Forum Discussion

Joshua Bines
Iron Contributor
Mar 09, 2023
Solved

OneNote Files used in Malware attacks

Hi Folks,

Any comments or recommendations regarding the increase of attacks via OneNote files as noted in the articles below? I'm seeing an increased number of recommendations for blocking .one and .onepkg mail attachments. One issue is that .onepkg files currently cannot be added to the malware filter.

https://www.securityweek.com/microsoft-onenote-abuse-for-malware-delivery-surges/

https://labs.withsecure.com/publications/detecting-onenote-abuse

B

Joshua
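One way to implement the attachment block the post asks about, covering the .onepkg extension the common attachment types filter will not accept, is an Exchange Online mail flow rule. This is an added example, not from the thread; it assumes Exchange Online with the ExchangeOnlineManagement module, and the rule name and reject text are placeholders.

```powershell
# Added example (not from the thread): Exchange Online mail flow rule that rejects inbound
# mail carrying .one or .onepkg attachments. Assumes the ExchangeOnlineManagement module;
# rule name, comment and reject text are placeholders to adjust for your tenant.
Connect-ExchangeOnline   # prompts for an account with mail flow (transport rule) rights

$Params = @{
    Name                            = 'Block OneNote attachments (.one/.onepkg)'
    FromScope                       = 'NotInOrganization'   # external senders; remove to cover internal mail too
    AttachmentExtensionMatchesWords = 'one', 'onepkg'
    RejectMessageReasonText         = 'OneNote attachments are blocked by policy. Please share the notebook instead.'
    Mode                            = 'Audit'               # log matches only; switch to 'Enforce' to reject
    Comments                        = 'Response to 2023 OneNote malware campaigns'
}
New-TransportRule @Params

# Verify the rule was created and review its effective settings before switching to Enforce.
Get-TransportRule -Identity $Params.Name |
    Format-List Name, State, Mode, FromScope, AttachmentExtensionMatchesWords
```

The rule matches on the attachment's extension only, so it does not inspect OneNote files nested inside archives; it complements rather than replaces endpoint controls such as the ASR rules discussed later in the thread.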


3 Replies

  • rooclowntech
    Occasional Reader

    The attacks using OneNote have increased in recent years. Recommendations:

    1. Block .one and .onepkg attachments at the mail gateway.
    2. Ensure that your ASR rules are enabled.
    3. If blocking is not possible, then use a defender for the endpoint. Go to “safe attachments” as it can open the file in a secure sandbox. This will catch harmful files before they reach your device. 
    4. Turn on the Microsoft security features.
  • ambarishrh
    Iron Contributor

    Joshua Bines: Recommendation from the BleepingComputer article

    https://www.bleepingcomputer.com/news/security/how-to-prevent-microsoft-onenote-files-from-infecting-windows-with-malware/

    • Joshua Bines
      Iron Contributor

      Thanks, yes I've read that one but I wonder if this is really needed if you have EDR in block mode, for example. I was hoping for a response from MS regarding this uptick in OneNote malware and how these attacks can be mitigated by Defender.

      Here is my compiled list:

      • Block '.one', '.onenote' and '.onepkg' attachments at the network perimeter or with an anti-phishing solution if '.one' files are not business-critical. Email and web proxy if possible.
      • Block All Office Applications From Creating Child Processes (Microsoft Defender)
        • Recommend preventing all Office applications from creating child processes using Attack Surface Reduction (ASR) rules.
        • Run the PowerShell command: Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
        • This rule can also be set to 'audit mode' by changing 'Enabled' to 'AuditMode' in the PowerShell command. This change will create event logs, but not block processes. More information about ASR rules can be found in the corresponding Microsoft documentation.
      • Block Office Applications From Creating Executable Content
        • Recommend preventing all Office applications from creating executable content.
        • Run the PowerShell command: Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled
        • This rule can also be set to 'audit mode' by changing 'Enabled' to 'AuditMode' in the PowerShell command. This change will create event logs, but not block processes. More information about ASR rules can be found in the corresponding Microsoft documentation.
      • User awareness training

      Another helpful URL: https://www.rapid7.com/blog/post/2023/01/31/rapid7-observes-use-of-microsoft-onenote-to-spread-redline-infostealer-malware/
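The two ASR commands in the list above each set one rule; the script below (an added example, not from the thread or from Microsoft) applies both, shows each rule's state before and after, starts in audit mode as the post suggests, and pulls the resulting Defender events. It assumes Microsoft Defender Antivirus is active and the session is elevated.

```powershell
# Added example (not from the thread): apply the two ASR rules listed above, reporting their
# current state first and appending to (not replacing) the configured rule set.
# Assumes Microsoft Defender Antivirus is the active AV and the session is elevated.
$Rules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
}
# Start in AuditMode to collect events without blocking; change to 'Enabled' once reviewed.
$Action = 'AuditMode'

# Get-MpPreference reports rule actions numerically: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([string]$RuleId)
    $Pref = Get-MpPreference
    $Ids  = @($Pref.AttackSurfaceReductionRules_Ids)   # may be empty on an unconfigured host
    for ($i = 0; $i -lt $Ids.Count; $i++) {
        if ($Ids[$i] -ieq $RuleId) {                   # GUID comparison is case-insensitive
            $Code = [int]$Pref.AttackSurfaceReductionRules_Actions[$i]
            if ($ActionNames.ContainsKey($Code)) { return $ActionNames[$Code] }
            return "Unknown ($Code)"
        }
    }
    return 'Not configured'
}

foreach ($Id in $Rules.Keys) {
    Write-Host ("{0}: before = {1}" -f $Rules[$Id], (Get-AsrRuleState $Id))
    # Add-MpPreference updates only the named rule; Set-MpPreference would overwrite the whole list.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Id -AttackSurfaceReductionRules_Actions $Action
    Write-Host ("{0}: after  = {1}" -f $Rules[$Id], (Get-AsrRuleState $Id))
}

# ASR hits are written to the Defender operational log: event 1121 = blocked, 1122 = audited.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Review the 1122 audit events for legitimate Office child processes (add-ins, line-of-business macros) before switching $Action to 'Enabled', since that is what the block will break.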
