Add OneNote Fileextensions to the Exchange Online Malware Filter
Hi All,
I've heard from OneNote Phishing in the last few Months. That seems to be a new way of Attack.
Sadly i don't know the exact details of that Attack.
What came to my mind was to block OneNote Attachments in the Malware Filter.
Microsoft: Besserer Schutz vor riskantem OneNote-Phishing geplant
Also Microsoft want's to improve here according to the M 365 Roadmap
![](https://icewolffile.blob.core.windows.net/$web/202303/EXO_OneNote_01.jpg)
I've checked the OneNote file Extensions on my Computer
![](https://icewolffile.blob.core.windows.net/$web/202303/EXO_OneNote_02.jpg)
Microsoft OneNote File Extensions according to thefile.org
![](https://icewolffile.blob.core.windows.net/$web/202303/EXO_OneNote_03.jpg)
Let's go to work. List the Malware Filter Policys in Exchange Online
Connect-ExchangeOnline
Get-MalwareFilterPolicy | ft Name
![](https://icewolffile.blob.core.windows.net/$web/202303/EXO_OneNote_04.jpg)
Look at the Details. As you can see the Extensions are in the FileTypes Attribute (without dot before the Extension).
Get-MalwareFilterPolicy -Identity ICEWOLFMalwarefilterPolicy-01
![](https://icewolffile.blob.core.windows.net/$web/202303/EXO_OneNote_05.jpg)
Let's add the OneNote File Extensions
$FileTypes = (Get-MalwareFilterPolicy -Identity ICEWOLFMalwarefilterPolicy-01).FileTypes
$FileTypes.Count
$FileTypes.Add("one")
$FileTypes.Add("onepkg")
$FileTypes.Add("onetoc")
$FileTypes.Add("pwi")
$FileTypes.Add("sig")
$FileTypes.Add("onechache")
$FileTypes.Add("onetmp")
$FileTypes.Add("onetoc")
Set-MalwareFilterPolicy -Identity ICEWOLFMalwarefilterPolicy-01 -FileTypes $FileTypes
$FileTypes.Count
$FileTypes.Add("one")
$FileTypes.Add("onepkg")
$FileTypes.Add("onetoc")
$FileTypes.Add("pwi")
$FileTypes.Add("sig")
$FileTypes.Add("onechache")
$FileTypes.Add("onetmp")
$FileTypes.Add("onetoc")
Set-MalwareFilterPolicy -Identity ICEWOLFMalwarefilterPolicy-01 -FileTypes $FileTypes
![](https://icewolffile.blob.core.windows.net/$web/202303/EXO_OneNote_06.jpg)
As you can see the Filetypes are now in the Policy
![](https://icewolffile.blob.core.windows.net/$web/202303/EXO_OneNote_07.jpg)
Regards
Andres Bohren
![](https://icewolffile.blob.core.windows.net/$web/logos/Exchange_logo.png)