Cybersecurity researchers have unveiled comprehensive detection methodologies for NotDoor, a sophisticated backdoor malware that leverages Microsoft Outlook macros for covert command and control operations.
The malware, attributed to the Russian state-sponsored threat group APT28 (Fancy Bear), represents an evolution in email-based persistence techniques that can evade traditional security controls.
NotDoor was first identified by Lab52, the threat intelligence division of Spanish cybersecurity firm S2 Grupo, during investigations into recent APT28 campaigns.
The backdoor operates by embedding malicious VBA macros within Outlook that monitor incoming emails for specific triggers.
When a trigger email arrives, the macro executes embedded code paths, enabling attackers to exfiltrate sensitive data, upload additional files, and execute arbitrary commands on compromised systems, all while using Outlook as an inconspicuous command and control channel.
The Splunk Threat Research Team has conducted an in-depth technical analysis of NotDoor’s operational mechanics, providing organizations with actionable detection strategies to identify and mitigate this threat.
Attack Chain and Persistence Mechanisms
The NotDoor deployment begins after initial system compromise through undisclosed means. Attackers stage four critical components in the C:\ProgramData directory: a legitimate OneDrive.exe executable, a malicious SSPICLI.dll, a renamed copy of the original sspicli.dll (tmp7E9C.dll), and testtemp.ini containing the VBA macro backdoor.
The attack exploits DLL sideloading, a technique where the legitimate OneDrive executable loads the malicious SSPICLI.dll instead of the authentic system library.

This DLL then executes base64-encoded PowerShell commands that perform network connectivity checks and, critically, copy the testtemp.ini file to %APPDATA%\Microsoft\Outlook\VbaProject.OTM, the location where Outlook stores all VBA macros.
Procmon shows that the file is created in the user's Roaming directory with a very specific name (VBAProject.OTM).

To ensure uninterrupted operation, NotDoor modifies several critical Outlook registry keys. The malware sets LoadMacroProviderOnBoot to enable automatic macro loading at startup, changes the Outlook Security Level value to “1” to allow all macros without notification, and manipulates the PONT_STRING registry key to suppress content download warnings that would otherwise alert users to suspicious activity.

The Splunk Threat Research Team has developed a comprehensive analytic story with multiple detection rules targeting NotDoor’s distinctive behaviors.
Key detection opportunities include monitoring for encoded PowerShell commands spawned by OneDrive.exe, tracking registry modifications to Outlook security settings by non-Outlook processes, and identifying creation of VbaProject.OTM files by processes other than Outlook.exe.
The detection analytics leverage the Splunk Endpoint data model to identify malicious PowerShell execution patterns using regex matching for encoded commands, registry monitoring for the three critical Outlook security keys, and file system monitoring for suspicious creation of the VbaProject.OTM file in user AppData directories.
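The three behaviours above (encoded PowerShell spawned by OneDrive.exe, changes to the Outlook security values named earlier by a process other than Outlook, and VbaProject.OTM being written by something other than Outlook.exe) can be expressed as plain host-event checks. The following is an added example, not Splunk's analytic story and not code from the article: it runs the checks over constructed sample events. The event field names are an assumption loosely modelled on Sysmon process-create, registry-set and file-create events, and the full registry paths in the samples are assumptions as well; the registry check matches the value names under an Outlook key rather than a version-specific path.

```python
"""Behavioural checks for the three NotDoor indicators, run over constructed
sample endpoint events.  Added example: not Splunk's analytic story and not
code from the original article.  Event field names are an assumption modelled
on Sysmon (process create / registry value set / file create)."""
import base64
import ntpath
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the payload is
# base64 of a UTF-16LE string, which is what the decoder below expects.
ENCODED_PS_RE = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})"
)
# The three Outlook values the article says NotDoor changes, matched by their
# position under an ...\Outlook\ key rather than by a full, version-specific path.
OUTLOOK_SECURITY_VALUE_RE = re.compile(
    r"(?i)\\Outlook\\(?:Security\\Level|LoadMacroProviderOnBoot|(?:[^\\]+\\)*PONT_STRING)$"
)


def basename(path):
    """Case-folded final path component; ntpath handles Windows separators on any OS."""
    return ntpath.basename(path).lower()


def decode_encoded_command(b64):
    """Plaintext of a -EncodedCommand payload, or None if it does not decode cleanly."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_process(ev):
    """Encoded PowerShell whose parent is OneDrive.exe (the sideloaded host process)."""
    if basename(ev.get("parent_image", "")) != "onedrive.exe":
        return None
    if basename(ev["image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    match = ENCODED_PS_RE.search(ev.get("command_line", ""))
    if not match:
        return None
    decoded = decode_encoded_command(match.group(1)) or "<undecodable payload>"
    return {"rule": "encoded_powershell_from_onedrive", "host": ev["host"], "detail": decoded}


def check_registry(ev):
    """One of the three Outlook security values written by a non-Outlook process."""
    if not OUTLOOK_SECURITY_VALUE_RE.search(ev["target_object"]):
        return None
    if basename(ev["image"]) == "outlook.exe":  # Outlook legitimately owns these values
        return None
    detail = f"{ev['target_object']} = {ev.get('details', '?')} by {ev['image']}"
    return {"rule": "outlook_security_registry_tampering", "host": ev["host"], "detail": detail}


def check_file(ev):
    """VbaProject.OTM created under the roaming Outlook profile by a non-Outlook process."""
    target = ev["target_filename"]
    if basename(target) != "vbaproject.otm":
        return None
    if "\\appdata\\roaming\\microsoft\\outlook\\" not in target.lower():
        return None
    if basename(ev["image"]) == "outlook.exe":
        return None
    return {"rule": "vbaproject_otm_created_by_non_outlook", "host": ev["host"],
            "detail": f"{target} by {ev['image']}"}


CHECKS = {"process": check_process, "registry": check_registry, "file": check_file}


def run_detections(events):
    """Apply the matching check to every event; return hits in event order."""
    hits = []
    for ev in events:
        hit = CHECKS[ev["type"]](ev)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample telemetry (not real logs).  The encoded command mirrors the
# copy step the article describes; registry paths are an assumption.
SAMPLE_ENCODED = base64.b64encode(
    "Copy-Item C:\\ProgramData\\testtemp.ini $env:APPDATA\\Microsoft\\Outlook\\VbaProject.OTM"
    .encode("utf-16-le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
OTM = r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "parent_image": r"C:\ProgramData\OneDrive.exe",
     "image": PS, "command_line": f"powershell.exe -enc {SAMPLE_ENCODED}"},
    {"type": "process", "host": "ws01", "parent_image": r"C:\Windows\explorer.exe",
     "image": PS, "command_line": "powershell.exe -Command Get-Date"},
    {"type": "registry", "host": "ws01", "image": r"C:\ProgramData\OneDrive.exe",
     "target_object": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level",
     "details": "DWORD (0x00000001)"},
    {"type": "registry", "host": "ws01", "image": r"C:\ProgramData\OneDrive.exe",
     "target_object": r"HKCU\Software\Microsoft\Office\16.0\Outlook\LoadMacroProviderOnBoot",
     "details": "DWORD (0x00000001)"},
    {"type": "registry", "host": "ws01", "image": OUTLOOK,  # benign: Outlook itself
     "target_object": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Options\General\PONT_STRING",
     "details": "13,"},
    {"type": "file", "host": "ws01", "image": PS, "target_filename": OTM},
    {"type": "file", "host": "ws01", "image": OUTLOOK, "target_filename": OTM},  # benign
]

if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS):
        print(f"[{hit['host']}] {hit['rule']}: {hit['detail']}")
```

Run against the samples, the script flags the OneDrive-spawned encoded PowerShell (with the decoded command as context), the two Outlook security values written by OneDrive.exe, and the VbaProject.OTM write by PowerShell, while the two events attributed to OUTLOOK.EXE stay quiet. The process-name exclusions are deliberately simple; in production they would be paired with image-path or signer checks, since a process can be named outlook.exe without being Outlook.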
Implications for Enterprise Security
NotDoor represents a concerning evolution in email-based persistence techniques because it abuses legitimate functionality within a trusted application.
Unlike traditional malware that requires separate command and control infrastructure, NotDoor operates entirely through normal email channels, making network-based detection significantly more challenging.
Security teams should prioritize monitoring for unusual modifications to Outlook macro security settings, particularly when performed by processes other than Outlook itself. The presence of VbaProject.OTM files created by external processes should trigger immediate investigation, as this behavior strongly indicates compromise.

Organizations using Splunk can immediately deploy the NotDoor analytic story to enhance their detection capabilities.
Even organizations without Splunk can adapt these detection principles to their security platforms by focusing on the core indicators: suspicious PowerShell execution, Outlook registry tampering, and anomalous macro file creation.
The research underscores the importance of layered security controls and proactive threat hunting. As sophisticated threat actors like APT28 continue to develop creative persistence mechanisms that abuse trusted applications, security teams must evolve their detection strategies to identify behavioral anomalies rather than relying solely on signature-based approaches.
IOCs
| Filename | FileHash |
|---|---|
| SSPICLI.dll | 5a88a15a1d764e635462f78a0cd958b17e6d22c716740febc114a408eef66705 |
| testtemp.ini | 8f4bca3c62268fff0458322d111a511e0bcfba255d5ab78c45973bd293379901 |
