Recently it has been reported that Microsoft OneNote files (.one) are being packed with malware and mass-mailed. The malware involved is known to include Redline, Qbot and Shindig, but other families may be distributed the same way.
Microsoft OneNote is a digital note-taking app included with Microsoft 365; when you install Microsoft 365 on a device, OneNote is installed by default. OneNote is not a malicious program in itself, but its .one file format has recently been used to deliver malware that steals data from the victim's computer.
Users receive a phishing email with a OneNote file attached. When the file is opened, it shows a button that says “Double Click to View File”.
Clicking it runs batch script files in the background. According to the Rapid7 analysis, the malware can steal credentials related to cryptocurrency wallets, Discord data, and web browser data including cached cookies.
It is therefore advisable to block any email, sent or received, that carries an attachment with the .one extension. In this blog post we will look at different ways to protect your organization against this threat, including blocking emails with dangerous file attachments.
If you want to search for all emails your users have received with a .one attachment, follow the blog post Search and Export emails with Specific File attachment Extension In Microsoft 365, which gives step-by-step instructions for finding those emails and exporting them to a CSV or PST file.
How to block emails with .one file attachment extension
We will see how to block emails sent or received (inbound or outbound) with a .one file attachment. The same steps can be used to block other attachment extensions, but since the aim is to mitigate the current threat involving .one files, we will start with that.
Option 1 – Create a rule in Exchange Online
We will create a rule in Exchange Online that blocks any email sent or received with an attachment having the .one extension. Follow the steps below:
- Sign in to the Exchange admin center with the Global administrator or Exchange administrator role.
- Go to Mail flow and then click Rules.
- Click on +Add a rule > Create a new rule.
Provide the following information to configure the rule conditions:
- Name: Block Emails with .One File Attachment Extension
- Apply this rule if: Any attachment > file extension includes these words.
- Specify words or phrases: one (without the dot)
- Do the following: Block the message > reject the message and include an explanation.
- Specify rejection reason: This email is rejected due to Invalid File Extension Type.
- Click Next to proceed.
Choose the following options to configure the rule settings:
- Rule mode: Enforce
- Keep the rest of the settings at their defaults.
- Click Next to proceed.
Review and finish
Review the rule conditions and settings you configured. Once you are happy with them, click Finish to create the rule. Note that the rule is created in the Disabled state by default, so you need to enable it after it has been created.
The rule is now created but, as noted, it is disabled, so it does not affect any user yet. It needs to be enabled first.
Click the rule and toggle the switch to enable it.
Option 2 – Block emails with .one file attachment extension using anti-malware policies
In the previous section we created a rule in Exchange Online to block emails with .one attachments. You can also reject these emails by creating an anti-malware policy.
You can either create a new anti-malware policy or add a block for the .one file type to the existing default anti-malware policy. I will create a new custom anti-malware policy just for blocking the .one extension.
The attachment filter offers two actions: reject the message with a non-delivery receipt (NDR), or quarantine the message.
Let’s check the steps:
- Sign in to the Microsoft 365 Defender portal as Security administrator or Global administrator.
- Go to Email & collaboration > Policies & rules > Threat policies.
- Under Policies, find Anti-malware.
- Click on + Create.
Name your policy
- Name: Reject emails with .one attachments
- Description: Reject emails and send NDR for emails with .one file attachment extension.
Users and domains
Add the users, groups or domains to which you want to apply this policy. If you add users, groups and domains together, all the conditions must match for the rule to take effect.
Configure the protection settings as follows:
- Click Select file types and add the .one file type to the list of extensions. Remove all other file types by clicking the X next to each.
- When these file types are found: select Reject the message with a non-delivery receipt (NDR). (An NDR is sent to the sender; the message is not quarantined, and no recipient or admin notifications are sent.)
- Enable zero-hour auto purge (ZAP) – Malware ZAP quarantines messages found to contain malware after they have been delivered to Exchange Online mailboxes.
- Quarantine policy – Select AdminOnlyAccessPolicy so that users cannot view or release the messages.
- Notification – Add admin email addresses for internal and external sender notifications about undelivered emails.
Click Submit when the protection settings are complete.
Testing the Exchange Online rule
We created a rule to block all emails with a .one attachment. Verify it with the following tests:
- Send a test email with a .one attachment from any external domain to your organization (internal domain).
- Send a test email with a .one attachment from your internal/organization domain to any external domain.
- Send a test email with a .one attachment from an internal domain to an internal domain.
Anyone sending an email with a .one attachment will receive a bounce-back email with the message below:
“Your message to email@example.com couldn’t be delivered. A custom mail flow rule created by an admin at xxx.onmicrosoft.com has blocked your message. This message is rejected due to file attachment type.”
How to block other dangerous file extension types using Exchange Online
We have seen how to block Microsoft OneNote (.one) attachments in Exchange Online by creating a transport rule. You can update that rule to add any number of extensions: go to Exchange admin center > Mail flow > Rules > click the rule created to block .one attachments > Edit rule conditions > click Extension > add one or more extensions to the list.
I am getting the error message below while creating this rule in Exchange Online.
Failed to create the new transport rule
Error executing cmdlet: Microsoft.Exchange.Data.DataValidationException|Name: The property “Name” with value ” Block Emails with .One File Attachment Extension” is invalid. The value can’t contain leading or trailing whitespace. Exception of type ‘Microsoft.Exchange.Management.PSDirectInvoke.DirectInvokeCmdletExecutionException’ was thrown.
Make sure the rule name has no spaces before or after it: go back and update the name to remove the extra spaces.
Make sure the extension does not include a dot (.): if you add an extension such as .one with the dot, you will receive another error telling you to remove the dot. Specify extensions without the dot to create the rule successfully.
What is the default anti-malware policy in Microsoft 365, and can it be deleted?
There is a built-in anti-malware policy called Default. It has the lowest priority and applies to all recipients in your organization. Its priority cannot be changed, and admins can view, edit and configure (but not delete) it to meet the needs of their organization.
How to manage anti-malware policies using PowerShell
You can manage anti-malware policies using PowerShell as follows:
- Install the Exchange Online PowerShell module.
- Connect to Exchange Online.
- Use Get-MalwareFilterRule to fetch the existing policy settings.
When creating anti-malware policies with PowerShell, note that it is a two-step process: first create the malware filter policy, then create the malware filter rule that specifies the policy and where it applies.
New-MalwareFilterPolicy – Use this cmdlet to create a malware filter policy.
New-MalwareFilterRule – Use this cmdlet to create a malware filter rule.
Modify an existing malware filter policy
Set-MalwareFilterPolicy – Use this cmdlet to modify malware filter policies.
Set-MalwareFilterRule – Use this cmdlet to modify malware filter rules.
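Both blocking options from this post (the transport rule from Option 1 and the two-step policy plus rule from Option 2) driven from Exchange Online PowerShell. This is an added example, not code from the original post; contoso.com, the admin UPN and the secops mailbox are placeholders for your own tenant values.

```powershell
# Added example (not from the original post): the two blocking methods from the
# post driven from Exchange Online PowerShell instead of the portals.
# Assumptions: ExchangeOnlineManagement module is installed; contoso.com and the
# admin/secops mailboxes are placeholders for your own tenant values.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.com   # placeholder UPN

# Option 1: mail flow (transport) rule. The extension is given WITHOUT the dot and
# the name has no leading/trailing spaces; both trigger the errors described above.
New-TransportRule -Name 'Block Emails with .One File Attachment Extension' `
    -AttachmentExtensionMatchesWords 'one' `
    -RejectMessageReasonText 'This email is rejected due to Invalid File Extension Type.' `
    -Mode Enforce `
    -Enabled $false      # created disabled, as in the portal; enable after review

# Enable it once reviewed (the portal toggle)
Enable-TransportRule -Identity 'Block Emails with .One File Attachment Extension'

# Option 2: anti-malware policy (the settings) plus a rule (the scope), the
# two-step process described above.
New-MalwareFilterPolicy -Name 'Reject emails with .one attachments' `
    -AdminDisplayName 'Reject emails and send NDR for emails with .one file attachment extension.' `
    -EnableFileFilter $true `
    -FileTypes 'one' `
    -FileTypeAction Reject `
    -ZapEnabled $true `
    -QuarantineTag 'AdminOnlyAccessPolicy' `
    -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress 'secops@contoso.com' `
    -EnableExternalSenderAdminNotifications $true -ExternalSenderAdminAddress 'secops@contoso.com'

New-MalwareFilterRule -Name 'Reject emails with .one attachments' `
    -MalwareFilterPolicy 'Reject emails with .one attachments' `
    -RecipientDomainIs 'contoso.com'

# Verify the policy carries only the intended file type and action
Get-MalwareFilterPolicy -Identity 'Reject emails with .one attachments' |
    Select-Object Name, EnableFileFilter, FileTypes, FileTypeAction, ZapEnabled

# Later, extend the transport rule to other dangerous extensions (replaces the list)
Set-TransportRule -Identity 'Block Emails with .One File Attachment Extension' `
    -AttachmentExtensionMatchesWords @('one', 'exe', 'vbs')
```

Run the transport rule part first and confirm the bounce message from the testing section before enabling the anti-malware policy, so you can tell which control rejected a given test email.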
In this blog post we have seen how to block emails sent and received with the .one attachment extension. You can add more extensions to the list to block other dangerous types such as .exe or .vbs. The dangerous extension list can be checked in the Default anti-malware policy in the Microsoft Defender portal.
The default anti-malware policy quarantines any message with one of the following dangerous extensions:
ace, apk, app, appx, ani, arj, bat, cab, cmd, com, deb, dex, dll, docm, elf, exe, hta, img, iso, jar, jnlp, kext, lha, lib, library, lnk, lzh, macho, msc, msi, msix, msp, mst, pif, ppa, ppam, reg, rev, scf, scr, sct, sys, uif, vb, vbe, vbs, vxd, wsc, wsf, wsh, xll, xz, z
Other pre-defined file types that can be added to the anti-malware policy:
7z, 7zip, a, accdb, accde, action, ade, adp, appxbundle, asf, asp, aspx, avi, bin, bundle, bz, bz2, bzip2, cab, caction, cer, chm, command, cpl, crt, csh, css, der, dgz, dmg, doc, docx, dot, dotm, dtox, dylib, font, gz, gzip, hlp, htm, html, imp, inf, ins, ipa, isp, its, jnlp, js, jse, ksh, lqy, mad, maf, mag, mam, maq, mar, mas, mat, mav, maw, mda, mdb, mde, mdt, mdw, mdz, mht, mhtml, mscompress, msh, msh1, msh1xml, msh2, msh2xml, mshxml, msixbundle, o, obj, odp, ods, odt, one, onenote, ops, package, pages, pbix, pdb, pdf, php, pkg, plugin, pps, ppsm, ppsx, ppt, pptm, pptx, prf, prg, ps1, ps1xml, ps2, ps2xml, psc1, psc2, pst, pub, py, rar, rpm, rtf, scpt, service, sh, shb, shtm, shx, so, tar, tarz, terminal, tgz, tool, url, vhd, vsd, vsdm, vsdx, vsmacros, vss, vssx, vst, vstm, vstx, vsw, workflow, ws, xhtml, xla, xlam, xls, xlsb, xlsm, xlsx, xlt, xltm, xltx, zi, zip, zipx.