
What you need to know about the recent OneNote vulnerability

Posted on March 30, 2023


A recently discovered cybersecurity vulnerability within Microsoft OneNote could mean your business is at risk of a data breach or ransom from threat actors. In this article, we’re looking at everything you need to know about the threat, including how it works, how big the problem is, how we’re supporting our clients through our SOC services, and what you can do.

Read on to learn more about the security flaw within this commonly-used piece of software, how it fits within the larger threat landscape, and how you can protect your data from malicious actors.

What to know about the OneNote vulnerability:

How it works

Microsoft data suggests threat actors have been leveraging OneNote documents in their cyberattacks since late last year. Threat actors typically embed malicious links or files within OneNote files, otherwise known as Notebooks; when a user clicks one, the device installs and executes the threat actor’s malware. Crucially, the malicious link or software can appear as an LNK, HTA, or WSF file, meaning there are slight variations to be aware of.

Like many spear phishing campaigns, the strategy is heavily disguised and well executed. OneNote documents containing these malicious links/files appear as buttons, giving users the impression that they should be clicked on as part of the document’s intended design. This means there is a social and technical element to the exploit. Unfortunately, though a message may appear to warn of the risk of opening the embedded link or file, unsuspecting users can still trigger the malware to be downloaded and executed.
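A static triage check for the embedded files described above, as an added example that is not from the original article or from Microsoft: it finds each embedded file in a `.one` file by the FileDataStoreObject header GUID from the MS-ONESTORE specification and classifies it by content. The function names, the content markers and the sample bytes are assumptions constructed for illustration.

```python
import struct

# FileDataStoreObject header GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC} from
# MS-ONESTORE, in on-disk byte order; it marks embedded file data.
FDSO_HEADER = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
# Shell link header: HeaderSize 0x4C followed by the LNK class ID.
LNK_MAGIC = bytes.fromhex("4C0000000114020000000000C000000000000046")
RISKY = {"LNK", "HTA", "WSF", "SCRIPT"}


def classify(blob):
    """Best-effort type of one embedded file, judged by content, not name."""
    if blob.startswith(LNK_MAGIC):
        return "LNK"
    # Scripts may be stored as UTF-16: drop NULs and lowercase before matching.
    text = blob[:4096].replace(b"\x00", b"").lower()
    if b"<hta:application" in text:
        return "HTA"
    if b"<job" in text or b"<package" in text:
        return "WSF"
    return "SCRIPT" if b"<script" in text else "OTHER"


def embedded_files(data):
    """Return [(offset, size, kind)] for each embedded file in .one bytes."""
    found, pos = [], data.find(FDSO_HEADER)
    while pos != -1:
        start = pos + 36  # GUID (16) + cbLength u64 + unused u32 + reserved u64
        if start <= len(data):
            size = struct.unpack_from("<Q", data, pos + 16)[0]
            if size <= len(data) - start:  # skip truncated or bogus lengths
                found.append((pos, size, classify(data[start:start + size])))
        pos = data.find(FDSO_HEADER, pos + 16)
    return found


def triage(data):
    """Embedded files that should hold the notebook for analyst review."""
    return [f for f in embedded_files(data) if f[2] in RISKY]


def _wrap(payload):  # constructed framing only, not a complete notebook
    return FDSO_HEADER + struct.pack("<QIQ", len(payload), 0, 0) + payload


SAMPLE = (b"\x00" * 64 + _wrap(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
          + _wrap(LNK_MAGIC + b"\x00" * 56)
          + _wrap(b'<job id="x"><script language="VBScript"></script></job>'))
if __name__ == "__main__":
    print([(hex(off), size, kind) for off, size, kind in triage(SAMPLE)])
```

Embedded images, such as the graphic used for a fake button, come back as `OTHER` and are not flagged.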

How effective it is

Once the malware has been downloaded onto a user’s device, the software can then send data or even grant the threat actor full access to your IT environment. For example, according to the latest Microsoft Digital Defense Report, the median time it takes for attackers to access private data after a successful phishing email is just 1 hour 12 minutes.

From here, attackers can extend their malicious campaign to other devices using some of the same tactics. The same report found that the median time for attackers to begin moving laterally within your network is just 1 hour 42 minutes. So, you have less than two hours, all in, to prevent an even larger data breach from affecting your business.

The scale of the problem

Threat actors have turned to this OneNote vulnerability because Microsoft disabled macros in Word and Excel by default and patched a zero-day hole that was being used to send out malicious ISO and zip files.

Since then, successful exploits of the OneNote vulnerability have increased by 500% due to the lack of effective controls in organisations. Per the 2022 Microsoft Digital Defense Report, phishing methods like the OneNote vulnerability continue to be the preferred attack method for threat actors.

What’s more, our own data shows a steady increase in phishing emails over the last two years, with threat actors utilising everything from the pandemic, attractive business deals and the war in Ukraine to lure users. And so, it’s clear that amid a constantly evolving threat landscape, senior leaders must adopt a proactive stance to effectively protect their data.

How Microsoft is responding

Microsoft has taken a number of steps to develop solutions to protect its users, listed below:

  • Microsoft has issued a crucial patch for the Outlook Elevation of Privilege Vulnerability (CVE-2023-23397), which can also be seen on the EHLO blog under the “Awareness” section.
  • There are also a variety of security updates available, spanning Microsoft 365 apps for enterprise to Outlook 2013 SP1, which will prevent attackers from accessing a user’s Net-NTLMv2 hash and mounting an NTLM Relay attack.
  • In addition, Microsoft has provided a PowerShell script to identify files containing UNC paths. Administrators can review the output to decide which items must be removed from mailboxes.
  • Finally, administrators can use Microsoft 365/Microsoft Office group policy templates to deactivate embedded files and their corresponding blocked extensions.

How you can protect your business from the OneNote vulnerability

As a leading cybersecurity solutions provider, we recommend the following measures to safeguard your data and prevent OneNote files from being exploited:

  • Educate your employees:
    1. Don’t click on email links or download attachments from unknown or untrustworthy senders.
    2. Don’t ignore warning messages in programs such as Word, Excel, or OneNote. Warnings are annoying on purpose!
    3. Use phishing awareness training campaigns from external providers like Atech to evaluate employee habits and risk levels.
  • Use multi-factor authentication (MFA): Up to 99% of data breaches can be prevented if employees are protected by MFA.
  • Practise basic cybersecurity hygiene: Deploy a proactive cybersecurity strategy like SOC (Security Operations Centre) services that offer round-the-clock monitoring and advanced endpoint protection.

How we’re responding to the OneNote vulnerability

Atech’s cyber defence centre has developed and activated a new rule to monitor this specific threat in Microsoft OneNote. This means when users click on malicious links or files contained within OneNote documents, our customers will be alerted before the malware is downloaded.

In addition, we want to ensure our clients are always in the know about pressing cybersecurity issues, so we provide frequent updates and support on key trends, vulnerabilities, and any other pertinent updates – like this article!

As always, our team is working in the background to stay at the forefront of cybersecurity. When we’re not finalists in the Microsoft Partner of the Year Awards for our security services, we’re studying hard for Advanced Specializations in key Microsoft technologies and iterating on our SOC service to ensure our clients are resilient against any cyberattack that comes their way.
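A generic form of the kind of monitoring rule described in this section, as an added example (not Atech’s rule): it flags script hosts started by ONENOTE.EXE and attaches any later processes in the same tree. Field names follow Sysmon Event ID 1; the events, GUIDs, paths and the mapping of cmd.exe and powershell.exe to shortcut targets are assumptions constructed for illustration.

```python
import ntpath

# Processes Windows starts when the embedded file types named in the article
# are opened. cmd.exe and powershell.exe stand in for typical targets of a
# malicious shortcut (assumption).
HANDLERS = {"mshta.exe": "HTA", "wscript.exe": "WSF", "cscript.exe": "WSF",
            "cmd.exe": "LNK", "powershell.exe": "LNK"}


def base(path):
    return ntpath.basename(path).lower()


def detect(events):
    """Alert on script hosts started by OneNote and collect their descendants.

    `events` are process-creation records in time order.
    """
    alerts = {}    # root ProcessGuid -> alert
    tree_of = {}   # ProcessGuid -> root ProcessGuid of the tree it belongs to
    for ev in events:
        image, guid = base(ev["Image"]), ev["ProcessGuid"]
        if base(ev["ParentImage"]) == "onenote.exe" and image in HANDLERS:
            tree_of[guid] = guid
            alerts[guid] = {"file_type": HANDLERS[image], "user": ev["User"],
                            "processes": [image],
                            "command_lines": [ev["CommandLine"]]}
        elif ev["ParentProcessGuid"] in tree_of:
            # Later stages started by the script host inherit the alert.
            root = tree_of[guid] = tree_of[ev["ParentProcessGuid"]]
            alerts[root]["processes"].append(image)
            alerts[root]["command_lines"].append(ev["CommandLine"])
    return list(alerts.values())


def _ev(guid, parent_guid, image, parent_image, cmd):
    return {"ProcessGuid": guid, "ParentProcessGuid": parent_guid,
            "Image": image, "ParentImage": parent_image,
            "CommandLine": cmd, "User": "CORP\\alice"}


ONENOTE = r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE"
EXPLORER, SYS32 = r"C:\Windows\explorer.exe", "C:\\Windows\\System32\\"
# Constructed sample events; GUIDs, paths and user are illustrative.
SAMPLE_EVENTS = [
    _ev("g1", "g0", ONENOTE, EXPLORER, "ONENOTE.EXE invoice.one"),
    _ev("g2", "g1", SYS32 + "mshta.exe", ONENOTE, r"mshta.exe C:\Temp\open.hta"),
    _ev("g3", "g2", SYS32 + "powershell.exe", SYS32 + "mshta.exe",
        "powershell.exe -File stage.ps1"),
    _ev("g4", "g1", r"C:\Apps\msedge.exe", ONENOTE, "msedge.exe https://example.com"),
    _ev("g5", "g0", SYS32 + "cmd.exe", EXPLORER, "cmd.exe"),
]
```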

Access world-leading enterprise protection with SOC services from Atech

As we’ve seen with this OneNote vulnerability, steps to prevent old attacks can spawn new ones. Research shows threat actors need less than two hours after a successful account breach to access the rest of your IT system. So, a proactive approach is now critical for organisations to survive and keep their data safe.

You can keep your data secure by installing the latest security patches, educating your employees, and partnering with a reliable solutions provider. Atech is a leading security partner with extensive experience in the security space. Our pure-play SOC services give you access to cutting-edge data protection tools and more visibility over the ongoing security posture of your business.

Learn more about how our SOC services can empower your business with a proactive security strategy fit for the future by getting in touch.
