James Gillespie 15 November, 2023

Avoiding Microsoft OneNote attachments spreading malware on your network

OneNote is note-taking software, developed by Microsoft and is included in the default Office suite bundle. In recent years, OneNote files have become popular channels for attackers to distribute malware, given their common installation and Microsoft's organisational measures to block macros from running in Excel and Word.

Utilising OneNote as a distribution method is relativity straightforward, an attacker simply needs to embed a file, typically a VB script, that downloads malware from a server they control and then convince a victim to open it. The latter can be achieved with some form of social engineering.

Blocking malicious Microsoft OneNote files

An initial step is to block OneNote files, identified by the .one file extension, at the email and web perimeter. However, this is only the first part and for the most comprehensive solution, Group Policy should be used to block embedded files and additional file extensions. With these set, a malicious OneNote can arrive, but the embedded files and links within it will be disabled. 

If you do not use Group Policy for device management, you should apply the same settings within the Cloud Policy service. Using the Cloud Policy service will also ensure the policies detailed below are applied to all instances of OneNote that a user signs into.

Blocking embedded files

To block embedded files in a OneNote file, enable ‘Disable embedded files’ under: User Configuration\Policies\Administrative Templates\Microsoft OneNote 2016\OneNote Options\Other.

Local Group Policy Editor showing the 'Disable Embedded Files' setting listed in the article 'Enabled'


Blocking additional file extensions

Blocking file extensions that exist in a OneNote file requires ‘Embedded Files Blocked Extensions’ to be enabled under: User Configuration\Policies\Administrative Templates\Microsoft OneNote 2016\OneNote Options\Other. This requires including a list of extensions; the complete supported list can be found here. It’s recommended all 120 are included but there may be an exception. If that is the case, users should be made aware of the risk associated with opening the specific exceptions in a OneNote file.

Local Group Policy Editor window showing Embedded Files Blocked Extensions set to 'Enabled'

See also


Improve your security

Our experienced team will identify and address your most critical information security concerns.