Microsoft has released further details on the additional security measures it is rolling out for OneNote to protect users from phishing attacks that spread malware. The news follows the March 10 publication of the Microsoft 365 roadmap.
OneNote documents have been used in spear-phishing operations since mid-December 2022, with malicious actors embedding hazardous files and scripts in notebooks and concealing them behind design elements. To counteract this, Microsoft proposes to block 120 file extensions, including those already blocked by Outlook, Word, Excel, and PowerPoint. Once the new security feature is in place, users will be unable to open embedded files with these dangerous extensions.
From late April 2023 to late May 2023, the change will be deployed in Version 2304 in the Current Channel (Preview) for OneNote for Microsoft 365 for Windows devices. The security feature will also be available in retail versions of Office 2021, Office 2019, and Office 2016 (Current Channel), but not in volume-licensed Office editions such as Office Standard 2019 or Office LTSC Professional Plus 2021. The security update will not be available in OneNote for Windows 10, OneNote for Mac, or OneNote for Android or iOS devices.
Users will be shown a warning dialog when a file is blocked that reads, “Your administrator has blocked your ability to open this file type in OneNote.” To block additional file extensions, administrators can enable the ‘Block additional file extensions for OLE embedding’ policy under User Configuration\Policies\Administrative Templates\Microsoft Office 2016\Security Settings and list the extensions they want blocked.
To allow specific file extensions that will soon be blocked by default, administrators can enable the ‘Allow file extensions for OLE embedding’ policy in the same location of the Group Policy Management Console and specify which extensions they wish to allow. These policies are only available for Microsoft.
The sources for this piece include an article in BleepingComputer.