NotDoor: Outlook-Targeting Espionage Tool Linked to APT28
Cybersecurity researchers at LAB52 (part of S2 Grupo) have identified NotDoor, a newly observed espionage toolkit that weaponizes Microsoft Outlook. The analysis ties the malware to APT28 (also known as Fancy Bear), a threat actor with a long history of state-aligned intrusions. NotDoor is notable for turning Outlook’s automation features into a covert remote-access and data-exfiltration channel, and the campaign has focused on targets across NATO countries.
How the Attack Operates (High Level)
NotDoor is implemented as a malicious VBA macro that runs inside Outlook. The macro remains dormant until specific email conditions are met (for example, an incoming message matching a trigger the attacker controls), at which point it activates and grants the attacker remote control over the compromised host. The implant leverages Outlook's event-driven automation both to launch payloads and to remove the triggering messages, making initial detection and forensic tracing more difficult.
Key Evasion and Persistence Techniques
- Obfuscated scripting: The VBA code is intentionally scrambled to hinder analysis and evade signature-based detection.
- Hijacking trusted processes: The malware abuses legitimate, signed executables to load malicious libraries (DLL side-loading), so its activity appears to come from a normal system process.
- Registry and setting changes: It adjusts Outlook and system settings to suppress macro warnings and dialog prompts so the payload runs silently.
- Cleanup and stealth: Trigger emails are deleted and temporary artifacts are removed after exfiltration to reduce forensic traces.
Capabilities Observed
When active, NotDoor can collect files, upload stolen data, execute commands, and send harvested content to attacker-controlled infrastructure. The tool also performs network callbacks to confirm successful operations and to receive further instructions.
Attribution
LAB52 attributes the activity to APT28, a prolific group previously linked to high-profile intrusions. The discovery reinforces concerns that well-resourced state-aligned actors continue to refine techniques that exploit everyday enterprise tools like Outlook.
Mitigation & Immediate Actions
Security teams should prioritise the following defensive measures to reduce the risk from NotDoor-like threats:
- Disable Office macros by default and restrict macro execution via group policy.
- Monitor Outlook for unusual configuration changes and registry edits.
- Block or restrict loading of unexpected DLLs by trusted executables and enable application control where possible.
- Keep Microsoft Office and Windows fully patched and up to date.
- Train staff to recognise suspicious emails and to report unexpected attachments or requests.
- Harden email gateways and apply advanced threat detection to scan attachments and macros.
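The second item above (monitoring Outlook configuration and registry changes) can be turned into a quick host-side audit. The script below is an added example, not part of the LAB52 report and not a published NotDoor indicator: it reads the Outlook registry values a macro implant would need to tamper with (the Trust Center macro security level, the setting that makes Outlook load its VBA project at start-up, and the dialog-suppression list) and reports whether the per-user VBA project file exists. The set of Office version keys checked (14.0, 15.0, 16.0) is an assumption; adjust it for your estate.

```powershell
# Added audit example (not from the LAB52 report): inspect the Outlook settings that an
# Outlook-macro implant would need to change, for the current user. Value names are real
# Outlook settings; the level-to-meaning table is the documented Trust Center mapping.

$versions = @('14.0', '15.0', '16.0')   # Office 2010 / 2013 / 2016 and later (assumed set)
$levelMeaning = @{
    1 = 'Enable all macros (DANGEROUS)'
    2 = 'Notifications for all macros'
    3 = 'Notifications for digitally signed macros only (default)'
    4 = 'Disable all macros without notification'
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent
}

$findings = foreach ($v in $versions) {
    $user   = "HKCU:\Software\Microsoft\Office\$v\Outlook"
    $policy = "HKCU:\Software\Policies\Microsoft\Office\$v\Outlook"
    if (-not (Test-Path $user) -and -not (Test-Path $policy)) { continue }

    # Macro security level: a Group Policy value takes precedence over the user value.
    $lvl = Get-RegValue "$policy\Security" 'Level'; $src = 'policy'
    if ($null -eq $lvl) { $lvl = Get-RegValue "$user\Security" 'Level'; $src = 'user' }
    if ($null -eq $lvl) { $lvl = 3; $src = 'default' }

    [pscustomobject]@{
        Office            = $v
        MacroLevel        = "$lvl ($($levelMeaning[[int]$lvl])) [$src]"
        # Makes Outlook load the VBA project when it starts; required for a persistent macro.
        LoadMacroOnBoot   = Get-RegValue $user 'LoadMacroProviderOnBoot'
        # PONT_STRING lists dialog IDs Outlook should never show; any value here silences prompts.
        SuppressedDialogs = Get-RegValue "$user\Options\General" 'PONT_STRING'
    }
}

# The user's Outlook VBA project is stored here. Most users never create one, so its
# presence, or a recent write time, is worth a closer look.
$otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
$otmInfo = if (Test-Path $otm) { Get-Item $otm | Select-Object FullName, Length, LastWriteTime }
           else { 'not present' }

$findings | Format-Table -AutoSize
"VbaProject.OTM: $($otmInfo | Out-String)".Trim()
```

Run it under the user account that uses Outlook, since all of these settings live in HKCU; a macro level of 1, a non-zero LoadMacroProviderOnBoot, or a populated PONT_STRING on a host where no one administers Outlook macros deserves investigation.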
Why This Matters
NotDoor highlights how commonly used productivity tools can be repurposed into potent espionage platforms. Because the malware abuses legitimate features and clears traces, organisations must combine technical controls with vigilant monitoring and user awareness to effectively reduce exposure.
FAQ
Is NotDoor active in the wild?
Yes. LAB52 reported active targeting of organisations across NATO countries, and defenders should treat the campaign as a live threat.
Does this require special exploits to work?
No zero-day is required. NotDoor relies on malicious Office macros and Outlook automation. Preventing macro execution and using email protections can greatly reduce risk.
Can endpoint detection stop this malware?
Modern endpoint protections can detect many indicators of compromise, but NotDoor’s obfuscation and use of trusted processes increase the challenge. Layered controls and monitoring are critical.