Microsoft is adding extra protection to OneNote, one of the many productivity tools included with Microsoft 365, after hackers started abusing it to deliver malware (opens in new tab) en masse.
According to a new roadmap entry for Microsoft 365, spotted recently by BleepingComputer, OneNote will display an extra warning notification when a user tries to run a high-risk file.
In the “Microsoft OneNote: improved protection against known high risk phishing file types” article, the company said the change should be live by the end of April this year.
Alternatives to weaponized macros
“We add enhanced protection when users open or download an embedded file in OneNote,” Microsoft said in the advisory. “Users will receive a notification when the files deem dangerous to improve the file protection experience in OneNote on Windows.”
Hackers turned to OneNote after Microsoft blocked Excel from running macros in files downloaded from the internet. Macros were one of the most popular attack vectors for threat actors, but ever since the Redmond giant made the change, threat actors have been experimenting with a number of alternatives.
One that has been catching on is the distribution of OneNote files with attachments, which, like macros, can be manipulated to download and run malicious files hosted on third parties.
To make sure victims activate the attachments, the hackers would create a file that looks blurred, with a huge overlaid button saying “click here to view” or something similar. The explanation behind this approach is that the file is “protected”.
Using OneNote to deliver malware started grabbing cybersecurity pros’ attention in December last year, BleepingComputer reported, citing a Trustwave report.
Besides OneNote files, hackers have also been distributing shortcut files (.LNK), as these could come with pretty much any icon (for example, an icon of a .PDF file) and are not inherently malicious.
Via: BleepingComputer (opens in new tab)