Russian APT28 Deploys “NotDoor” Backdoor Through Microsoft Outlook

APT28 hackers deploy NotDoor backdoor via Microsoft Outlook macros, using OneDrive sideloading to steal data and evade detection.

HackRead

APT28, the Russian state-backed hacking group long linked to espionage campaigns against NATO countries, has been caught using a new trick inside Microsoft Outlook. Researchers at Lab52, the threat intelligence team at S2 Grupo, revealed a custom backdoor called NotDoor that runs through Outlook’s email client to steal data and give attackers remote control.

NotDoor operates inside Outlook itself as a Visual Basic for Applications (VBA) macro. It works by monitoring incoming emails for a special trigger phrase, such as “Daily Report,” which activates its hidden functions. Once triggered, the malware can send out stolen files, upload new ones onto the victim’s machine, and execute commands, all while blending in with the normal flow of email traffic.

[Image via Lab52]

The way NotDoor gets inside a system is equally concerning. According to Lab52, APT28 (also tracked as Fancy Bear, Sofacy, Sednit, Pawn Storm and, in Microsoft’s naming, STRONTIUM) deploys it by abusing Microsoft’s signed OneDrive.exe binary, which can be made to load an attacker-supplied library through DLL sideloading.

The attackers load a malicious DLL called SSPICLI.dll, which disables Outlook’s macro security and installs the backdoor. From there, the malware uses encoded PowerShell commands to copy itself into Outlook’s macro project folder, verify successful infection with DNS queries to webhook.site, and establish persistence through Windows registry modifications.

Once in place, NotDoor is designed to be difficult to detect. The VBA project is obfuscated, with scrambled variable names and a string-encoding method that disguises its code as random Base64. Any files it steals are encrypted, sent out through Outlook, and then deleted from the victim’s machine. The malware even removes the trigger email that activates it, leaving few traces for defenders to spot.

Lab52’s report found that NotDoor supports four main commands. Attackers can execute system commands with or without returning output, exfiltrate files, or upload new payloads. Results are packaged into email responses that appear legitimate, using subjects such as “Re: 0” or “Re: .” Stolen files are disguised with common names like “report” or “invoice” and carry extensions such as .pdf, .docx, or .jpg, making them blend into the expected workplace data.

Jason Soroko, Senior Fellow at Sectigo, says the campaign demonstrates why security teams cannot rely on perimeter tools alone.

“APT28 is abusing Outlook as a covert channel through a VBA macro backdoor named NotDoor. Delivery uses DLL sideloading of a malicious SSPICLI.dll by the signed OneDrive.exe to disable macro protections and stage commands. The macro watches inbound mail for a trigger word and can exfiltrate data, upload files, and run commands. This blends with trusted binaries and normal mail flow and can slip past perimeter tools and basic detections,” Soroko said.

He recommends immediate defensive steps, including disabling Outlook VBA and blocking internet macros through Group Policy. He also advises enabling Microsoft Defender Attack Surface Reduction rules that prevent Office apps from launching child processes and using Windows Defender Application Control (WDAC) or AppLocker to restrict DLL loading.

On the monitoring side, teams should hunt for OneDrive spawning PowerShell with encoded commands and alert on unusual DNS lookups or outbound traffic to webhook.site.
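The two hunts above, as an added example that is not from the article or from Lab52: a small Python pass over constructed, Sysmon-like events (the field names are my own simplification, not a real schema) that flags OneDrive.exe launching PowerShell with an encoded command, decodes that command for the analyst, and flags DNS queries to webhook.site.

```python
import base64
import re

# Constructed sample telemetry (not from the Lab52 report), in a simplified
# Sysmon-like shape: one OneDrive -> PowerShell process event, one benign
# process event, one DNS query to webhook.site, one benign DNS query.
SAMPLE_SCRIPT = "Write-Output 'constructed sample'"
EVENTS = [
    {"type": "process",
     "parent_image": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -enc "
                     + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
    {"type": "dns", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "query": "abc123.webhook.site"},
    {"type": "dns", "image": r"C:\Windows\System32\svchost.exe",
     "query": "login.microsoftonline.com"},
]

# -EncodedCommand and the abbreviations PowerShell accepts for it.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind an encoded-command argument, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # flag present but payload not decodable; treat as no match

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt(events):
    """Return (rule, detail) pairs for the two hunts recommended in the article."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            if basename(ev["parent_image"]) == "onedrive.exe" and \
               basename(ev["image"]) in ("powershell.exe", "pwsh.exe"):
                decoded = decode_encoded_command(ev["command_line"])
                if decoded is not None:
                    findings.append(("onedrive_spawns_encoded_powershell", decoded))
        elif ev["type"] == "dns":
            q = ev["query"].lower()
            if q == "webhook.site" or q.endswith(".webhook.site"):
                findings.append(("dns_to_webhook_site", f"{basename(ev['image'])} -> {ev['query']}"))
    return findings
```

In production the parent/child and DNS checks would be joined on process GUID so the DNS alert can name the Outlook process that made the lookup.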
