OneNote joins other Office apps in blocking malicious file extensions to deter malware spread


Microsoft will finally implement a new security measure in OneNote, preventing the spread of malware through malicious file extensions. This puts OneNote alongside the other Office apps (Outlook, Word, Excel, and PowerPoint) that now block the same malicious file extensions:

.ade, .adp, .app, .application, .appref-ms, .asp, .aspx, .asx, .bas, .bat, .bgi, .cab, .cer, .chm, .cmd, .cnt, .com, .cpl, .crt, .csh, .der, .diagcab, .exe, .fxp, .gadget, .grp, .hlp, .hpj, .hta, .htc, .inf, .ins, .iso, .isp, .its, .jar, .jnlp, .js, .jse, .ksh, .lnk, .mad, .maf, .mag, .mam, .maq, .mar, .mas, .mat, .mau, .mav, .maw, .mcf, .mda, .mdb, .mde, .mdt, .mdw, .mdz, .msc, .msh, .msh1, .msh2, .mshxml, .msh1xml, .msh2xml, .msi, .msp, .mst, .msu, .ops, .osd, .pcd, .pif, .pl, .plg, .prf, .prg, .printerexport, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .psd1, .psdm1, .pst, .py, .pyc, .pyo, .pyw, .pyz, .pyzw, .reg, .scf, .scr, .sct, .shb, .shs, .theme, .tmp, .url, .vb, .vbe, .vbp, .vbs, .vhd, .vhdx, .vsmacros, .vsw, .webpnp, .website, .ws, .wsc, .wsf, .wsh, .xbap, .xll, .xnk

The plan to arm OneNote with such a blocking capability was first shared by Microsoft in March in its Microsoft 365 roadmap. Prior to that, a report about hackers using Microsoft OneNote attachments to spread malware surfaced in December 2022. Cybersecurity company Trustwave shared this finding, detailing how the threat actors disguise the files to lure victims into clicking them to start the attack.

“…We uncovered threat actors using a OneNote document to move Formbook malware, an information stealing trojan sold on an underground hacking forum since mid-2016 as malware-as-a-service,” Trustwave wrote in its blog last year. “Formbook malware can steal data from various web browsers and from other applications. This malware also has keylogging functionality and can take screenshots.”

Before this change, OneNote only showed users a warning dialog and still allowed the files to be opened. Now the files are blocked completely. Nonetheless, Microsoft noted that users can still choose to save the file to their local devices, where they can open it.

The new blocking function is only available in OneNote for Microsoft 365 (and OneNote in retail versions of Office 2021, Office 2019, and Office 2016) on Windows devices, which means OneNote on Mac, OneNote on Android or iOS devices, OneNote on the web, and OneNote for Windows 10 are not included.

The change will also roll out gradually. According to Microsoft's support document, Current Channel (Preview – Version 2304) will get it by the first half of April 2023, while Current Channel (Version 2304) will see the change by the second half of the month. Meanwhile, the change will be implemented on Monthly Enterprise Channel (Version 2304) and Semi-Annual Enterprise Channel (Preview – Version 2308) on June 13 and September 12, respectively. Semi-Annual Enterprise Channel (Version 2308) will be the last to get it, on January 9, 2024.
