Russian Threat Group Targets Microsoft Outlook With Malware

S2 Grupo’s intelligence team has discovered a new Outlook backdoor attributed to APT28, a Russian state-linked persistent threat group. The researchers explained how the attackers use a legitimate signed binary to deploy the backdoor: a malicious library loaded by that binary first disables macro security protections, and only then is the VBA macro backdoor delivered into the targeted networks.
“APT28 is abusing Outlook as a covert channel through a VBA macro backdoor named NotDoor,” Jason Soroko, Senior Fellow at Sectigo, explains. “Delivery uses DLL sideloading of a malicious SSPICLI.dll by the signed OneDrive.exe to disable macro protections and stage commands. The macro watches inbound mail for a trigger word and can exfiltrate data, upload files and run commands. This blends with trusted binaries and normal mail flow and can slip past perimeter tools and basic detections.”
The research demonstrates how APT28 consistently develops new artefacts that bypass established defenses. Casey Ellis, Founder at Bugcrowd, comments, “This is a significant development, and it highlights a few key points that organizations and security teams need to address immediately. The use of Microsoft Outlook as a vector is particularly concerning because of its ubiquity in business environments. APT28 leveraging Outlook macros as a covert communication and data exfiltration channel underscores the importance of hardening email systems and endpoint defenses. This isn’t just about patching vulnerabilities, it’s about recognizing that trusted applications like Outlook can be weaponized in ways that bypass traditional defenses.”
Ellis elaborates, “The deployment method — DLL sideloading via a legitimate signed binary like OneDrive.exe — is a classic example of attackers exploiting trust in legitimate software. This reinforces the need for robust application whitelisting and monitoring for anomalous behavior in signed binaries. Security teams should also focus on detecting and blocking PowerShell misuse, as encoded Base64 commands are a common tactic for obfuscation and execution.”
To help organizations protect against this threat, the researchers published indicators of compromise (IOCs) that defenders can hunt for in their own environments.
Additionally, Soroko suggests, “Security teams should disable Outlook VBA and enforce blocking macros from the internet with Group Policy. Enable Microsoft Defender Attack Surface Reduction rules that stop Office from creating child processes and block Win32 API calls from macros. Lock down DLL loading with WDAC or AppLocker, monitor for OneDrive loading SSPICLI.dll outside trusted paths, hunt for Outlook or OneDrive spawning PowerShell with encoded commands, and restrict egress while alerting on traffic to webhook.site and unusual nslookup activity.”
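The hunts Soroko lists (OneDrive.exe loading SSPICLI.dll from outside its trusted path, Outlook or OneDrive spawning PowerShell with an encoded command, and DNS queries to webhook.site), together with the Base64-encoded PowerShell that Ellis flags, translate into a handful of straightforward detection rules. The Python below is an added example written for this page; it is not code from S2 Grupo, Sectigo or Bugcrowd. It runs over constructed Sysmon-shaped events (EventID 1 process create, EventID 7 image load, EventID 22 DNS query); the field names, trusted DLL paths, parent-process list and sample data are assumptions for illustration, not captured telemetry or published IOCs.

```python
"""Hunt rules for the NotDoor tradecraft described in the article.

Added example: runs over constructed Sysmon-style events (dicts keyed like
Sysmon fields). Not the researchers' code, and the sample data is invented.
"""
import base64
import re
from typing import Optional

# Where the genuine Windows SSPICLI.dll lives. A load of a file with that name
# from anywhere else by a signed binary such as OneDrive.exe is a sideloading
# candidate. (Assumption: default install paths; adjust for your fleet.)
TRUSTED_SSPICLI_PATHS = {
    r"c:\windows\system32\sspicli.dll",
    r"c:\windows\syswow64\sspicli.dll",
}

# Parent processes named in the article whose PowerShell children matter here.
OFFICE_PARENTS = {"outlook.exe", "onedrive.exe"}

# Egress domains named in the article. (Assumption: exact or subdomain match.)
WATCHED_DOMAINS = {"webhook.site"}

# powershell.exe accepts -EncodedCommand and its documented short forms -ec and
# -e (plus longer unambiguous prefixes such as -enc). Payload is Base64 of
# UTF-16LE text, which is why plain string matching on the command fails.
ENCODED_SWITCH = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)"
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script carried by -EncodedCommand, or None."""
    m = ENCODED_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload: still suspicious, just not decodable


def check_sspicli_sideload(ev: dict) -> Optional[dict]:
    """Sysmon EventID 7: SSPICLI.dll loaded from outside System32/SysWOW64."""
    if ev.get("EventID") != 7:
        return None
    loaded = ev.get("ImageLoaded", "")
    if basename(loaded) != "sspicli.dll" or loaded.lower() in TRUSTED_SSPICLI_PATHS:
        return None
    return {"rule": "sspicli_sideload", "process": ev.get("Image"), "dll": loaded}


def check_office_spawn_powershell(ev: dict) -> Optional[dict]:
    """Sysmon EventID 1: Outlook/OneDrive spawning PowerShell; decode -enc."""
    if ev.get("EventID") != 1:
        return None
    if basename(ev.get("ParentImage", "")) not in OFFICE_PARENTS:
        return None
    if basename(ev.get("Image", "")) not in {"powershell.exe", "pwsh.exe"}:
        return None
    return {
        "rule": "office_spawns_powershell",
        "parent": ev.get("ParentImage"),
        "decoded": decode_encoded_command(ev.get("CommandLine", "")),
    }


def check_watched_dns(ev: dict) -> Optional[dict]:
    """Sysmon EventID 22: DNS query for a watched domain or its subdomains."""
    if ev.get("EventID") != 22:
        return None
    q = ev.get("QueryName", "").lower().rstrip(".")
    if any(q == d or q.endswith("." + d) for d in WATCHED_DOMAINS):
        return {"rule": "watched_domain_query", "process": ev.get("Image"), "query": q}
    return None


RULES = (check_sspicli_sideload, check_office_spawn_powershell, check_watched_dns)


def hunt(events) -> list:
    """Apply every rule to every event; return the findings in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev))]


# Constructed sample telemetry (not real events). The encoded command is built
# here so the sample is a valid -EncodedCommand payload.
_ONEDRIVE = r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_ENCODED = base64.b64encode("nslookup abc123.webhook.site".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": _ONEDRIVE,
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\SSPICLI.dll"},
    {"EventID": 7, "Image": _ONEDRIVE, "ImageLoaded": r"C:\Windows\System32\SSPICLI.dll"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": _PS, "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
     "CommandLine": "powershell.exe -NoProfile"},
    {"EventID": 22, "Image": r"C:\Windows\System32\nslookup.exe",
     "QueryName": "abc123.webhook.site"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The second image-load event and the explorer-spawned PowerShell are included as negatives: the rules key on where SSPICLI.dll is loaded from and on the parent process, not on the mere presence of the DLL name or of powershell.exe, which keeps the noise down on a normal fleet.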
Ellis adds, “For organizations, the immediate takeaway is to ensure that macro execution is disabled wherever possible, especially in email clients like Outlook. While Microsoft has made strides in hardening macros by default, this attack demonstrates that those defenses can still be bypassed. Endpoint Detection and Response (EDR) solutions should be configured to flag suspicious macro activity and DLL sideloading attempts.
“The use of DNSHook and Webhook.site for command-and-control (C2) traffic is a reminder to monitor DNS queries and outbound traffic for unusual patterns. Threat intelligence feeds and IOCs from this campaign should be integrated into detection systems as soon as they’re available.
“This attack is a stark reminder of the evolving sophistication of state-sponsored threat actors like APT28. Organizations need to adopt a layered defense strategy, combining proactive hardening, real-time monitoring, and rapid incident response capabilities to mitigate these threats effectively.”