Recent reports indicate that threat actors (hackers) are using Microsoft OneNote files, sent as attachments, to attack organisations. Microsoft OneNote attachments use the '.one' file extension. Threat actors create templates that appear to be a protected document, with a message telling the user to 'double-click' a design element to view the file.
Details about how the hackers exploit OneNote are here:
https://cybersecuritynews.com/onenote-malware/
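A mail-filtering check for the '.one' attachments described above, as an added example that is not code from the original article: it flags attachments by file extension and by the OneNote header GUID, so a renamed file is still caught. The function names, sample message and addresses are constructed for illustration; the two GUIDs come from Microsoft's published MS-ONESTORE file format.

```python
import uuid
from email import message_from_bytes, policy
from email.message import EmailMessage

# GUIDs from Microsoft's MS-ONESTORE file format spec, little-endian on disk.
ONE_HEADER = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
EMBEDDED_FILE = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
ONENOTE_EXTS = (".one", ".onepkg", ".onetoc2")


def flag_onenote_attachments(raw_message: bytes) -> list[dict]:
    """Return one finding per attachment that is, or claims to be, OneNote."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        by_name = name.lower().endswith(ONENOTE_EXTS)
        by_content = data.startswith(ONE_HEADER)
        if by_name or by_content:
            findings.append({
                "filename": name,
                "renamed": by_content and not by_name,  # OneNote bytes, other extension
                "embedded_files": data.count(EMBEDDED_FILE),  # embedded file objects
            })
    return findings


def build_sample() -> bytes:
    """Constructed test message: no real OneNote content, only marker bytes."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice attached"
    msg["From"] = "sender@example.com"
    msg["To"] = "office@example.com"
    msg.set_content("Please see attached.")
    fake_one = ONE_HEADER + b"\x00" * 64 + EMBEDDED_FILE + b"\x00" * 32
    msg.add_attachment(fake_one, maintype="application", subtype="octet-stream",
                       filename="Invoice.one")
    msg.add_attachment(fake_one, maintype="application", subtype="octet-stream",
                       filename="Report.pdf")  # OneNote content, misleading name
    msg.add_attachment(b"%PDF-1.7 constructed", maintype="application",
                       subtype="pdf", filename="Timetable.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in flag_onenote_attachments(build_sample()):
        print(finding)
```

A finding with a non-zero `embedded_files` count is the one to quarantine or review first, since it carries another file inside the notebook page.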
Further information about how to prevent a cyber attack when using OneNote files in your organisation is here:
Emotet is a highly advanced malware strain that has been crafted to exfiltrate sensitive information and user credentials from infected systems. Emotet infections usually rely on emails that contain fake invoices, payment reports, shipping data, job opportunities, or any other document that might be significant for the recipient.
These emails include Word or Excel files that harbour macros, which must be enabled by the user before they can access the document's contents.
Emotet operators employ an array of tactics to trick users into enabling these macros, including document templates that pretend to be created on various platforms.
Consider, as a best practice, sending links to files on an intranet rather than sending the files as attachments. This keeps content 'in house' and means there is 'one version of the truth'. These types of links can also be revoked quickly and easily at any time. There is less risk that the document may linger somewhere with someone still thinking it is current. It also reduces your mailbox size and mail traffic.
Details on how to share OneNote links are here:
Training staff is paramount in preventing a cyber attack. The NCSC provide free cyber training for schools: https://www.ncsc.gov.uk/information/cyber-security-training-schools
Further information can be found in our Information/Cyber Security Best Practice Area:
https://dataprotection.education/index.php/best-practice-library/best-practice/information-security
What to do in the event of a cyber attack:
Tell someone! Report to IT. Report to SLT.
Unplug the computer from the internet by removing the ethernet cable or turning the Wi-Fi off.
If you are a victim of a ransomware attack, we would recommend reporting this to Action Fraud: https://www.actionfraud.police.uk/ as well as to your data protection officer so they can advise about the data loss. Most cyber crimes like these will also need to be reported to the ICO by your data protection officer.
Isolate the infected device and pass it to IT.
Always ensure there are backups you can restore from.