top of page
  • Writer's pictureJacob Alcock

New Microsoft Office Threat: OneNote Documents filled with Malware

Look out for potential threats when using Microsoft Office; cyber attackers have been using Microsoft OneNote documents to download malware onto computer systems.

What is the threat to Microsoft Office users?

Attackers use Microsoft OneNote documents (part of Microsoft Office) to launch malware attacks. OneNote is a digital notebook that is included in the Microsoft 365 subscription.

Attackers can attach files to OneNote documents, which can then be used to download malware from remote locations. All the attackers need to do is convince the victim to double-click on the file, which has proven to be a simpler task than expected.

This type of cyber attack hides malware behind the 'click to view document' buttons in emails. This is a clever way to trick victims into thinking that the file is sensitive and requires additional protection, causing them to fall for the attack.

Even if you don’t use OneNote, you could still be at risk of one of these attacks. Attackers assume that businesses will likely have OneNote installed because it’s normally bundled with the rest of the Office applications. These new types of attacks have very low detection rates from antivirus software, and so are proving to be a serious threat.

Microsoft is aware of the malicious uses of OneNote and has publicly stated that changes to OneNote are coming to increase protection against these attacks, which would likely be available before the end of April this year.

What are office macros? Why can they be used in cyber attacks?

A macro is a small set of instructions implemented to automate frequently used tasks for Microsoft office applications. They are written in a programming language called Visual Basic for Applications and are saved as part of the Office file they are associated with.

Macros can be used for many legitimate purposes, but in the wrong hands, they can also be used as a part of a cyber-attack. When they are used with malicious intentions, the attacker can exploit the target in several ways, from running ransomware to stealing data. The nature of macros embedded in Office files makes it difficult for traditional anti-virus software to notice them.

These attacks are not new and have been around since the 1990s. Microsoft has taken defensive actions to fix this vulnerability by disabling macros by default. This has made it more difficult for attackers, forcing them to persuade victims somehow to enable macros. These changes have led attackers to look for exploits in other Office applications.

Phishing email attacks

Infected Office files must be delivered to a victim, often as an email attachment. The files are normally named specifically to persuade you to download and open the file. Email filters are not picking up on these types of attacks because OneNote files are commonly used for genuine business purposes.

How can I prevent these attacks from affecting my business?

Due to the high amount of legitimate business usage of Microsoft OneNote, there are limited ways you can fully prevent these new attacks. One mitigation route is to block the OneNote file extension, ‘.one’ from your mail server. This will block/quarantine any email containing an attachment with this file extension; however, this could cause productivity issues as many legitimate emails would also be blocked.

  • Be wary of any attachments in emails from senders you don’t recognise

  • Don't click an email if it uses pressing language and the attachment looks suspicious

  • Make sure your Anti-Virus and Firewalls are updated

  • Think you’ve received a spam email? Report it:

Until Microsoft has implemented changes to protect users, the best way to protect yourself from these attacks is by educating your staff with Security Awareness Training. We offer this service to businesses to help increase their staff's resilience to cyber-attacks.

Security Awareness Training banner

Have you got any other questions? Contact us today.

How can we support your business?

Phishing 292 x 219px.png

Raise your staff's awareness of phishing emails and guard your business against the growing trend of social-engineering threats.


Training your employees on what a phishing attack looks like makes them more likely to identify and report scams.

security awareness training.png

Our training package is designed and delivered by cyber experts giving you access to the most up-to-date information in an ever-changing cyber landscape.

You can purchase single-place training spots or a cyber security workshop.

Community Members

Our premium membership package is aimed at medium-sized businesses and includes bespoke security awareness training sessions.


This allows your business to train several cyber security champions and an assessment of your cyber risk. 

bottom of page