OneNote: A Good Place to Hide Bad Things
OneNote files can contain embedded attachments and scripts. By embedding a malicious script (typically a .cmd, .bat, .vbs, or .hta file) inside a OneNote file, attackers can deliver code that runs on the target's machine with a single click - bypassing many email security filters that focus on known malicious extensions.
The attack flow is straightforward: the victim receives an email with a .one file attachment, often disguised as a shipping notification, invoice, or voicemail. They open the OneNote file. The file contains an overlay image (often a fake "Click to View" button). Clicking the image triggers the embedded script, which downloads and executes ransomware or a remote access tool.
OneDrive does display a warning when you click on a script embedded in a OneNote file - but users who previously dismissed this warning by selecting "Don't show me this again" are now completely unprotected by that safeguard. This is why system-level controls matter more than relying on users to notice warnings.
What to Quarantine
At the email gateway level, ThreeShield recommends quarantining or blocking the following attachment types unless there is a documented business need for them:
- .one - OneNote files (primary vector in this campaign)
- .hta - HTML Application files (execute as scripts)
- .vbs, .vbe - VBScript files
- .js, .jse - JavaScript files sent as attachments
- .wsf, .wsh - Windows Script files
- .cmd, .bat - Command and batch files
- .ps1 - PowerShell scripts
- Password-protected .zip files where the password is sent in the same email
This list should be reviewed in the context of your business. If your organization legitimately receives OneNote files from external parties, a more targeted approach (allow from known domains, block from unknown) may be appropriate.
What If You're Not Quarantining Yet
If you aren't blocking these attachment types at the email gateway, user awareness is your primary mitigation - but it's unreliable. Train staff to:
- Never click "Enable" or "Allow" on any document prompting them to do so from an email attachment
- Treat any OneDrive warning about embedded scripts as a hard stop
- Report unexpected attachments - even from known senders - to IT before opening
ThreeShield's managed clients have these extensions blocked at the gateway as part of our baseline email security configuration. For Microsoft 365 environments, this is configurable in Exchange Online Protection and Defender for Office 365.
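The quarantine list above, the "allow from known domains" variant for OneNote, and the password-protected archive rule, expressed as an Exchange Online Protection configuration. This is an added example, not ThreeShield's own baseline script; it assumes an active Connect-ExchangeOnline session with Security Administrator rights, and 'partner.example' is a placeholder for a trusted sender domain.

```powershell
# Added example (not from the ThreeShield page): apply the gateway quarantine list in
# Exchange Online Protection. Assumes Connect-ExchangeOnline has already been run with
# an account holding Security Administrator rights; 'partner.example' is a placeholder.

# 1. Script-type attachments: extend the common attachments filter in the default
#    anti-malware policy. -FileTypes replaces the whole list, so merge with what is there.
$scriptTypes = @('hta', 'vbs', 'vbe', 'js', 'jse', 'wsf', 'wsh', 'cmd', 'bat', 'ps1')
$allowOneNoteFromKnownDomains = $true   # $false blocks .one outright (preferred when no business need)
if (-not $allowOneNoteFromKnownDomains) { $scriptTypes += 'one' }

$policy = Get-MalwareFilterPolicy -Identity 'Default'
$merged = @($policy.FileTypes) + $scriptTypes | Sort-Object -Unique
Set-MalwareFilterPolicy -Identity 'Default' -EnableFileFilter $true -FileTypes $merged

# 2. OneNote from unknown senders only: a mail flow rule that quarantines .one attachments
#    unless the sending domain is on the documented allow list (the targeted approach).
if ($allowOneNoteFromKnownDomains) {
    New-TransportRule -Name 'Quarantine OneNote attachments from unknown domains' `
        -AttachmentExtensionMatchesWords 'one' `
        -ExceptIfSenderDomainIs 'partner.example' `
        -Quarantine $true `
        -Comments 'Blocks .one files except from documented business partners'
}

# 3. Password-protected archives: the gateway cannot read a password from the message
#    body, so quarantine any attachment it cannot open and review it in the quarantine portal.
New-TransportRule -Name 'Quarantine password-protected attachments' `
    -AttachmentIsPasswordProtected $true `
    -Quarantine $true `
    -Comments 'Archives whose contents cannot be scanned'

# Verify the resulting configuration.
(Get-MalwareFilterPolicy -Identity 'Default').FileTypes
Get-TransportRule | Where-Object { $_.Name -like 'Quarantine *' } | Format-Table Name, State, Priority
```

Mail flow rules apply in priority order and the anti-malware file filter runs regardless of them, so keep 'one' out of the filter list when the allow-list rule is meant to let partner OneNote files through.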