New QakNote Attacks Push Qakbot Malware via Microsoft OneNote Files

Since Microsoft disabled Office macros, a variety of new techniques have arisen to gain remote code execution on a host, and OneNote attachments have become one of the more prominent. Because it is rather uncommon for OneNote files to be sent through email, many researchers recommend blocking these extensions altogether. For organizations where that is not possible, other options are available. One is to monitor all OneNote files that are sent through email. As this is a rather large undertaking for some organizations, another is to monitor for suspicious process chains in which Outlook or a browser spawns OneNote, which then launches an attachment. Finally, an organization could monitor all OneNote attachment executions in the environment, tuning out those that are not malicious or are commonly seen.
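
The last two monitoring options, sketched as an added example (not from the original article): every non-allowlisted child of OneNote is reported, and it is marked as a launcher chain when that OneNote instance was itself started by Outlook or a browser. The event tuple layout, the sample events, and the allowlist are constructed assumptions; map them to your own process-creation telemetry.

```python
from ntpath import basename  # parses Windows paths on any OS

LAUNCHERS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Assumed tuning list: OneNote children judged benign in this environment.
ALLOWED_CHILDREN = {"onenotem.exe"}

# Constructed process-creation events in creation order:
# (pid, parent pid, image path, command line)
EVENTS = [
    (100, 4, r"C:\Office16\OUTLOOK.EXE", "OUTLOOK.EXE"),
    (200, 100, r"C:\Office16\ONENOTE.EXE", r'ONENOTE.EXE "C:\Temp\invoice.one"'),
    (300, 200, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Temp\attachment.cmd"'),
    (310, 200, r"C:\Office16\ONENOTEM.EXE", "ONENOTEM.EXE"),
    (400, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    (410, 400, r"C:\Office16\ONENOTE.EXE", "ONENOTE.EXE"),
    (420, 410, r"C:\Windows\System32\cmd.exe", "cmd.exe /c notes.cmd"),
]


def detect(events):
    """Return (pid, rule, command line) for each non-allowlisted OneNote child.

    rule is "launcher_chain" when the parent OneNote was spawned by Outlook or
    a browser, otherwise "onenote_child" (lower priority, needs tuning).
    """
    procs = {}  # pid -> (image name, ppid); later events overwrite reused PIDs
    alerts = []
    for pid, ppid, image, cmd in events:
        img = basename(image).lower()
        parent = procs.get(ppid)
        if parent and parent[0] == "onenote.exe" and img not in ALLOWED_CHILDREN:
            grandparent = procs.get(parent[1])
            chained = grandparent is not None and grandparent[0] in LAUNCHERS
            rule = "launcher_chain" if chained else "onenote_child"
            alerts.append((pid, rule, cmd))
        procs[pid] = (img, ppid)
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Extending `ALLOWED_CHILDREN` is the "tuning out" step: add an image name only after confirming it is a routine OneNote child in your environment.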

https://www.bleepingcomputer.com/news/security/new-qaknote-attacks-push-qbot-malware-via-microsoft-onenote-files/