OneNote is note-taking software developed by Microsoft and included in the default Office suite bundle. In recent years, OneNote files have become a popular channel for attackers to distribute malware, because OneNote is so widely installed and because Microsoft's organisational measures now block macros from running in Excel and Word.
Utilising OneNote as a distribution method is relatively straightforward: an attacker simply needs to embed a file, typically a VB script, that downloads malware from a server they control, and then convince a victim to open it. The latter is usually achieved with some form of social engineering.
Blocking malicious Microsoft OneNote files
An initial step is to block OneNote files, identified by the .one file extension, at the email and web perimeter. However, this is only the first part; for the most comprehensive solution, Group Policy should also be used to block embedded files and additional file extensions. With these set, a malicious OneNote file can still arrive, but the embedded files and links within it will be disabled.
If you do not use Group Policy for device management, you should apply the same settings within the Cloud Policy service. Using the Cloud Policy service will also ensure the policies detailed below are applied to all instances of OneNote that a user signs into.
Blocking embedded files
To block embedded files in a OneNote file, enable ‘Disable embedded files’ under: User Configuration\Policies\Administrative Templates\Microsoft OneNote 2016\OneNote Options\Other.
Blocking additional file extensions
Blocking file extensions that exist in a OneNote file requires ‘Embedded Files Blocked Extensions’ to be enabled under: User Configuration\Policies\Administrative Templates\Microsoft OneNote 2016\OneNote Options\Other. This setting requires a list of extensions; the complete supported list can be found here. It is recommended that all 120 are included, but there may be exceptions. Where an exception is made, users should be made aware of the risk associated with opening files with those specific extensions from within a OneNote file.
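As an added audit example (not from this article or from Microsoft), the following PowerShell check verifies that both settings above, ‘Disable embedded files’ and ‘Embedded Files Blocked Extensions’, have actually reached the signed-in user's policy registry. It assumes the settings land under the registry key and value names shown (as I recall them from Microsoft's published OneNote embedding-policy registry values; verify against your ADMX templates or Cloud Policy output), and the baseline list is a constructed subset of script and executable extensions rather than the full 120 the article recommends.

```powershell
# Assumed policy location for the two OneNote 2016 embedding settings (verify against your ADMX).
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\OneNote\Options\Embedding'

# Constructed minimum baseline; the article recommends including the complete supported list.
$Baseline = @('.vbs','.vbe','.js','.jse','.wsf','.wsh','.exe','.com','.scr',
              '.bat','.cmd','.ps1','.hta','.lnk','.chm','.msi','.iso')

function Test-OneNoteEmbeddingPolicy {
    [CmdletBinding()]
    param(
        [string]$Key = $PolicyKey,
        [string[]]$RequiredExtensions = $Baseline
    )
    # Returns $null (rather than throwing) when the policy has never been applied.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    # 'Disable embedded files' is assumed to be a DWORD named disable_embedded_files set to 1.
    $embeddedDisabled = ($null -ne $props) -and ($props.disable_embedded_files -eq 1)

    # 'Embedded Files Blocked Extensions' is assumed to be a semicolon-separated REG_SZ named
    # embedded_files_blocked_extensions. Normalise case and leading dots so either format compares.
    $configured = @()
    if ($props -and $props.embedded_files_blocked_extensions) {
        $configured = @($props.embedded_files_blocked_extensions -split ';' |
            ForEach-Object { $_.Trim().TrimStart('.').ToLowerInvariant() } |
            Where-Object { $_ })
    }
    $missing = @($RequiredExtensions |
        ForEach-Object { $_.TrimStart('.').ToLowerInvariant() } |
        Where-Object { $configured -notcontains $_ })

    [PSCustomObject]@{
        PolicyKeyPresent      = ($null -ne $props)
        EmbeddedFilesDisabled = $embeddedDisabled
        BlockedExtensionCount = $configured.Count
        MissingFromBaseline   = $missing
        # Compliant only when embedding is disabled AND every baseline extension is blocked.
        Compliant             = $embeddedDisabled -and ($missing.Count -eq 0)
    }
}

# Run the audit for the current user and show each field on its own line.
Test-OneNoteEmbeddingPolicy | Format-List
```

Run it in the user's own session, since both settings are User Configuration policies and live under HKCU, not HKLM.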