Microsoft will block 120 high-risk file extensions in OneNote
As a consequence of ongoing phishing campaigns using Microsoft OneNote, Microsoft announced that it would harden the application against phishing attacks in early March 2023. Microsoft planned to start the rollout of the security change in April 2023. The company has now published several support documents that provide system administrators and users with additional information.
The main change that Microsoft will introduce changes how 120 high-risk file extensions are handled by the application. OneNote showed a warning to users when they were about to open a high-risk attachment. Users were able to bypass the warning to open the extension.
The OneNote update will block the direct opening of embedded files, if the file extension is on Microsoft's list of dangerous extensions.
OneNote users see "Your administrator has blocked your ability to open this file type in OneNote". The dialog has just an ok button, and a close window control, but no option anymore to execute the embedded file.
The high risk file extensions match the filter lists of other Microsoft products, including Outlook. The full list is available on this support page. It includes common file extensions such as .exe, .iso or .bat, but also many lesser known file extensions.
Here is the full list of blocked extensions:
.ade .adp .app .application .appref-ms .asp .aspx .asx .bas .bat .bgi .cab .cer .chm .cmd .cnt .com .cpl .crt .csh .der .diagcab .exe .fxp .gadget .grp .hlp .hpj .hta .htc .inf .ins .iso .isp .its .jar .jnlp .js .jse .ksh .lnk .mad .maf .mag .mam .maq .mar .mas .mat .mau .mav .maw .mcf .mda .mdb .mde .mdt .mdw .mdz .msc .msh .msh1 .msh2 .mshxml .msh1xml .msh2xml .msi .msp .mst .msu .ops .osd .pcd .pif .pl .plg .prf .prg .printerexport .ps1 .ps1xml .ps2 .ps2xml .psc1 .psc2 .psd1 .psdm1 .pst .py .pyc .pyo .pyw .pyz .pyzw .reg .scf .scr .sct .shb .shs .theme .tmp .url .vb .vbe .vbp .vbs .vhd .vhdx .vsmacros .vsw .webpnp .website .ws .wsc .wsf .wsh .xbap .xll .xnk
Administrators may add more file extensions to the blocklist. They may use the Block additional file extensions for OLE embedding” policy for that, which is found under User Configuration\Policies\Administrative Templates\Microsoft Office 2016\Security Settings in the Group Policy Management Console.
Another option is to use the Cloud Policy service for Microsoft 365. The policies are only available for Microsoft 365 apps for enterprise, and not for Microsoft Apps for Business. Microsoft notes further that administrators should not use the "Embedded Files Blocked Extensions" policy, but without explanation.
There is also a policy to allow certain blocked file extensions. This is handled by "Allow file extensions for OLE embedding" found under User Configuration\Policies\Administrative Templates\Microsoft Office 2016\Security Settings in the Group Policy Management Console. Changes made to this policy do affect other Microsoft 365 apps, including Word, Excel and PowerPoint.
How to bypass the embedded file block in OneNote
OneNote users can't open high-risk files, based on their extension, anymore directly. Microsoft notes that users may save the embedded files to the local system to execute them there, provided that they trust the sender. Security solutions may block the execution of these saved files, however.
OneNote versions that support the change
The change affects OneNote for Microsoft 365 and OneNote in retail versions of Office. It does not affect OneNote for Mac, Android and iOS, OneNote on the web, OneNote for Windows 10, or OneNote in volume licensed versions of Office.
Update channel | Version | Release date |
---|---|---|
Current Channel (Preview) | Version 2304 | First half of April 2023 |
Current Channel | Version 2304 | Second half of April 2023 |
Monthly Enterprise Channel | Version 2304 | June 13, 2023 |
Semi-Annual Enterprise Channel (Preview) | Version 2308 | September 12, 2023 |
Semi-Annual Enterprise Channel | Version 2308 | January 9, 2024 |
OneNote in retail versions of Office follows the Current Channel release data.
Okay that error message has “triggered” me, it’s the exact same crap as when Outlook 2007 stopped being supported, and the error message contained “your administrator…”. You can’t put the blame on IT departments for changes YOU make, Microsoft.
Nice movement to increase security. This should be applied to more apps as soon as possible, blocking suspicious file extensions or common patterns of malware and so forth. Thanks for the article!
You might not think that when something you want but Microsoft does not like for whatever reason (you can be sure that they won’t tell you why they think the extension is risky) is blocked. I always want a straightforward option to override this kind of operating system action (saving the files to a local hard drive is an option that will only be available to the very few users who are aware that they can do this).