Microsoft will introduce improved protection against phishing attacks that deliver malware via malicious Microsoft OneNote files.

In a new Microsoft 365 roadmap entry released today titled “Microsoft OneNote: Improved protection against known high-risk phishing file types,” the company revealed that this change will likely reach general availability before the end of April 2023.

“We’re adding stronger protection when users open or download an embedded file in OneNote,” Redmond explains.

“Users will receive a notification when files are deemed unsafe to improve the file protection experience in OneNote on Windows.”

This comes after a recent wave of phishing attacks where threat actors used maliciously crafted OneNote documents with “.one” file extensions and embedded files hidden behind overlays asking targets to click to view the document.

A double-click launches the embedded file, which may seem innocuous but can have serious consequences.

Unfortunately, even when they receive security warnings, users often ignore them and let the file run, potentially putting their entire corporate network at risk.

Hidden OneNote Embedded Files (BleepingComputer)

It’s a lesson everyone should have learned from previous phishing attacks that took advantage of Microsoft Office macros.

Unfortunately, it only takes one user to accidentally run a malicious file to become infected with information-stealing malware or, even worse, trigger a ransomware attack.

To thwart phishing attacks using malicious Microsoft OneNote attachments, you can configure secure email gateways or email servers to automatically block OneNote documents with .one extensions.
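An added sketch of the gateway-side check described above (not code from the original article or from Microsoft): it flags attachments with a .one extension and, going one step beyond the extension rule, also matches the OneNote file header GUID and looks one level into ZIP attachments. The function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# guidFileType at offset 0 of a .one file, {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}, in on-disk byte order.
ONE_MAGIC = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")

def is_onenote(name, data):
    """True if the name ends in .one (ignoring trailing dots/spaces) or the content starts with the GUID."""
    return name.lower().rstrip(". ").endswith(".one") or data.startswith(ONE_MAGIC)

def find_onenote(raw_message):
    """Return the attachment names in a raw message that a .one block rule should stop."""
    hits = []
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if is_onenote(name, data):
            hits.append(name)
        elif zipfile.is_zipfile(io.BytesIO(data)):
            # One level of ZIP unpacking; member names are readable even when encrypted.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    try:
                        with zf.open(info) as fh:
                            head = fh.read(16)
                    except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                        head = b""  # encrypted or unsupported member: fall back to the name
                    if is_onenote(info.filename, head):
                        hits.append(f"{name}!{info.filename}")
    return hits

def build_sample():
    """Constructed test message: .one by name, .one by content, .one inside a ZIP, benign text."""
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(b"notes", maintype="application", subtype="octet-stream", filename="Notes.ONE")
    msg.add_attachment(ONE_MAGIC + bytes(32), maintype="application", subtype="pdf", filename="invoice.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/scan.one", b"x")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    msg.add_attachment("hello", filename="readme.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    print(find_onenote(build_sample()))
```

A production gateway would additionally bound archive size and nesting depth before unpacking.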

Windows administrators can also use Microsoft Office Group Policies to prevent embedded OneNote files from launching.

To do this, you need to install the Microsoft 365/Microsoft Office Group Policy Templates and enable the Microsoft OneNote policies “Disable Embedded Files” and “Blocked Embedded File Extensions”.

Microsoft OneNote Group Policies (BleepingComputer)

Hackers have been using OneNote documents in spear phishing campaigns since mid-December 2022, as Trustwave also reported earlier this week.

Attackers have been spotted misusing OneNote files for a variety of malicious purposes, including downloading and installing malware payloads such as information stealers.

The switch to OneNote came after Microsoft finally disabled Word and Excel macros by default and patched a MoTW zero-day bypass used to distribute malware via ISO and ZIP files.
