According to the Microsoft 365 roadmap, Microsoft plans to release an update to OneNote in April this year to improve the product’s ability to protect against “known high-risk” phishing attacks.
The reason why Microsoft is introducing this feature is because TrustWave reported such phishing tools in January this year. Attackers used OneNote’s native .one file format to launch phishing attacks by distributing emails.
Users who open a OneNote attachment see a blurry thumbnail and a “View Document” button. Clicking the button launches a security alert warning the user that opening the attachment may harm the computer and data. The user who clicked the OK button executed a WSF file in OneNote.
WSF, Windows Script File, used by Microsoft Windows Script Host. If the user ignores the security warning, the WSF file embedded in OneNote runs a PowerShell command to download and execute the file from the Internet.
