APT28 deploys “NotDoor” malware via Outlook in NATO-targeted espionage campaign
Farah Amod
Sep 26, 2025 8:15:57 PM

A newly discovered Outlook backdoor is being used by Russian hackers to quietly exfiltrate data and run commands in high-profile cyber-espionage attacks.
What happened
APT28, a Russian state-sponsored threat actor, has been linked to a new Microsoft Outlook-based malware called NotDoor. The malware has been deployed in attacks against multiple companies across NATO countries, according to The Hacker News. The group used NotDoor to monitor email inboxes for trigger words, execute commands, and exfiltrate sensitive data.
Going deeper
NotDoor is a stealthy Visual Basic for Applications (VBA) macro embedded in Microsoft Outlook. Once active, it continuously monitors incoming emails for specific keywords, such as “Daily Report”, and executes commands embedded in those messages. The malware exfiltrates data by sending it to a Proton Mail account, using a temporary folder for staging.
To install the malware, attackers used a technique called DLL side-loading, exploiting Microsoft’s OneDrive executable (onedrive.exe) to load a malicious DLL (SSPICLI.dll). The DLL disables macro protections and installs the NotDoor VBA script.
The malware runs Base64-encoded PowerShell commands to set up persistence, beacon to attacker-controlled servers, and suppress Outlook warning dialogs. It supports four commands:
- cmd: Executes a command and sends back the output via email
- cmdno: Executes a command without sending back output
- dwn: Exfiltrates files as email attachments
- upl: Uploads files to the victim's machine
Files are encrypted using a custom method before being sent, and then deleted from the local system.
What was said
Researchers from S2 Grupo described NotDoor as an example of abusing business applications for covert operations. Kroll also reported observing NotDoor in a recent espionage campaign against an unnamed target, tracking it under the name GONEPOSTAL (KTA007 cluster). Analysts noted that the operation demonstrates "living-off-the-land" tactics using legitimate applications like Outlook and OneDrive to carry out stealthy intrusions.
The malware’s use of Microsoft Dev Tunnels and fake Cloudflare Workers domains adds further layers of obfuscation, helping the attackers rotate infrastructure rapidly and avoid IP-based tracebacks.
FAQs
What is DLL side-loading, and why is it used here?
DLL side-loading is a technique where attackers trick legitimate applications into loading malicious DLL files. In this case, the attackers used Microsoft’s onedrive.exe to load SSPICLI.dll and install the NotDoor malware without triggering security alerts.
Why use Microsoft Outlook as a backdoor instead of a traditional RAT?
Outlook is a trusted enterprise tool with frequent inbound and outbound communication. Using it allows attackers to blend into normal traffic, avoid detection, and receive commands or exfiltrate data without relying on external executables.
What is “living-off-the-land” in cybersecurity?
This refers to using legitimate tools and features already present in the environment, such as PowerShell, the Windows registry, or Outlook macros, to conduct attacks. It minimizes the footprint of the malware itself and makes the activity harder to detect through conventional, file-based methods.
What role do Microsoft Dev Tunnels play in this campaign?
Dev Tunnels allow temporary public exposure of local servers for development purposes. Attackers used them to mask command-and-control (C2) servers, using Microsoft’s infrastructure to bypass IP-based security measures and rotate domains frequently.
What can organizations do to mitigate risks from Outlook-based malware?
Organizations should enforce strict macro policies, monitor PowerShell and registry activity, restrict use of legacy VBA scripting, and regularly audit email rules and behavior for anomalies, especially in high-risk sectors or geopolitical contexts.
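As an added illustration of the audit recommended above (example code, not from the article, S2 Grupo or Kroll), this PowerShell script checks a Windows host for three artefacts the article describes: the Outlook macro security level, recent changes to the Outlook VBA project file, and an SSPICLI.dll sitting beside a OneDrive.exe. The registry paths, file locations and the 7-day window are assumptions.

```powershell
# Added example: defender-side triage of NotDoor-related artefacts on one host.
# Paths, version numbers and thresholds are assumptions, not from the article.

$findings = @()

# 1. Outlook macro security level. Under Outlook\Security, "Level" is
#    1 = enable all macros, 2 = signed macros only (default), 3 = prompt for
#    all, 4 = disable all. Level 1 matches the "macro protections disabled"
#    state the article attributes to the side-loaded DLL.
foreach ($ver in '16.0', '15.0') {
    foreach ($key in "HKCU:\Software\Microsoft\Office\$ver\Outlook\Security",
                     "HKCU:\Software\Policies\Microsoft\Office\$ver\Outlook\Security") {
        $level = (Get-ItemProperty -Path $key -Name Level -ErrorAction SilentlyContinue).Level
        if ($level -eq 1) { $findings += "Outlook macros fully enabled: $key\Level = 1" }
    }
}

# 2. Outlook keeps all user VBA code in a single project file. A recent write
#    on a host where nobody is expected to author macros deserves a look
#    (the 7-day window is an assumption).
$otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
if (Test-Path $otm) {
    $age = (Get-Date) - (Get-Item $otm).LastWriteTime
    if ($age.TotalDays -lt 7) {
        $findings += "VbaProject.OTM modified $([int]$age.TotalHours)h ago: $otm"
    }
}

# 3. Side-loading check: the legitimate SSPICLI.dll lives in System32/SysWOW64.
#    A copy next to OneDrive.exe in a user-writable folder is the pattern the
#    article describes; the signature status helps triage it.
$roots = @("$env:LOCALAPPDATA\Microsoft\OneDrive", "$env:ProgramFiles\Microsoft OneDrive")
foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Filter 'OneDrive.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dll = Join-Path $_.DirectoryName 'SSPICLI.dll'
            if (Test-Path $dll) {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                $findings += "SSPICLI.dll beside OneDrive.exe (signature: $($sig.Status)): $dll"
            }
        }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No NotDoor-related artefacts found by these checks.' }
```

Run it in the context of the user whose Outlook profile is being reviewed, since the registry values and the OTM file are per-user.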