The seemingly innocuous Microsoft OneNote file has become a popular format for attackers to spread malware and breach corporate networks. Here is how to block malicious OneNote phishing attachments from infecting Windows.
Some background first on how Microsoft OneNote files became the tool of choice for malware-distributing phishing attacks.
Threat actors have abused macros in Microsoft Word and Excel documents for years to download and install malware on Windows devices.
After Microsoft finally began blocking macros by default in Office documents downloaded from the internet, threat actors turned to other, less commonly used file formats to distribute malware, such as ISO images and password-protected ZIP archives.
These formats were popular because a Windows bug allowed files inside ISO images to bypass Mark-of-the-Web (MoTW) security warnings, and the widely used 7-Zip archive utility did not propagate the MoTW flag to files extracted from ZIP archives.
However, once both 7-Zip and Windows fixed these bugs, Windows again displayed security warnings when a user tried to open files extracted from downloaded ISO and ZIP files, pushing threat actors to find yet another file format to use in attacks.
Since mid-December, threat actors have turned to a different format for distributing malware: Microsoft OneNote attachments.
Why Microsoft OneNote?
Microsoft OneNote attachments use the '.one' file extension and are an interesting choice, as they do not deliver malware through macros or vulnerabilities.
Instead, threat actors craft intricate page templates that look like a protected document, with a message telling the recipient to 'double-click' a design element, such as a button, to view the file.
What the recipient does not see is that the 'Double Click to View File' button is hiding a series of embedded files that sit beneath the button layer.
Double-clicking the button therefore double-clicks the embedded file underneath it and launches that file. No exploit is involved; the OneNote page itself is only the social-engineering wrapper, and the embedded file is what actually executes.
While double-clicking an embedded file does display a security warning, as we know from earlier phishing attacks abusing Microsoft Office macros, users commonly ignore such warnings and allow the file to run anyway.
Unfortunately, it only takes one user allowing a malicious file to run for an entire corporate network to be compromised in a full-blown ransomware attack.
This is not theoretical: in some Microsoft OneNote QakBot campaigns, security researchers have found that the initial infection ultimately led to a ransomware attack, such as Black Basta, on the compromised network.
How to block malicious Microsoft OneNote files
The most effective way to prevent malicious Microsoft OneNote attachments from infecting Windows is to block the '.one' file extension at your secure mail gateways or mail servers, so the file never reaches a user's inbox.
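As an added example that is not part of the original article, the following mail flow (transport) rule rejects inbound mail carrying a '.one' attachment in Exchange Online. It assumes the ExchangeOnlineManagement module is installed and that the account has a role permitted to manage transport rules; the rule name and rejection text are arbitrary choices made here.

```powershell
# Added example (not from the original article): block inbound .one attachments
# with an Exchange Online mail flow rule, then verify the rule was created.
# Assumes: ExchangeOnlineManagement module installed, sufficient rights.
Connect-ExchangeOnline

$ruleName = 'Block OneNote (.one) attachments'   # arbitrary name chosen here

# Only external senders are affected (-FromScope NotInOrganization), so
# internal users who legitimately share notebooks by mail are not blocked.
New-TransportRule -Name $ruleName `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords 'one' `
    -RejectMessageReasonText 'OneNote (.one) attachments are not accepted by this organization.' `
    -Comments 'Mitigation for OneNote-based phishing campaigns'

# Verification: the rule should be listed as Enabled with the extension match.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, FromScope, AttachmentExtensionMatchesWords
```

The rule matches on the attachment's extension only; if your gateway offers true file-type detection, prefer that, since a renamed attachment will slip past an extension match.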
If that is not possible in your environment, you can instead use Microsoft Office group policies to restrict the launching of embedded file attachments from within Microsoft OneNote pages.
First, install the Microsoft 365/Microsoft Office group policy (ADMX) templates to make the Microsoft OneNote policies available.
Once the templates are installed, you will find two relevant Microsoft OneNote policies, named 'Disable embedded files' and 'Embedded Files Blocked Extensions'.
The 'Disable embedded files' group policy is the most restrictive, as it prevents every file embedded in a OneNote page from being launched. Enable this option if you have no use case for embedded OneNote attachments.
"To disable the ability to embed files on a OneNote page, so people cannot transmit files that might not be caught by anti-virus software, etc.," reads the group policy description.
When enabled, the following Windows Registry key is created. Note that the path may differ depending on your Microsoft Office version.
Windows Registry Editor Version 5.00
With the policy in place, a user who attempts to open any attachment embedded in a Microsoft OneNote page receives an error and the file does not launch.
A less restrictive, but potentially less safe, option is the 'Embedded Files Blocked Extensions' group policy, which lets you enter a list of file extensions that will be blocked from opening when embedded in a Microsoft OneNote page.
"To disable the ability of the users in your organization from being able to open a file attachment of a specific file type from a Microsoft OneNote page, add the extensions you want to disable using this format: '.ext1;.ext2;'," reads the policy description.
"If you want to disable the opening of any attachment from a OneNote page, see the Disable embedded files policy. You cannot block embedded audio and video recordings (WMA & WMV) with this policy; instead refer to the Disable embedded files policy."
When enabled, the following Windows Registry key is created, containing the list of blocked extensions you entered.
Windows Registry Editor Version 5.00
With the policy in place, a user who attempts to open an embedded file with a blocked extension from a Microsoft OneNote page receives an error and the file does not launch.
Some suggested extensions to block are .js, .exe, .com, .cmd, .scr, .ps1, .vbs, and .lnk. Bear in mind that this is a blocklist: other extensions that can launch code, such as .hta, .wsf and .bat, are not on it, and as threat actors discover new file types to abuse, any fixed list can be bypassed.
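The following script is an added example, not part of the original article, that applies the two policies described above directly as registry values (useful for hosts where the ADMX templates are not deployed) and reads them back for verification. It assumes the Office 16.0 (Microsoft 365 / Office 2016 and later) policy path under HKCU, and the value names 'disableembeddedfiles' and 'blockedextensions' as defined in the OneNote ADMX template; verify both against the template for your Office version before deploying.

```powershell
# Added example (not from the original article): set the OneNote
# 'Disable embedded files' and 'Embedded Files Blocked Extensions' policies
# directly in the registry and read them back.
# Assumptions to verify against your OneNote ADMX template:
#   - Office 16.0 policy path under HKCU (user-scope policy)
#   - value names 'disableembeddedfiles' (DWORD) and 'blockedextensions' (string)
$PolicyPath = 'HKCU:\Software\Policies\Microsoft\Office\16.0\OneNote\Options\EmbeddedFileOpenOptions'

# The article's suggested list; extend it for your environment.
$DefaultBlockedExtensions = '.js', '.exe', '.com', '.cmd', '.scr', '.ps1', '.vbs', '.lnk'

function Set-OneNoteEmbeddedFilePolicy {
    param(
        # -DisableAll applies the most restrictive policy (no embedded file launches).
        [switch]$DisableAll,
        # Otherwise only these extensions are blocked.
        [string[]]$Extensions = $DefaultBlockedExtensions
    )
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    if ($DisableAll) {
        Set-ItemProperty -Path $PolicyPath -Name 'disableembeddedfiles' -Value 1 -Type DWord
        return
    }
    # Policy description requires the form '.ext1;.ext2;' (leading dot,
    # semicolon-separated, trailing semicolon). Normalise whatever was passed.
    $normalised = foreach ($e in $Extensions) {
        $e = $e.Trim().ToLowerInvariant().TrimStart('*')
        if (-not $e.StartsWith('.')) { $e = ".$e" }
        $e
    }
    $list = ($normalised | Sort-Object -Unique) -join ';'
    Set-ItemProperty -Path $PolicyPath -Name 'blockedextensions' -Value "$list;" -Type String
}

function Get-OneNoteEmbeddedFilePolicy {
    # Returns the current values, or $null if neither policy is set.
    if (-not (Test-Path $PolicyPath)) { return $null }
    Get-ItemProperty -Path $PolicyPath |
        Select-Object @{n='DisableEmbeddedFiles'; e={ $_.disableembeddedfiles }},
                      @{n='BlockedExtensions';    e={ $_.blockedextensions }}
}

# Apply the extension blocklist (use -DisableAll for the stricter policy).
Set-OneNoteEmbeddedFilePolicy
Get-OneNoteEmbeddedFilePolicy
```

Writing the values directly is equivalent to what the group policy editor does, but a value set this way is not reported or re-enforced by Group Policy; in a managed domain, deploy the policy through GPO and use a script like this only to audit the result on endpoints.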
Blocking a file type is not always a perfect fit for an environment's requirements, but the consequences of doing nothing to restrict the abuse of Microsoft OneNote files can be far worse.
It is therefore strongly advised to block OneNote attachments at the mail boundary, or at minimum to block the launching of embedded file types from OneNote pages, to prevent these attacks from succeeding in your environment.