Microsoft is improving OneNote’s security, choosing to automatically block the same list of dangerous file types that Outlook blocks.
OneNote would previously show users a warning dialog when they tried to open a potentially dangerous file but ultimately allow them to continue. The new behavior, which will begin rolling out in April 2023, is designed to offer the same level of protection as Microsoft’s other apps.
OneNote is making an important change to how it treats embedded files that have dangerous extensions. Previously, OneNote showed users a dialog warning them that opening attachments could harm their computer and data. But users could still open the embedded file with the dangerous extension by choosing OK in the dialog.
With this important change, OneNote blocks users from directly opening an embedded file with a dangerous extension and shows them a dialog instead.
If the attachment comes from a known and trusted person, the user can still open the file by saving it to their local device and opening it there.
Here’s the list of attachments being blocked, courtesy of The Hacker News:
.ade, .adp, .app, .application, .appref-ms, .asp, .aspx, .asx, .bas, .bat, .bgi, .cab, .cer, .chm, .cmd, .cnt, .com, .cpl, .crt, .csh, .der, .diagcab, .exe, .fxp, .gadget, .grp, .hlp, .hpj, .hta, .htc, .inf, .ins, .iso, .isp, .its, .jar, .jnlp, .js, .jse, .ksh, .lnk, .mad, .maf, .mag, .mam, .maq, .mar, .mas, .mat, .mau, .mav, .maw, .mcf, .mda, .mdb, .mde, .mdt, .mdw, .mdz, .msc, .msh, .msh1, .msh2, .mshxml, .msh1xml, .msh2xml, .msi, .msp, .mst, .msu, .ops, .osd, .pcd, .pif, .pl, .plg, .prf, .prg, .printerexport, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .psd1, .psdm1, .pst, .py, .pyc, .pyo, .pyw, .pyz, .pyzw, .reg, .scf, .scr, .sct, .shb, .shs, .theme, .tmp, .url, .vb, .vbe, .vbp, .vbs, .vhd, .vhdx, .vsmacros, .vsw, .webpnp, .website, .ws, .wsc, .wsf, .wsh, .xbap, .xll, and .xnk
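Because a blocked attachment can still be saved to disk and opened from there, defenders may want to check saved or extracted attachment names against the same list. The following is an added example, not Microsoft's code and not from the original article; the function names and sample file names are hypothetical, and how OneNote itself matches names is not stated on the page. It handles mixed case, Windows paths, and the trailing dots and spaces that Win32 drops when resolving a name.

```python
import ntpath

# Extension list as given in the article above (leading dots dropped).
BLOCKED = frozenset("""
ade adp app application appref-ms asp aspx asx bas bat bgi cab cer chm cmd cnt com cpl
crt csh der diagcab exe fxp gadget grp hlp hpj hta htc inf ins iso isp its jar jnlp js
jse ksh lnk mad maf mag mam maq mar mas mat mau mav maw mcf mda mdb mde mdt mdw mdz msc
msh msh1 msh2 mshxml msh1xml msh2xml msi msp mst msu ops osd pcd pif pl plg prf prg
printerexport ps1 ps1xml ps2 ps2xml psc1 psc2 psd1 psdm1 pst py pyc pyo pyw pyz pyzw
reg scf scr sct shb shs theme tmp url vb vbe vbp vbs vhd vhdx vsmacros vsw webpnp
website ws wsc wsf wsh xbap xll xnk
""".split())


def split_name(name: str) -> tuple[str, str]:
    """Return (stem, lower-cased final extension) as Windows would resolve the name."""
    base = ntpath.basename(name)   # accepts both \ and / separators
    base = base.rstrip(". ")       # Win32 drops trailing dots and spaces
    stem, dot, ext = base.rpartition(".")
    return (stem, ext.lower()) if dot else (base, "")


def triage(name: str) -> dict:
    """Classify one attachment name against the blocklist."""
    stem, ext = split_name(name)
    blocked = ext in BLOCKED
    # A dot left in the stem (e.g. "x.pdf.exe") suggests a decoy extension.
    return {"name": name, "ext": ext, "blocked": blocked,
            "multi_dot": blocked and "." in stem}


def scan(names):
    """Return triage records for the names whose extension is on the list."""
    return [rec for rec in map(triage, names) if rec["blocked"]]


# Constructed sample names, not taken from any real incident.
SAMPLE_NAMES = ["meeting-notes.docx", "Invoice_March.pdf.EXE", "setup.msi. ",
                r"C:\Users\a\Downloads\run.ps1", "README", "update.hta"]

if __name__ == "__main__":
    for hit in scan(SAMPLE_NAMES):
        print(hit)
```

Matching on the name alone says nothing about the file's actual content, so treat a hit as a triage signal rather than a verdict.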