Be careful with email attachments ending in .one and .html
IT specialists have recognized the danger posed by Office files and have secured their networks against the execution of unsigned macros. Cybercriminals are evading these controls by increasingly turning to other specially prepared file types, which they try to get onto potential victims' systems via emails or download links.
Mimikama information: Around two weeks ago, IT security experts from the cybersecurity company discovered new ransomware activity. The malware spreads so quickly because it replies to existing email conversations and attaches a .zip file. The emails concern finances and invoices.
How do the attackers proceed?
The senders use so-called OneNote files. These files usually have the extension .one and may contain maliciously programmed components; the manipulation is not visible to the recipient. If the user opens the manipulated OneNote file, an embedded script is launched, which downloads malware unnoticed.
Other cybercriminals send malicious attachments in .htm or .html format. Opening these files can execute embedded malicious scripts, for example JavaScript.
Particularities
The senders often fake the identity and email address of known contacts. The email text is plausible and is intended to entice the recipient into opening the attached file or following the download links.
Police recommendations
- Have your institution's IT specialists set up technical countermeasures immediately. These measures should be implemented permanently and also applied to other critical file types.
- Block email attachments and downloads containing OneNote files (.one, .onetoc2, .onepkg) and prevent their execution.
- If you use OneNote files legitimately: set up group policies that block unsigned scripts embedded in OneNote files.
- On Microsoft systems, use protection features such as WDAC, SRP and AppLocker.
- Prevent users from downloading executable and other critical files from the Internet and from opening these file types (particularly .js, .hta and .dll). Apply this to the user profile directories as well. Only files that have been checked and approved by IT specialists should be executable (whitelist).
- Disable or restrict the use of PowerShell.
- Disable or restrict Windows Script Host and MSHTA.
- Check whether scripts such as JavaScript can be disabled in all browsers used by your institution. Uninstall or disable outdated browsers such as Internet Explorer.
- Microsoft has announced updates to reduce the risk. As with all available updates, install security updates as soon as they are released.
- Temporarily redirect all emails and downloads containing OneNote files to a secure area. IT specialists should examine these files carefully before passing them on to users.
- Regardless of the current problem, it makes sense to deactivate active content in emails.
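To show what the attachment blocking and quarantine steps above look like in practice, here is an added example (not from the original article or the police document) of a small mail-gateway check written in Python: it scans a message for the OneNote and script file types listed above, looks one level inside .zip attachments (the spreading pattern described at the top of the article), and also recognizes a OneNote file by its header so that a renamed .one is still held back. The header bytes are assumed to be the OneNote section-file GUID from the MS-ONESTORE format; the mail content is constructed for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File types the recommendations above ask to block or quarantine.
BLOCKED_EXT = (".one", ".onetoc2", ".onepkg", ".htm", ".html", ".js", ".hta", ".dll")
# Header GUID of a OneNote section file (MS-ONESTORE), little-endian bytes (assumed).
ONE_MAGIC = bytes.fromhex("e4525c7b8cd8a74daeb15378d02996d3")

def check_blob(name: str, data: bytes, findings: list, depth: int = 0) -> None:
    """Record why an attachment should be quarantined; look one level into ZIPs."""
    if name.lower().endswith(BLOCKED_EXT):
        findings.append((name, "blocked extension"))
    if data.startswith(ONE_MAGIC):            # catches a .one renamed to .txt etc.
        findings.append((name, "OneNote file header"))
    if depth == 0 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    check_blob(name + "/" + info.filename, zf.read(info), findings, depth + 1)

def scan_message(raw: bytes) -> list:
    """Return (attachment name, reason) pairs for everything that must be held back."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        check_blob(part.get_filename() or "unnamed", part.get_payload(decode=True), findings)
    return findings

def build_sample_message() -> bytes:
    """Constructed lure: a thread reply about an invoice with a ZIP holding a .one file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2023.one", ONE_MAGIC + b"\x00" * 64)
        zf.writestr("readme.txt", b"please open the attached invoice")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "RE: Invoice", "a@example.invalid", "b@example.invalid"
    msg.set_content("As discussed, the invoice is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Invoice.zip")
    msg.add_attachment(ONE_MAGIC + b"\x00" * 64, maintype="application", subtype="octet-stream", filename="notes.txt")
    msg.add_attachment(b"%PDF-1.4 harmless", maintype="application", subtype="pdf", filename="report.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"QUARANTINE {name}: {reason}")
```

The sample mail yields three findings: the .one inside the ZIP (by extension and by header) and the renamed notes.txt (by header only), while the PDF passes.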
The central cybercrime contact point (ZAC) for companies and authorities at the Baden-Württemberg State Criminal Police Office has published police recommendations for action against encryption (ransomware) attacks; the document explains further protective measures against cyber attacks.
Information
Central cybercrime contact point
at the Baden-Württemberg State Criminal Police Office
The ZAC serves as the central contact for business and authorities in all matters relating to cybercrime.
How to reach the ZAC:
Telephone: +49 (0)711 5401 2444
Email: cybercrime@polizei.bwl.de
Website: www.lka-bw.de/zac
Sources:
Baden-Württemberg State Criminal Police Office
Confense