Microsoft hardens OneNote against Phishing attacks
Microsoft plans to roll out an update for OneNote in April 2023 to improve the product's protection against "known high risk" phishing attacks. A new entry on the official Microsoft 365 Roadmap, a website that tracks upcoming product changes to all Microsoft 365 applications, confirms the security feature.
OneNote is a note taking application that is available as a Web version, for Windows and Mac systems, as well as Apple and Android mobile devices.
Use of Microsoft OneNote in phishing attacks has increased in recent years. Trustwave described one such attack in January 2023 on the company's blog. Threat actors used OneNote's native .one file format in their email phishing attacks.
OneNote is part of Microsoft Office and Microsoft 365, and it is also available as a free app for Windows on the Microsoft Store. The threat actors used an execution chain that began with the execution of the OneNote file in the mail client, and ended with the execution of a malicious executable file on the Windows system.
Users who opened the OneNote attachment were presented with a blurry image and a "view document" button. Clicking the button launched a security prompt, which warned users that opening attachments could harm the computer and data. Users who clicked the OK button executed a WSF file embedded in the OneNote file. WSF, Windows Script File, is a format used by the Microsoft Windows Script Host. If the user ignored the security warning, the embedded WSF file ran PowerShell commands to download and execute files from the Internet.
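Mail gateways and responders can look for this kind of embedded script before a user ever opens the attachment. The following Python triage is an added example, not code from Microsoft or Trustwave; it assumes the FileDataStoreObject framing from Microsoft's public [MS-ONESTORE] specification, and the marker list, function names and sample bytes are constructed for this illustration.

```python
import struct
import uuid

# FileDataStoreObject header/footer GUIDs as published in [MS-ONESTORE].
HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
# Markers chosen for this example (assumption); tune them for your environment.
SCRIPT_MARKERS = (b"<job", b"<script", b"wscript.", b"powershell")
BINARY_MAGICS = {b"MZ": "Windows executable", b"PK\x03\x04": "ZIP archive"}

def carve_embedded(data: bytes):
    """Yield (offset, payload) for each embedded file object in raw .one bytes."""
    pos = data.find(HEADER)
    while pos != -1 and pos + 36 <= len(data):
        # Layout: header GUID (16), cbLength (8), unused (4), reserved (8), data.
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + 36
        if start + length <= len(data):  # skip truncated or bogus lengths
            yield pos, data[start:start + length]
        pos = data.find(HEADER, pos + 16)

def classify(payload: bytes) -> str:
    """Label a carved payload as a known binary type, a script, or other."""
    for magic, label in BINARY_MAGICS.items():
        if payload.startswith(magic):
            return label
    text = payload.replace(b"\x00", b"").lower()  # also catches UTF-16 scripts
    hits = [m.decode() for m in SCRIPT_MARKERS if m in text]
    return "script (" + ", ".join(hits) + ")" if hits else "other"

def triage(data: bytes):
    """Return (offset, size, label) for every embedded object found."""
    return [(off, len(p), classify(p)) for off, p in carve_embedded(data)]

def wrap_object(payload: bytes) -> bytes:
    """Build a constructed FileDataStoreObject around payload (test data only)."""
    pad = b"\x00" * (-len(payload) % 8)
    return HEADER + struct.pack("<QIQ", len(payload), 0, 0) + payload + pad + FOOTER

# Constructed, harmless sample: one WSF-style script and one image-like blob.
WSF = b'<job id="demo"><script language="VBScript">WScript.Echo "constructed sample"</script></job>'
SAMPLE = b"\x00" * 16 + wrap_object(WSF) + wrap_object(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)

if __name__ == "__main__":
    for offset, size, label in triage(SAMPLE):
        print(f"offset={offset} size={size} type={label}")
```

To check a real attachment, pass the bytes of the quarantined .one file to `triage()`; any entry labelled as a script or executable warrants a closer look before the file is released.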
OneNote: improved phishing protections
To improve the protection of Windows users, Microsoft will roll out changes to OneNote. The company highlights the change on the Microsoft 365 Roadmap website in the following way: "We add enhanced protection when users open or download an embedded file in OneNote. Users will receive a notification when the files deem dangerous to improve the file protection experience in OneNote on Windows."
OneNote will no longer immediately execute dangerous files, meaning those downloaded from unknown sources such as the Internet. Instead, Microsoft OneNote displays a prompt that informs users about potential dangers.
The description is vague, as it omits certain information. It is unclear what the notification looks like, and whether it will include options to load the OneNote file despite the warning that Microsoft displays. Microsoft lists only the Web as the platform for the change, and not the desktop. Microsoft added the improvement to the roadmap on March 10, 2023 and plans to roll it out in April 2023.
Microsoft Office file formats are widely used in phishing attacks. Microsoft improved protection against malicious macros in Office documents in 2022, and uncovered a phishing attack against Office that had the power to circumvent multi-factor authentication.
Now You: do you use OneNote?