Microsoft improved security for OneNote by blocking files with potentially hazardous extensions from the popular note-taking software.

In a Microsoft 365 security update, the company announced it will block by default the same extensions as Outlook, Word, Excel, and PowerPoint to defend users against ongoing phishing attacks associated with OneNote. 

The list includes a total of 120 extensions, including .XLL, .ISO, .BAT, and .JS, according to a Microsoft 365 support page that publishes the full list of blocked extensions.

The change now completely blocks suspicious OneNote attachments instead of issuing a warning if a dangerous extension is detected. The user will instead receive a dialog stating that the administrator has restricted their ability to open the file type. 
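To make the difference between the old "warn" behaviour and the new "block" default concrete, here is an added example, written for this article and not code from Microsoft or the OneNote product, that decides how an attachment name would be handled by such a policy. It assumes a constructed subset of the blocklist (only the four extensions named above; the real list has 120 entries), and it normalizes names the way a defender-side check should: case-insensitively, on the final extension only (so `invoice.pdf.bat` is judged as `.bat`), and after stripping the trailing dots and spaces that Windows discards when a file is written.

```python
import os
from collections import Counter

# Constructed subset of the 120 blocked extensions named in the article.
# The real OneNote/Office list is far longer; extend this set from the
# Microsoft 365 support page when using it for real.
BLOCKED_EXTENSIONS = {".xll", ".iso", ".bat", ".js"}

# Policy modes: "warn" mirrors the pre-update behaviour (a warning dialog but
# the file can still be opened); "block" is the new default described above.
POLICY_MODES = ("warn", "block")


def normalize_name(filename: str) -> str:
    """Reduce a (possibly path-qualified) attachment name to a comparable form.

    Windows drops trailing dots and spaces when it creates a file, so a name
    like 'evil.bat.' ends up on disk as 'evil.bat'; we strip them here so the
    check sees the name the OS would actually use. Comparison is case-insensitive.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    return base.rstrip(" .").lower()


def attachment_extension(filename: str) -> str:
    """Return the final extension of the normalized name ('' if none).

    Only the last extension matters: 'report.pdf.bat' is a .bat file to the OS,
    however many decoy extensions precede it.
    """
    _, ext = os.path.splitext(normalize_name(filename))
    return ext


def evaluate_attachment(filename: str, mode: str = "block") -> str:
    """Classify one attachment as 'allow', 'warn', or 'block' under the policy.

    Raises ValueError for an unknown policy mode so a misconfigured mode never
    silently degrades to 'allow'.
    """
    if mode not in POLICY_MODES:
        raise ValueError(f"unknown policy mode: {mode!r}")
    if attachment_extension(filename) in BLOCKED_EXTENSIONS:
        return mode
    return "allow"


def triage(filenames, mode: str = "block") -> dict:
    """Apply the policy to a batch of names and return per-verdict counts plus
    the list of names that were not allowed (for logging or alerting)."""
    verdicts = {name: evaluate_attachment(name, mode) for name in filenames}
    counts = Counter(verdicts.values())
    flagged = [name for name, verdict in verdicts.items() if verdict != "allow"]
    return {"counts": dict(counts), "flagged": flagged}


if __name__ == "__main__":
    # Constructed sample attachment names, as a mail gateway might extract them
    # from embedded OneNote content; none of these are real files.
    sample = [
        "report.pdf",
        "Invoice.PDF.bat",
        "C:\\Users\\alice\\macro.XLL",
        "evil.js.",
        "notes.one",
    ]
    for policy in POLICY_MODES:
        print(policy, triage(sample, policy))
```

The same names evaluated under `mode="warn"` show what the earlier behaviour permitted: the suspicious attachments are surfaced but not stopped, which is the gap the block-by-default change closes.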

OneNote warning with new change (Credit: Microsoft)

OneNote is a digital note-taking application bundled in the Office suite and allows users to create, organize and share notes across multiple devices. In February, multiple security firms reported an unusual surge in threat actors abusing OneNote to deliver malware. 

According to Proofpoint, six campaigns were detected using OneNote documents to deliver the AsyncRat malware in December 2022, while over 50 OneNote campaigns were discovered delivering various malware payloads in January. 

“Since Microsoft began blocking macros by default in 2022, threat actors have experimented with many new tactics, techniques, and procedures, including the use of previously infrequently observed filetypes such as virtual hard disk (VHD), compiled HTML (CHM) and now OneNote (.one),” Proofpoint said in a February blog post.

Microsoft plans to roll out the feature with Version 2304 in April. The change will affect OneNote for Microsoft 365 on Windows devices. The update, however, does not affect OneNote on macOS, OneNote on Android or iOS devices, OneNote on the web, or OneNote for Windows 10.

Versions of OneNote affected by the change (Credit: Microsoft)