OneNote: Microsoft plugs a major security hole


Microsoft is bringing a long-awaited security update to OneNote, its note-taking program. In a notice dated March 29, the Redmond company reports that the software will now block embedded files with dangerous extensions. Until now, OneNote merely warned users through a dialog box that opening the attachment might harm the computer.

Phishing attacks

But the file could still be opened, a risk for users, since the true nature of the action being triggered was largely hidden from them. After the update, the dialog will instead report that the attachment cannot be opened. The OneNote update is expected to roll out from April. The block covers 120 extensions, from EXE executables to HTA hypertext applications and Python scripts, for example.
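The update blocks risky embedded files inside OneNote; for analysts triaging OneNote attachments that predate it, the following added example (not Microsoft's code nor part of the original article) walks a .one section for embedded file objects and sniffs what they contain. It assumes the FileDataStoreObject layout from the MS-ONESTORE specification (header GUID, 8-byte length, 12 bytes of unused/reserved fields, then the raw file data); the sample section bytes are constructed inline and the type sniffing is a heuristic.

```python
import struct
import uuid
from typing import Dict, List

# guidHeader of a FileDataStoreObject in the OneNote revision store format
# (MS-ONESTORE); it precedes the raw bytes of every embedded file.
FILE_DATA_GUID = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
# Header after the GUID: cbLength (8 bytes), unused (4 bytes), reserved (8 bytes).
HEADER_LEN = 16 + 8 + 4 + 8

def sniff_payload(data: bytes) -> str:
    """Heuristic classification of an embedded payload by its leading bytes."""
    head = data[:512]
    if head.startswith(b"MZ"):
        return "pe-executable"          # EXE/DLL and friends
    lowered = head.lower()
    if b"<script" in lowered or b"<html" in lowered or b"<hta:" in lowered:
        return "html-script"            # HTA-style content
    if head.startswith(b"#!") or b"import " in head:
        return "script"                 # shell/Python-like text
    return "unknown"

def extract_embedded_files(blob: bytes) -> List[Dict]:
    """Return offset, declared size and sniffed kind of each embedded file."""
    found = []
    pos = blob.find(FILE_DATA_GUID)
    while pos != -1:
        if pos + HEADER_LEN > len(blob):
            break                       # header runs past end of file
        (length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + HEADER_LEN
        payload = blob[start:start + length]
        found.append({"offset": pos, "size": length,
                      "kind": sniff_payload(payload),
                      "truncated": len(payload) < length})
        pos = blob.find(FILE_DATA_GUID, start + max(len(payload), 1))
    return found

def build_sample_section() -> bytes:
    """Constructed stand-in for a .one file: filler plus two embedded objects."""
    def obj(payload: bytes) -> bytes:
        return FILE_DATA_GUID + struct.pack("<Q", len(payload)) + b"\x00" * 12 + payload
    fake_exe = b"MZ" + b"\x90" * 60                       # constructed, not a real PE
    fake_hta = b"<html><head><HTA:APPLICATION ID=\"x\"></head><script></script></html>"
    return b"\x00" * 44 + obj(fake_exe) + b"\x11" * 20 + obj(fake_hta)

if __name__ == "__main__":
    for item in extract_embedded_files(build_sample_section()):
        print(item)
```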

Security researchers Emeric Nasi and Lance James had reported as early as August 2022 on the note-taking app’s potential for phishing attacks. In addition to this ability to embed files with suspicious extensions, they observed that OneNote allowed malicious Excel or Word files to be opened without Protected View. This potential was also noticed by hacker groups. As Bleeping Computer reported, attacker groups quickly turned to OneNote attachments to infect victims after Microsoft disabled macros in Office documents last summer.

Current campaigns

Trustwave, for example, reported at the beginning of December the distribution of malware via a OneNote-format email attachment. Opening the attachment launched a WSF file (Windows Script File), which in turn downloaded the malware.

After identifying six malicious campaigns relying on OneNote in December 2022, Proofpoint researchers observed more than fifty active campaigns in January 2023. According to the company, the weakness in OneNote’s security notably allowed the distribution of the Qbot banking malware. This is proof of the growing interest of attackers, whether cybercriminal gangs or state-sponsored groups, in this security hole.
