1/This simple powershell command blocks ongoing OneNote attacks! (Microsoft Defender) Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EfC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled 🧵 #CyberSecurity #phishing #OneNote #malware #ASR

2/Block all Office applications from creating child processes Defender attack surface reduction is not only bad (like deleting LNKs 😜) It really can safe a company from being ransomwared! Can be deployed via GPO/InTune pretty easy.

3/This rule not only prevents from OneNote attacks, it also prevents you from a bunch of other attacks too (e.g. Follina )! Make sure to get notified about all blocked events by this ASR rule Microsoft-Windows-Windows Defender/Operational, EventID: 1121 #ThreatHunting

4/There is another ASR rule which would also block OneNote attacks partially Block Office applications from creating executable content Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enable #ASR

5/You can also set them to only "Audit Mode" change "Enable" to "AuditMode" in the above commands. This still creates the eventlogs to hunt for but will not break/block anything! Hunt for: Microsoft-Windows-Windows Defender/Operational, EventID: 1122 #ThreatHunting