneNote users.

File types blocked in Word, Excel, Outlook, PowerPoint, and OneNote

File name extension  File type
.ade                 Access Project Extension (Microsoft)
.adp                 Access Project (Microsoft)
.app                 Executable Application
.application         ClickOnce Deployment Manifest File
.appref-ms           ClickOnce Application Reference File
.asp                 Active Server Page
.aspx                Active Server Page Extended
.asx                 ASF Redirector File
.bas                 BASIC Source Code
.bat                 Batch Processing
.bgi                 Borland Graphics Interface
.cab                 Windows Cabinet File
.cer                 Internet Security Certificate File
.chm                 Compiled HTML Help
.cmd                 DOS CP/M Command File, Command File for Windows NT
.cnt                 Microsoft Help Workshop Application
.com                 Command
.cpl                 Windows Control Panel Extension (Microsoft)
.crt                 Certificate File
.csh                 csh Script
.der                 DER Encoded X509 Certificate File
.diagcab             Microsoft Diagnostics Cabinet File
.exe                 Executable File
.fxp                 FoxPro Compiled Source (Microsoft)
.gadget              Windows Vista Gadget
.grp                 Microsoft Program Group
.hlp                 Windows Help File
.hpj                 AppWizard Help project
.hta                 Hypertext Application
.htc                 HTML Component File
.inf                 Information or Setup File
.ins                 IIS Internet Communications Settings (Microsoft)
.iso                 Optical Disk Media File System
.isp                 IIS Internet Service Provider Settings (Microsoft)
.its                 Internet Document Set, Internet Translation
.jar                 Java Archive
.jnlp                Java Network Launching Protocol
.js                  JavaScript Source Code
.jse                 JScript Encoded Script File
.ksh                 UNIX Shell Script
.lnk                 Windows Shortcut File
.mad                 Access Module Shortcut (Microsoft)
.maf                 Access (Microsoft)
.mag                 Access Diagram Shortcut (Microsoft)
.mam                 Access Macro Shortcut (Microsoft)
.maq                 Access Query Shortcut (Microsoft)
.mar                 Access Report Shortcut (Microsoft)
.mas                 Access Stored Procedures (Microsoft)
.mat                 Access Table Shortcut (Microsoft)
.mau                 Media Attachment Unit
.mav                 Access View Shortcut (Microsoft)
.maw                 Access Data Access Page (Microsoft)
.mcf                 Media Container Format
.mda                 Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft)
.mdb                 Access Application (Microsoft), MDB Access Database (Microsoft)
.mde                 Access MDE Database File (Microsoft)
.mdt                 Access Add-in Data (Microsoft)
.mdw                 Access Workgroup Information (Microsoft)
.mdz                 Access Wizard Template (Microsoft)
.msc                 Microsoft Management Console Snap-in Control File (Microsoft)
.msh                 Microsoft Shell
.msh1                Microsoft Shell
.msh2                Microsoft Shell
.mshxml              Microsoft Shell
.msh1xml             Microsoft Shell
.msh2xml             Microsoft Shell
.msi                 Windows Installer File (Microsoft)
.msp                 Windows Installer Update
.mst                 Windows SDK Setup Transform Script
.msu                 Windows Update File
.ops                 Office Profile Settings File
.osd                 Open Software Description
.pcd                 Visual Test (Microsoft)
.pif                 Windows Program Information File (Microsoft)
.pl                  Perl script
.plg                 Developer Studio Build Log
.prf                 Windows System File
.prg                 Program File
.printerexport       Printer backup File
.ps1                 Windows PowerShell
.ps1xml              Windows PowerShell
.ps2                 Windows PowerShell
.ps2xml              Windows PowerShell
.psc1                Windows PowerShell
.psc2                Windows PowerShell
.psd1                Windows PowerShell
.psdm1               Windows PowerShell
.pst                 MS Exchange Address Book File, Outlook Personal Folder File (Microsoft)
.py                  Python Script
.pyc                 Python Script
.pyo                 Python Script
.pyw                 Python Script
.pyz                 Python Script
.pyzw                Python Script
.reg                 Registration Information/Key for W95/98, Registry Data File
.scf                 Windows Explorer Command
.scr                 Windows Screen Saver
.sct                 Windows Script Component, Foxpro Screen (Microsoft)
.shb                 Windows Shortcut into a Document
.shs                 Shell Scrap Object File
.theme               Desktop Theme File Settings
.tmp                 Temporary File/Folder
.url                 Internet Location
.vb                  VBScript File or Any Visual Basic Source
.vbe                 VBScript Encoded Script File
.vbp                 Visual Basic Project File
.vbs                 VBScript Script File, Visual Basic for Applications Script
.vhd                 Virtual Hard Disk
.vhdx                Virtual Hard Disk Extended
.vsmacros            Visual Studio .NET Binary-based Macro Project (Microsoft)
.vsw                 Visio Workspace File (Microsoft)
.webpnp              Internet Printing File
.website             Pinned Site Shortcut from Internet Explorer
.ws                  Windows Script File
.wsc                 Windows Script Component
.wsf                 Windows Script File
.wsh                 Windows Script Host Settings File
.xbap                Browser Applications
.xll                 Excel Addin
.xnk                 Exchange Public Folder Shortcut
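
The Python below is an added example, not Microsoft's code and not part of the original article. It applies the blocklist above, together with the administrator block and allow overrides the article mentions, to attachment file names, as a mail-gateway or triage script might. The function names, the sample names, and the precedence between the two admin lists are assumptions and do not describe OneNote's documented behavior.

```python
import ntpath

# Default blocklist: the extensions from the table above, without the dot.
DEFAULT_BLOCKED = frozenset("""
ade adp app application appref-ms asp aspx asx bas bat bgi cab cer chm cmd cnt
com cpl crt csh der diagcab exe fxp gadget grp hlp hpj hta htc inf ins iso isp
its jar jnlp js jse ksh lnk mad maf mag mam maq mar mas mat mau mav maw mcf mda
mdb mde mdt mdw mdz msc msh msh1 msh2 mshxml msh1xml msh2xml msi msp mst msu
ops osd pcd pif pl plg prf prg printerexport ps1 ps1xml ps2 ps2xml psc1 psc2
psd1 psdm1 pst py pyc pyo pyw pyz pyzw reg scf scr sct shb shs theme tmp url
vb vbe vbp vbs vhd vhdx vsmacros vsw webpnp website ws wsc wsf wsh xbap xll xnk
""".split())

# Constructed sample names, not taken from any real campaign.
SAMPLES = ["Invoice.PDF.js", "setup.EXE. ", "notes.txt", "tool.py"]


def effective_extension(name):
    """Return the lower-cased final extension without the dot, or ''."""
    # Windows drops trailing dots and spaces when it resolves a file name,
    # so strip them before reading the extension.
    base = ntpath.basename(name).rstrip(". ")
    return ntpath.splitext(base)[1][1:].lower()


def norm(exts):
    # Accept ".PS1", "ps1" or " .ps1 " in admin-supplied lists.
    return {e.strip().lstrip(".").lower() for e in exts}


def classify(name, extra_blocked=(), allowed=()):
    """Return 'block' or 'open' for one embedded file name.

    Assumed precedence: an admin-blocked extension always blocks, and an
    admin-allowed extension overrides only the default list.
    """
    ext = effective_extension(name)
    if ext in norm(extra_blocked):
        return "block"
    if ext in DEFAULT_BLOCKED and ext not in norm(allowed):
        return "block"
    return "open"


def triage(names, extra_blocked=(), allowed=()):
    """Map each file name to its verdict under the given policy lists."""
    return {n: classify(n, extra_blocked, allowed) for n in names}
```
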

References

Microsoft Learn. (2023, March 29). OneNote blocks embedded files that have dangerous extensions – Deploy Office | Microsoft Learn. https://learn.microsoft.com/en-us/deployoffice/security/onenote-extension-block

SecurityWeek. (2023, April 3). Microsoft OneNote Starts Blocking Dangerous File Extensions – SecurityWeek. https://www.securityweek.com/microsoft-onenote-starts-blocking-dangerous-file-extensions/