The seemingly innocuous Microsoft OneNote file has become a popular file format used by hackers to spread malware and breach corporate networks. Here's how to block malicious OneNote phishing attachments from infecting Windows.
To give a little background on how we got to Microsoft OneNote files becoming the tool of choice for malware-distributing phishing attacks, we first need to explain how we got here.
Threat actors have been abusing macros in Microsoft Word and Excel documents for years to download and install malware on Windows devices.
After Microsoft finally disabled macros by default in Word and Excel Office documents, threat actors began turning to other less commonly used file formats to distribute malware, such as ISO files and password-protected ZIP archives.
These were popular file formats as a Windows bug allowed files in ISO images to bypass Mark-of-the-Web (MoTW) security warnings, and the popular 7-Zip archive utility did not propagate MoTW flags to files extracted from ZIP archives.
However, after both 7-Zip and Windows fixed these bugs, Windows once again began displaying scary security warnings when a user attempted to open files in downloaded ISO and ZIP files, causing threat actors to find another file format to use in attacks.
Source: BleepingComputer
Since mid-December, threat actors have turned to another file format for distributing malware - Microsoft OneNote attachments.
Why Microsoft OneNote?
Microsoft OneNote attachments use the '.one' file extension and are an interesting choice, as they do not distribute malware through macros or vulnerabilities.
Instead, threat actors create intricate templates that appear to be a protected document with a message to 'double-click' a design element to view the file, as shown below.
Source: BleepingComputer
What you do not see from the above attachment, though, is that the 'Double Click to View File' is actually hiding a series of embedded files that sit underneath the button layer, as illustrated below.
Source: BleepingComputer
When double-clicking on the button, you are double-clicking on the embedded file and causing the file to launch.
While double-clicking an embedded file will display a security warning, as we know from previous phishing attacks abusing Microsoft Office macros, users commonly ignore warnings and allow the file to run anyway.
Sadly, you just need one user to accidentally allow a malicious file to run for an entire corporate network to be compromised in a full blown ransomware attack.
And this is not theoretical, as in some Microsoft OneNote QakBot campaigns, security researchers have found that they ultimately led to a ransomware attack, such as BlackBasta, on a compromised network.
How to block malicious Microsoft OneNote files
The best way to prevent malicious Microsoft OneNote attachments from infecting Windows is to block the '.one' file extension at your secure mail gateways or mail servers.
However, if that is not possible for your environment, you can also use Microsoft Office group policies to restrict the launching of embedded file attachments in Microsoft OneNote files.
First, install the Microsoft 365/Microsoft Office group policy templates to get started with Microsoft OneNote policies.
Now that the policies are installed, you will find new Microsoft OneNote policies named 'Disable embedded files' and 'Embedded Files Blocked Extensions,' as shown below.
Source: BleepingComputer
The 'Disable embedded files' group policy is the most restrictive as it prevents all embedded OneNote files from being launched. You should enable this option if you have no use case for using embedded OneNote attachments.
"To disable the ability to embed files on a OneNote page, so people cannot transmit files that might not be caught by anti-virus software, etc," reads the group policy description.
Source: BleepingComputer
When enabled, the following Windows Registry key will be created. Note that the paths may differ depending on your Microsoft Office version.
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\onenote\options]
"disableembeddedfiles"=dword:00000001
Now, when a user attempts to open any attachments embedded in a Microsoft OneNote document, they will receive the following error.
Source: BleepingComputer
A less restrictive option, but potentially more unsafe, is the 'Embedded Files Blocked Extensions' group policy, which allows you to input a list of embedded file extensions that will be blocked from opening in a Microsoft OneNote document.
"To disable the ability of the users in your organization from being able to open a file attachment of a specific file type from a Microsoft OneNote page, add the extensions you want to disable using this format: '.ext1;.ext2;'," reads the policy description.
"f you want to disable the opening of any attachment from a OneNote page, see the Disable embedded files policy. You cannot block embedded audio and video recordings (WMA & WMV) with this policy instead refer to the Disable embedded files policy."
Source: BleepingComputer
When enabled, the following Windows Registry key will be created with the list of blocked extensions you entered.
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\onenote\options\embeddedfileopenoptions]
"blockedextensions"=".js;.exe;.bat;.vbs;.com;.scr;.cmd;.ps1"
Now, when a user attempts to open a blocked file extension in a Microsoft OneNote document, they will receive the following error.
Source: BleepingComputer
Some suggested file extensions to block are .js, .exe, .com, .cmd, .scr, .ps1, .vbs, and .lnk. However, as threat actors discover new file extensions to abuse, this list may be bypassed by other malicious file types.
While blocking any file type is not always a perfect solution due to an environment's requirements, the results of not doing anything to restrict the abuse of Microsoft OneNote files can be even worse.
Therefore, it is strongly advised to block OneNote attachments, or at least the abuse of embedded file types, in your environment to prevent a cyberattack.
Top 10 MITRE ATT&CK© Techniques Behind 93% of Attacks
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
Comments
nauip - 2 years ago
Is there a way to block this via a powershell script?
edit: Actually this would be tricky since it will vary on the version of Office that's installed.
Brainstorming time...
NoneRain - 2 years ago
You could use Test-Path to check what path exists, and then New-Item -Path $path -Value $value (or Set-item if the reg already exists).
scpcguy - 2 years ago
Blocked .ONE attachments at our mail server several weeks or longer ago. Good information though for blocking execution by GPO.
amrakesh - 2 years ago
Any article(s) on how to block .ONE attachement on security.microsoft.com / M365. Thanks in advance.
Lawrence Abrams - 2 years ago
I believe the same GPs work in Microsoft 365. Hopefully some Microsoft 365 admins with more experience than me can confirm?
amrakesh - 2 years ago
I think i figure out how to block .one on Exchange. I created a rule that apply to attachement with extension .one and one. And exhange will block the attachement. For now I am forwarding the message to a test mailbox to review.
Icepop33 - 2 years ago
I'm confused...
"While double-clicking an embedded file will display a security warning, as we know from previous phishing attacks abusing Microsoft Office macros, users commonly ignore warnings and allow the file to run anyway."
This contradicts the stated reason for moving away from Word and Excel (after the fixes)!
Were the warnings more dire (and therefore more effective) in those programs?
If a successful breach is predicated upon the target clicking through a security warning in every case, why would attackers bother using resources to pivot to a product that I believe is used less in an enterprise setting?
Lawrence Abrams - 2 years ago
How does it contradict? Currently Microsoft Word/Excel don't let you easily bypass (you can, but it's not easy for most users).
This is why they moved to OneNote that just displays a warning when you launch.
Icepop33 - 2 years ago
I wasn't referring to users overriding default setting to enable macros in Word, but just clicking OPEN when a dialog box is strongly suggesting "You shouldn't open this file". Most people are interested in reaching their objectives in the most frictionless way possible; they are not mindful, and perhaps are even resentful of the security practices put in place to protect them from themselves, and by extension, the company. Enterprise probably will have enabled macros in some portion of their MS stack anyway. OneNote doesn't support them.
So are you saying that there is much higher resistance to clicking through a MoTW warning dialog than there is in the equivalent warning dialog when trying to open embedded files in OneNote? Is it not possible to exploit Word templates in the same way?
It seems to me that this is just another tool in the toolbox and it's not really replacing anything.
They just found yet another way to exploit the wetware with a handy feature that can be used for good or bad.
Lawrence Abrams - 2 years ago
I think we are saying the same thing.
Maybe I was unclear in my article, but the recent changes Microsoft made in Word and Excel no longer show an "Enable Content" or "Enable Editing" button. So there is no security warning to click-through.
The programs just display a message stating that macros are disabled on this document as they were downloaded from an untrusted source. There is no other way to enable them in the Office applications.
https://www.bleepstatic.com/images/news/malware/e/emotet/emotet-returns-2023/macros-disabled-warning.jpg
Instead, they have to enable them through other means in the file system.
Icepop33 - 2 years ago
I'm sure you meant "...downloaded from an untrusted source."
Ok, thanks for making it more clear for me. I appreciate what you do.
Lawrence Abrams - 2 years ago
I did and fixed.