In recent weeks, security teams have observed a sophisticated new strain of malware—dubbed GONEPOSTAL—that subverts Microsoft Outlook to relay command and control (C2) instructions.
Emerging through spear-phishing campaigns targeting corporate environments, GONEPOSTAL disguises itself as a benign Office document.
Upon opening the weaponized attachment, victims unknowingly activate a multi-stage payload that interfaces directly with Outlook’s COM APIs to send and receive encrypted email messages containing C2 data.
Early indicators suggest the threat actor behind GONEPOSTAL aims to maintain stealth by hiding network traffic within legitimate email flows, undermining traditional perimeter-based defenses.
Kroll analysts noted that the initial compromise vectors rely on social engineering tactics that exploit common workplace behaviors.
The malicious document leverages a heavily obfuscated VBA macro to drop a lightweight launcher executable into the user’s temporary folder.
Once invoked, the launcher dynamically loads additional modules from a remote server, blending in with routine Outlook operations.
These secondary modules parse the victim’s address book to identify likely internal targets for lateral movement, then craft outbound emails with base64-encoded control instructions embedded in image attachments.
Kroll researchers identified that this tactic effectively bypasses most email gateway appliances, as the attachments appear as innocuous company logos or promotional flyers.
In its third phase, GONEPOSTAL establishes persistence by creating a registry entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, referencing a benign-looking Word document named “Company_Update.docx.”
This document contains a hidden OLE object that, when opened by the victim via Outlook preview, re-executes the payload without raising any security prompts.
Further, the malware writes a DLL into the AppData\Roaming\Microsoft\Outlook directory and registers it with Outlook’s add-ins framework, ensuring that every instance of Outlook automatically loads the malicious component on startup.
Victims typically remain unaware of the threat’s presence, as the add-in appears under the name “OfficeUpdate.”
The impact of GONEPOSTAL has been significant. Multiple mid-sized enterprises in North America have reported unexplained outbound email traffic spikes, matched by credential theft and unauthorized file transfers.
Security teams investigating anomalous SMTP sessions uncovered encrypted JSON blobs masquerading as inline images, which—after decryption—revealed system reconnaissance data and remote shell commands.
This dynamic C2 channel enables the adversaries to query registry keys, manipulate files, and pivot to domain controllers, all while evading standard detection signatures.
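Detection logic for the attachment tactic described above (base64-encoded control instructions inside image attachments, and JSON blobs masquerading as inline images), as an added example that is not from the original report or from Kroll: it flags an attachment whose extension promises an image but whose bytes carry no image header, and one whose body contains a base64 run that decodes to a JSON object. The 32-character run threshold and the sample attachments are constructed assumptions; an encrypted blob would not decode here, so against that variant only the header check applies.

```python
import base64
import binascii
import json
import re

# Magic bytes for the image formats a "company logo" attachment would normally carry.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF8")
IMAGE_EXTENSIONS = ("png", "jpg", "jpeg", "gif")
# A run of base64 alphabet long enough to be worth decoding (the 32-char threshold is an assumption).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")


def decode_json_run(run: bytes):
    """Base64-decode a candidate run and parse it as JSON; None when it is not one."""
    try:
        return json.loads(base64.b64decode(run, validate=True).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def inspect_attachment(filename: str, data: bytes) -> list:
    """Return findings for one attachment; an empty list means nothing stood out."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower()
    # Finding 1: the file claims to be an image but does not start like one.
    if ext in IMAGE_EXTENSIONS and not data.startswith(IMAGE_MAGIC):
        findings.append("image extension but no image magic bytes")
    # Finding 2: a base64 run anywhere in the body decodes to a JSON object; this also
    # catches a blob spliced behind a genuine image header, where finding 1 is silent.
    for run in B64_RUN.findall(data):
        obj = decode_json_run(run)
        if isinstance(obj, dict):
            findings.append("embedded base64 JSON with keys " + ", ".join(sorted(obj)))
            break
    return findings


def scan_message(attachments) -> dict:
    """Map each (filename, bytes) attachment of one message to its findings."""
    return {name: inspect_attachment(name, data) for name, data in attachments}


# Constructed samples (not captured traffic): a plain logo, a "flyer" that is nothing but a
# base64 JSON blob, and a logo with the same blob appended behind a valid PNG header.
BLOB = base64.b64encode(json.dumps({"task": "recon", "seq": 7}).encode())
SAMPLE_MESSAGE = [
    ("logo.png", IMAGE_MAGIC[0] + b"\x00" * 64),
    ("flyer.jpg", BLOB),
    ("banner.png", IMAGE_MAGIC[0] + b"\x00" * 16 + BLOB),
]
```

Run `scan_message(SAMPLE_MESSAGE)` to see that only the genuine logo comes back clean; the other two samples each produce at least one finding.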
Infection Mechanism
A closer examination of GONEPOSTAL’s infection mechanism reveals the campaign’s reliance on a cleverly crafted VBA macro embedded within a booby-trapped document.
The macro code, heavily obfuscated to conceal its true purpose, begins by declaring Outlook COM object references:
' Late-bound reference to the running (or a newly started) Outlook instance
Dim OutlookApp As Object
Set OutlookApp = CreateObject("Outlook.Application")
' Item type 0 is olMailItem: a new, empty mail message
Dim MailItem As Object
Set MailItem = OutlookApp.CreateItem(0)
' recipientAddress and payloadPath are populated by earlier, unshown parts of the macro
MailItem.To = recipientAddress
MailItem.Subject = "Monthly Report"
MailItem.Attachments.Add payloadPath
MailItem.Send
Once executed, the macro not only dispatches the initial payload but also schedules follow-up tasks via the Windows Task Scheduler, ensuring that Outlook remains the primary conduit for ongoing command orchestration.
By leveraging native Windows and Office components, GONEPOSTAL sidesteps external dependencies, making it especially challenging to pinpoint through conventional network monitoring tools.
The infection chain culminates with the installation of a stealthy Outlook add-in, allowing the attacker to harvest sent and received emails, covertly modify message content, and issue new C2 commands without user awareness.
This modular design demonstrates a high degree of operational maturity, indicating that the threat actor is well-versed in blending malicious activity into everyday user workflows.