On 28 March Microsoft announced that, starting with update 2304 (April 2023), OneNote will begin blocking 120 different file extensions from being opened from within the application. This is in response to the increase in threat actors using OneNote as an alternative to macro files, which Microsoft has previously blocked. Prior to this update, OneNote (like other Office applications) would warn users that the attachment may have been dangerous but allowed them to still open the file. With this update, users will have to save the embedded file to the device, and then open it. This update is limited to OneNote for Microsoft 365 on Windows exclusively. Administrators can allowlist specific file extensions via group policy.
The list of blocked file extensions is as follows:
This secure-by-default strategy is a positive step forward and will help administrators better secure their users against phishing attacks. Companies should apply the update as soon as their patching schedule allows. Eventually, threat actors will find other avenues to deploy malware via phishing emails, but the reduction in attack surface will make it more difficult to successfully accomplish and easier to detect. Companies are well-served to still leverage tools to scan email attachments for malicious documents in addition to this update to adopt a robust defense-in-depth strategy.