Russia’s APT28 Targets Microsoft Outlook With ‘NotDoor’ Malware

Summary

Security researchers at Lab52 (S2 Grupo) have uncovered a new Outlook-focused backdoor called “NotDoor” attributed to APT28 (Fancy Bear). NotDoor is a VBA macro for Microsoft Outlook that watches for a specific trigger string in incoming emails; when triggered it can execute commands, upload files, and exfiltrate data while deleting the triggering message to avoid detection.

The threat chain leverages a signed Microsoft binary (OneDrive.exe) vulnerable to DLL sideloading to load a malicious SSPICLI.dll loader. That loader disables macro protections, runs Base64-encoded PowerShell commands (including DNS-based lookups via a service called DNSHook), and deploys the obfuscated VBA backdoor into Outlook.

Key Points

  1. NotDoor is a VBA Outlook backdoor that monitors emails for attacker-specified trigger strings.
  2. Delivery uses DLL sideloading of a malicious SSPICLI.dll via the signed OneDrive.exe binary.
  3. The loader runs Base64-encoded PowerShell commands and uses DNSHook for command-and-control lookups.
  4. NotDoor disables macro security prompts and hides activity by deleting the triggering email.
  5. The backdoor supports data exfiltration, uploading files, and remote command execution via specially crafted emails/attachments.
  6. Code is obfuscated (randomised function names) to hinder analysis and detection.
  7. Researchers at Lab52 discovered the artefact and attributed it to APT28, highlighting the group’s continued evolution.

Content Summary

Lab52’s analysis describes how attackers weaponise a legitimate, signed Microsoft binary to sideload a malicious DLL, which in turn relaxes Outlook macro restrictions and installs a VBA-based backdoor. The backdoor activates only when it finds configured trigger strings in received emails; after executing commands it removes the triggering message to reduce forensic traces. The campaign uses encoded PowerShell and DNS-based mechanisms (DNSHook/Webhook.site) observed in earlier APT28 operations.

Attribution to APT28 is reported by Lab52; details on initial detection and full attribution methods remain limited in the public write-up. Organisations should assume sophisticated persistence and covert exfiltration capabilities when defending against similar campaigns.

Context and Relevance

This finding matters because Outlook is ubiquitous in enterprises, and using it as a covert channel dramatically widens attackers’ options for stealthy communication and data theft. The combination of signed-binary sideloading, disabling of macro prompts, obfuscation, and email-triggered actions demonstrates mature tradecraft designed to bypass common defences such as naive macro-blocking and basic email filtering.

For security teams, this reinforces several trends: nation-state actors continue to innovate around trusted binaries and legitimate services; email clients remain high-value attack surfaces; and detection needs to focus on behavioural telemetry (unusual OneDrive/SSPICLI activity, atypical PowerShell invocations, DNS anomalies, and sudden Outlook macro modifications) rather than solely on indicators of compromise.
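As an added illustration of the behavioural telemetry recommended above (this is not code from the Dark Reading article or from Lab52’s research), the Python sketch below runs two checks over constructed Sysmon-style events: OneDrive.exe loading an SSPICLI.dll from outside the Windows system directories, and PowerShell -EncodedCommand payloads that decode to DNS or webhook lookups. The event shape, the file paths and the webhook.site hostname are constructed assumptions, not indicators from the campaign.

```python
import base64
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (id 7 = image load, id 1 = process create); not real campaign telemetry.
ENC = base64.b64encode("Resolve-DnsName c2-placeholder.webhook.site".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": 7, "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\SSPICLI.dll", "signed": False},
    {"id": 7, "image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Windows\System32\SSPICLI.dll", "signed": True},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoP -w hidden -enc {ENC}"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}   # where the real SSPICLI.dll lives
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
C2_HINTS = ("webhook.site", "resolve-dnsname", "nslookup")       # DNS/webhook lookup indicators

def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or None if absent or invalid."""
    m = ENC_FLAG.search(cmdline)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def check_sideload(ev):
    """Flag SSPICLI.dll loaded into OneDrive.exe from outside the system directories or unsigned."""
    image, loaded = PureWindowsPath(ev["image"]), PureWindowsPath(ev["loaded"])
    if image.name.lower() != "onedrive.exe" or loaded.name.lower() != "sspicli.dll":
        return None
    if str(loaded.parent).lower() in SYSTEM_DIRS and ev.get("signed", False):
        return None
    return f"possible DLL sideload: {ev['image']} loaded {ev['loaded']}"

def check_powershell(ev):
    """Flag encoded PowerShell whose decoded body references DNS or webhook lookups."""
    if PureWindowsPath(ev["image"]).name.lower() not in ("powershell.exe", "pwsh.exe"):
        return None
    decoded = decode_encoded_powershell(ev.get("cmdline", "")) or ""
    hits = [h for h in C2_HINTS if h in decoded.lower()]
    return f"encoded PowerShell with DNS/webhook indicators {hits}: {decoded}" if hits else None

def scan(events):
    """Run the check matching each event id and return the alert strings in event order."""
    checks = {7: check_sideload, 1: check_powershell}
    return [a for ev in events if (a := checks.get(ev["id"], lambda _: None)(ev))]
```

Running `scan(SAMPLE_EVENTS)` yields two alerts: the sideload from the user-profile OneDrive folder and the encoded command that resolves a webhook.site name; the explorer.exe load from System32 and the plain `-File` invocation are not flagged.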

Why should I read this?

Short and blunt: if your organisation uses Outlook, you need to know how Fancy Bear is turning it into a sneaky command channel. This piece saves you the digging — it flags the delivery route (OneDrive DLL sideload), the trigger mechanism (email string), and the signs to hunt for (encoded PowerShell, DNSHook lookups, deleted trigger emails). Read it to know what to check this afternoon, not next quarter.

Author’s take

Punchy and clear: another reminder that trusted apps and signed binaries are now standard tools in advanced attackers’ kits. Treat binary sideloading and macro bypass techniques as high-risk indicators and prioritise telemetry that spots behaviour, not just file hashes.

Source

Source: https://www.darkreading.com/endpoint-security/apt28-outlook-notdoor-backdoor
