The seemingly innocuous Microsoft OneNote file has become a popular file format used by hackers to spread malware and breach corporate networks. Here is how to block malicious OneNote phishing attachments from infecting Windows.
To give some background on how Microsoft OneNote files became the tool of choice for malware-distributing phishing attacks, we first need to explain how we got here.
Threat actors have been abusing macros in Microsoft Word and Excel documents for years to download and install malware on Windows devices.
After Microsoft finally disabled macros by default in Word and Excel Office documents, threat actors began turning to other, less commonly used file formats to distribute malware, such as ISO files and password-protected ZIP archives.
These were popular file formats because a Windows bug allowed files in ISO images to bypass Mark-of-the-Web (MoTW) security warnings, and the popular 7-Zip archive utility did not propagate MoTW flags to files extracted from ZIP archives.
However, after both 7-Zip and Windows fixed these bugs, Windows once again began displaying security warnings when a user tried to open files in downloaded ISO and ZIP files, causing threat actors to look for another file format to use in attacks.
Since mid-December, threat actors have turned to another file format for distributing malware: Microsoft OneNote attachments.
Why Microsoft OneNote?
Microsoft OneNote attachments use the ‘.one’ file extension and are an interesting choice, as they do not distribute malware through macros or vulnerabilities.
Instead, threat actors create elaborate templates that look like a protected document with a message to ‘double-click’ a design element to view the file, as shown below.
What you do not see from the above attachment, though, is that the ‘Double Click to View File’ button is actually hiding a series of embedded files that sit beneath the button layer, as illustrated below.
When you double-click the button, you are actually double-clicking the embedded file, causing it to launch.
While double-clicking an embedded file will display a security warning, as we know from previous phishing attacks abusing Microsoft Office macros, users commonly ignore warnings and allow the file to run anyway.
Unfortunately, it only takes one user accidentally allowing a malicious file to run for an entire corporate network to be targeted in a full-blown ransomware attack.
And this is not theoretical: in some Microsoft OneNote QakBot campaigns, security researchers have found that the infection ultimately led to a ransomware attack, such as BlackBasta, on the compromised network.
How to block malicious Microsoft OneNote files
The best way to prevent malicious Microsoft OneNote attachments from infecting Windows is to block the ‘.one’ file extension at your secure mail gateways or mail servers.
However, if that is not possible in your environment, you can also use Microsoft Office group policies to restrict the launching of embedded file attachments in Microsoft OneNote files.
First, install the Microsoft 365/Microsoft Office group policy templates to get started with Microsoft OneNote policies.
Once the policies are installed, you will find new Microsoft OneNote policies named ‘Disable embedded files’ and ‘Embedded Files Blocked Extensions,’ as shown below.
The ‘Disable embedded files’ group policy is the most restrictive, as it prevents all embedded OneNote files from being launched. You should enable this option if you have no use case for embedded OneNote attachments.
“To disable the ability to embed files on a OneNote page, so people cannot transmit files that might not be caught by anti-virus software, etc.,” reads the group policy description.
When enabled, the following Windows Registry key will be created. Note that the paths may differ depending on your Microsoft Office version.
Windows Registry Editor Version 5.00
Now, when a user attempts to open any attachment embedded in a Microsoft OneNote document, they will receive the following error.
A less restrictive option, but potentially more unsafe, is the ‘Embedded Files Blocked Extensions’ group policy, which lets you enter a list of embedded file extensions that will be blocked from opening in a Microsoft OneNote document.
“To disable the ability of the users in your organization from being able to open a file attachment of a specific file type from a Microsoft OneNote page, add the extensions you want to disable using this format: ‘.ext1;.ext2;’,” reads the policy description.
“If you want to disable the opening of any attachment from a OneNote page, see the Disable embedded files policy. You cannot block embedded audio and video recordings (WMA & WMV) with this policy; instead refer to the Disable embedded files policy.”
When enabled, the following Windows Registry key will be created with the list of blocked extensions you entered.
Windows Registry Editor Version 5.00
Now, when a user attempts to open a blocked file extension in a Microsoft OneNote document, they will receive the following error.
Some suggested file extensions to block are .js, .exe, .com, .cmd, .scr, .ps1, .vbs, and .lnk. However, as threat actors discover new file extensions to abuse, this list may be bypassed by other malicious file types.
While blocking any file type is not always a perfect solution because of an environment's requirements, the consequences of doing nothing to restrict the abuse of Microsoft OneNote files could be far worse.
Therefore, it is strongly advised to block OneNote attachments, or at least the abuse of embedded file types, in your environment to prevent a cyberattack.
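As an added example (not code from the original article, and not Microsoft's), here is a small Python scanner that ties together the two recommendations above: blocking by file extension at a mail gateway, and treating any embedded file inside a .one attachment as reason to quarantine. It identifies OneNote files by their header GUID rather than by name, then locates every embedded FileDataStoreObject and sniffs the payload's type. It assumes the FileDataStoreObject layout and GUIDs published in Microsoft's MS-ONESTORE specification, assumes the group policy matches on the final file extension only, and runs against a constructed OneNote-style byte string rather than a real attachment; the function names are my own.

```python
import struct
import uuid

# GUIDs defined in Microsoft's MS-ONESTORE specification (stored little-endian in the file).
ONE_FILE_HEADER = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le  # .one file magic
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le      # FileDataStoreObject start
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le      # FileDataStoreObject end
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le         # Windows shell link CLSID

# The article's suggested block list, written in the policy's ".ext1;.ext2;" format.
SUGGESTED_POLICY_VALUE = ".js;.exe;.com;.cmd;.scr;.ps1;.vbs;.lnk;"


def parse_blocked_extensions(policy_value):
    """Parse the ';'-separated policy list into a set of lowercase extensions (trailing ';' tolerated)."""
    blocked = set()
    for item in policy_value.split(";"):
        item = item.strip().lower()
        if item:
            blocked.add(item if item.startswith(".") else "." + item)
    return blocked


def is_extension_blocked(filename, blocked):
    """Assumption: the policy matches on the final extension only, case-insensitively."""
    name = filename.lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in blocked


def is_onenote(data):
    """Identify a OneNote section file by its header GUID, not by its filename."""
    return data[:16] == ONE_FILE_HEADER


def classify_payload(blob):
    """Cheap magic-byte sniffing of an embedded payload; anything unrecognised is 'unknown'."""
    if blob[:2] == b"MZ":
        return "pe-executable"
    if blob[:4] == b"L\x00\x00\x00" and blob[4:20] == LNK_CLSID:
        return "lnk-shortcut"
    if blob[:4] == b"%PDF":
        return "pdf"
    if blob[:2] == b"PK":
        return "zip-container"
    return "unknown"


def iter_embedded_files(data):
    """Yield (offset, payload) for each FileDataStoreObject found in a .one file.

    Layout (MS-ONESTORE 2.6.13): guidHeader(16) cbLength(8) unused(4) reserved(8)
    FileData(cbLength) padding to 8 bytes guidFooter(16). Scanning for the header
    GUID is enough to find every embedded blob without walking the object tree.
    """
    pos = 0
    while True:
        pos = data.find(FDSO_HEADER, pos)
        if pos == -1 or pos + 36 > len(data):
            return
        (cb_length,) = struct.unpack_from("<Q", data, pos + 16)
        start, end = pos + 36, pos + 36 + cb_length
        if end > len(data):  # truncated object; a production scanner should flag this too
            return
        yield pos, data[start:end]
        pos = end


def scan_attachment(filename, data, blocked):
    """Gateway-style verdict: extension policy plus content inspection of OneNote files."""
    report = {
        "filename": filename,
        "blocked_by_extension": is_extension_blocked(filename, blocked),
        "is_onenote": is_onenote(data),
        "embedded": [],
    }
    if report["is_onenote"]:
        for offset, blob in iter_embedded_files(data):
            report["embedded"].append(
                {"offset": offset, "size": len(blob), "type": classify_payload(blob)}
            )
    # Mirror the stricter 'Disable embedded files' stance: any embedded file is enough to quarantine.
    report["quarantine"] = report["blocked_by_extension"] or bool(report["embedded"])
    return report


def build_fdso(payload):
    """Wrap a payload in a FileDataStoreObject (used only to build the constructed sample)."""
    padding = (-len(payload)) % 8
    return (FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12
            + payload + b"\x00" * padding + FDSO_FOOTER)


# Constructed sample: a OneNote-style file carrying a fake PE stub and a harmless text blob.
SAMPLE_ONE = (ONE_FILE_HEADER + b"\x00" * 32
              + build_fdso(b"MZ\x90\x00" + b"\x00" * 60)
              + build_fdso(b"just a note, not a program"))


if __name__ == "__main__":
    policy = parse_blocked_extensions(SUGGESTED_POLICY_VALUE)
    for name, payload in [("invoice.one", SAMPLE_ONE), ("report.pdf", b"%PDF-1.4\n")]:
        print(scan_attachment(name, payload, policy))
```

Checking the file's magic bytes as well as its name matters because an extension filter alone only sees what the sender chose to call the file; inspecting the embedded payloads gives the gateway the same information the user would otherwise only learn after double-clicking.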