Add OneNote File Extensions to the Exchange Online Malware Filter
Hi All,
I've heard about OneNote phishing in the last few months. That seems to be a new way of attack.
Sadly, I don't know the exact details of that attack.
What came to my mind was to block OneNote Attachments in the Malware Filter.
Microsoft: Better protection against risky OneNote phishing planned
Microsoft also wants to improve here, according to the M 365 Roadmap
I've checked the OneNote file extensions on my computer
Microsoft OneNote File Extensions according to thefile.org
Let's go to work. List the Malware Filter Policies in Exchange Online
Connect-ExchangeOnline
Get-MalwareFilterPolicy | ft Name
Look at the details. As you can see, the extensions are in the FileTypes attribute (without a dot before the extension).
Get-MalwareFilterPolicy -Identity ICEWOLFMalwarefilterPolicy-01
Let's add the OneNote File Extensions
$FileTypes = (Get-MalwareFilterPolicy -Identity ICEWOLFMalwarefilterPolicy-01).FileTypes
# Number of extensions before the change
$FileTypes.Count
# Add the OneNote extensions (without the leading dot)
$FileTypes.Add("one")
$FileTypes.Add("onepkg")
$FileTypes.Add("onetoc")
$FileTypes.Add("pwi")
$FileTypes.Add("sig")
$FileTypes.Add("onecache")
$FileTypes.Add("onetmp")
# Write the extended list back to the policy
Set-MalwareFilterPolicy -Identity ICEWOLFMalwarefilterPolicy-01 -FileTypes $FileTypes
As you can see, the file types are now in the policy
Regards
Andres Bohren
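A repeatable variant of the steps above, as an added example that is not part of the original post: it merges the extensions into the policy without creating duplicates, warns if the file filter is switched off, and reads the policy back to confirm the change. The policy name and the OneNote extensions are the ones from the post (with the cache extension spelled onecache); the helper name Merge-FileTypeList is hypothetical.

```powershell
# Added example, not from the original post. Merge-FileTypeList is a hypothetical helper.
function Merge-FileTypeList {
    param([string[]]$Current, [string[]]$ToAdd)
    $seen   = [System.Collections.Generic.HashSet[string]]::new()
    $merged = [System.Collections.Generic.List[string]]::new()
    foreach ($ext in @($Current) + @($ToAdd)) {
        if ([string]::IsNullOrWhiteSpace($ext)) { continue }
        # Normalise to the form the policy shows (no leading dot); lower-case so duplicates are caught
        $n = $ext.Trim().TrimStart('.').ToLowerInvariant()
        if ($n -and $seen.Add($n)) { $merged.Add($n) }
    }
    return ,$merged.ToArray()
}

$PolicyName = 'ICEWOLFMalwarefilterPolicy-01'
# Extensions from the post. Note: "sig" is also used for other signature files,
# so check for legitimate mail flow with that extension before blocking it.
$OneNoteExt = 'one', 'onepkg', 'onetoc', 'pwi', 'sig', 'onecache', 'onetmp'

Connect-ExchangeOnline
$policy = Get-MalwareFilterPolicy -Identity $PolicyName
$before = @($policy.FileTypes)
$after  = Merge-FileTypeList -Current $before -ToAdd $OneNoteExt
$new    = @($after | Where-Object { $_ -notin $before })

# The FileTypes list only takes effect when the common attachments filter is enabled
if (-not $policy.EnableFileFilter) {
    Write-Warning "EnableFileFilter is off on $PolicyName; the FileTypes list is not enforced."
}

if ($new.Count -gt 0) {
    Set-MalwareFilterPolicy -Identity $PolicyName -FileTypes $after
    # Read the policy back and confirm every extension is present
    $applied = @((Get-MalwareFilterPolicy -Identity $PolicyName).FileTypes)
    $missing = @($OneNoteExt | Where-Object { $_ -notin $applied })
    if ($missing.Count -gt 0) {
        Write-Warning "Not applied: $($missing -join ', ')"
    } else {
        Write-Output "Added: $($new -join ', ') (total $($applied.Count) file types)"
    }
} else {
    Write-Output "No change: all OneNote extensions are already in $PolicyName"
}
```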