
A Closer Look at Outlook Macros and More

Severity: Medium
Published: Sat Nov 15 2025 (11/15/2025, 04:44:45 UTC)
Source: AlienVault OTX General

Description

NotDoor is a backdoor that uses Outlook macros for persistence and lateral movement inside compromised environments. It stages files in C:\ProgramData and loads its payload through DLL sideloading by the legitimate OneDrive.exe binary to evade detection. The malware runs encoded PowerShell commands, modifies registry keys to enable macros and suppress Outlook's security dialogs, and uses Outlook's own functions for command-and-control (C2) and mailbox monitoring. Detection focuses on suspicious PowerShell activity, registry changes to macro settings, and the creation of VbaProject.OTM by processes other than Outlook. The threat is attributed to APT28 (Fancy Bear) and is rated medium severity. European organizations using Microsoft Outlook and OneDrive are potential targets, particularly in critical infrastructure and government. Mitigation requires targeted monitoring, macro policy enforcement, and DLL sideloading prevention.

AI-Powered Analysis

Last updated: 11/17/2025, 09:47:57 UTC

Technical Analysis

NotDoor is a backdoor, attributed to APT28, that lives as an Outlook VBA macro. Persistence relies on Outlook's per-user VBA project, which is stored as VbaProject.OTM under %APPDATA%\Microsoft\Outlook: code written into that file runs whenever Outlook starts, provided Outlook is willing to load and execute it. A default Outlook installation will not silently run that project, so the malware first weakens macro security through the registry, setting values that enable macros and suppress the prompts that would otherwise warn the user. Those registry writes are therefore one of the clearest detection opportunities, and the same change is what lets the macro survive reboots and user logons without further interaction.

Staging happens under C:\ProgramData, a directory every local user can write to and a frequent drop location for persistent malware. The payload is loaded through DLL sideloading: a malicious DLL is placed where the legitimate, Microsoft-signed OneDrive.exe will load it, so the code executes inside a trusted, signed process and evades controls that key only on the host binary. Encoded PowerShell commands (typically passed with -EncodedCommand, which takes Base64 of a UTF-16LE string) create directories and apply the configuration changes; the encoding defeats simple command-line string matching but not script block logging, which records the decoded script.

Command-and-control rides on Outlook itself. The macro monitors the mailbox for incoming messages that carry tasking and uses Outlook's mail functions to send results back, so the channel looks like ordinary mail traffic and needs no separate beacon. Detection recommendations therefore focus on host behaviour: PowerShell launched with an encoded command whose decoded body touches ProgramData or Office settings; writes to Outlook's macro security registry values; creation or modification of VbaProject.OTM by any process other than outlook.exe; and OneDrive.exe loading an unsigned DLL from a user-writable path. The referenced Splunk post provides detection rules for these indicators. The source rates the threat medium severity; no CVSS score applies because this is malware rather than a vulnerability, but the persistence mechanism and the mail-based C2 make it well suited to long-dwell espionage against the government and critical infrastructure targets APT28 typically pursues.

Potential Impact

For European organizations, NotDoor is a significant risk to any environment that standardizes on Microsoft Outlook and OneDrive, which is most of them. Persistence through the Outlook VBA project and DLL sideloading gives the operator durable access, and because tasking and results travel as mail, the activity blends into normal user traffic; combined with encoded PowerShell and quiet registry changes, this favours a long undetected presence. Government agencies, defence contractors, energy providers and financial institutions are the most exposed given APT28's targeting history. Lateral movement from the initial mailbox host can spread the compromise across systems and data. Disabling security dialogs and enabling macros by default also undermines an endpoint control that organizations usually rely on, widening the attack surface for any later macro-borne payload. The likely outcomes are confidentiality breaches (espionage and data exfiltration), with integrity and availability impacts possible if the operator manipulates or disrupts critical systems.

Mitigation Recommendations

European organizations should implement targeted defenses beyond generic advice:

1) Enforce Outlook macro policy through Group Policy: disable macros by default, allow only digitally signed macros from trusted publishers, and deploy the setting as a policy value, which takes precedence over the per-user preference values that malware can rewrite.
2) Monitor and alert on registry writes to Outlook's macro security and dialog suppression values, especially when the writing process is not outlook.exe or the user is non-administrative.
3) Use application control (WDAC or AppLocker) to block unauthorized PowerShell scripts and unsigned DLLs, and watch OneDrive.exe for DLL loads from user-writable directories.
4) Use endpoint detection and response (EDR) to flag creation or modification of VbaProject.OTM by non-Outlook processes, and enable PowerShell script block logging (Event ID 4104) so encoded commands are recorded in decoded form.
5) Because the C2 channel is Outlook mail itself, network monitoring alone will see ordinary mail traffic; pair it with mailbox audit logging and mail flow alerting on unusual outbound patterns.
6) Keep Microsoft Office and Windows components patched to reduce exploitation opportunities.
7) Train users on the risks of enabling macros and on recognizing the phishing that delivers such payloads.
8) Deploy the Splunk detection rules from the referenced post, or equivalent SIEM content, to automate detection of NotDoor indicators.
9) Restrict and monitor file staging under C:\ProgramData, with the caveat that the directory is writable by all authenticated users by design, so wholesale ACL changes will break installers; file creation monitoring of new subdirectories is usually the more practical control.
10) Share threat intelligence within European cybersecurity communities to stay informed about emerging variants and tactics.
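As an added example (not code from this page or from the referenced Splunk post), the following Python script runs the host-side checks described in the technical analysis and in mitigation items 2 to 4 over a handful of constructed, Sysmon-shaped events: an encoded PowerShell launch that stages under ProgramData, registry writes to Outlook's macro security values, VbaProject.OTM written by a non-Outlook process, and OneDrive.exe loading an unsigned DLL from a user profile. Assumptions: the event field names follow Sysmon's schema; the two registry values checked (Security\Level and Security\LoadMacroProviderOnBoot) are Outlook's documented macro settings but the page does not name which values NotDoor touches; the sample command line, paths and DLL name are invented for the test.

```python
import base64
import re

# Constructed Sysmon-shaped events (EventID 1 ProcessCreate, 7 ImageLoad,
# 11 FileCreate, 13 RegistryValueSet); not telemetry from the analysed sample.

PS_HOSTS = {"powershell.exe", "pwsh.exe"}

# -EncodedCommand and its short forms take Base64 of a UTF-16LE string.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})")

# Outlook per-user macro security values. Assumption: the page only says NotDoor
# "enables macros and disables security dialogs"; these are the documented
# Outlook values for that. Level 1 is the lowest setting (enable all macros).
OUTLOOK_MACRO_VALUE = re.compile(
    r"(?i)\\software\\microsoft\\office\\\d+\.\d\\outlook\\security\\"
    r"(level|loadmacroprovideronboot)$"
)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand body, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'."""
    m = re.search(r"0x([0-9a-fA-F]+)", details)
    return int(m.group(1), 16) if m else None


def finding(rule, ev, detail):
    return {"rule": rule, "process": ev.get("Image", ""), "detail": detail}


def analyze(events):
    """Apply the four NotDoor-style checks to a list of event dicts."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        exe = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if eid == 1 and exe in PS_HOSTS:
            # Encoded launch whose decoded body touches the staging directory.
            decoded = decode_encoded_command(ev.get("CommandLine", ""))
            if decoded and "programdata" in decoded.lower():
                findings.append(finding("encoded_powershell_staging", ev, decoded))
        elif eid == 13:
            # Macro security weakened: either value set to 1 (any writer).
            m = OUTLOOK_MACRO_VALUE.search(ev.get("TargetObject", ""))
            if m and parse_dword(ev.get("Details", "")) == 1:
                findings.append(finding("outlook_macro_policy_weakened", ev, m.group(1)))
        elif eid == 11:
            # Outlook's VBA project written by something other than Outlook.
            target = ev.get("TargetFilename", "")
            if target.lower().endswith("\\vbaproject.otm") and exe != "outlook.exe":
                findings.append(finding("otm_written_by_non_outlook", ev, target))
        elif eid == 7 and exe == "onedrive.exe":
            # Sideload candidate: unsigned DLL from outside the Windows directory.
            loaded = ev.get("ImageLoaded", "")
            if ev.get("Signed", "").lower() != "true" and not loaded.lower().startswith("c:\\windows\\"):
                findings.append(finding("onedrive_unsigned_dll_load", ev, loaded))
    return findings


# Constructed sample: the encoded command is built the way a loader would build it.
STAGING_CMD = 'New-Item -ItemType Directory -Path "$env:ProgramData\\stage" -Force | Out-Null'
ENCODED = base64.b64encode(STAGING_CMD.encode("utf-16-le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
ONEDRIVE = r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
OTM = r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"
SEC = r"HKU\S-1-5-21-1000\Software\Microsoft\Office\16.0\Outlook\Security"

SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "CommandLine": "powershell.exe -w hidden -enc " + ENCODED},
    {"EventID": 13, "Image": PS, "TargetObject": SEC + r"\Level", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": PS, "TargetObject": SEC + r"\LoadMacroProviderOnBoot", "Details": "DWORD (0x00000001)"},
    {"EventID": 11, "Image": PS, "TargetFilename": OTM},
    {"EventID": 11, "Image": OUTLOOK, "TargetFilename": OTM},          # benign: Outlook itself
    {"EventID": 7, "Image": ONEDRIVE, "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Image": ONEDRIVE, "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\helper.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["rule"], "|", f["process"], "|", f["detail"])
```

The benign Outlook write of VbaProject.OTM and the signed kernel32.dll load are included deliberately: the rules key on who wrote the file and whether the loaded image is signed, not on the file names alone, which is what keeps them quiet on a healthy host. In production the same logic maps directly onto Sysmon or EDR telemetry; the registry check fires regardless of the writing process because a user lowering the setting by hand is also worth a look.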


Technical Details

Author
AlienVault
TLP
white
References
https://www.splunk.com/en_us/blog/security/notdoor-insights-a-closer-look-at-outlook-macros-and-more.html
Adversary
APT28 (Fancy Bear)
Pulse Id
6918053de7168eb74ccc9461
Threat Score
null

Indicators of Compromise

Hash

MD5: 15e9255a3e3401e5f6578d2ac45b7850
MD5: f8d9b7c864fb7558e8bad4cfb5c8e6ff
SHA1: 3b80a13199564e3d8a9d26e14defabee136638f8
SHA1: a45ab1a9dec488278ee9682735d42d61dfc38b9e
SHA256: 5a88a15a1d764e635462f78a0cd958b17e6d22c716740febc114a408eef66705
SHA256: 8f4bca3c62268fff0458322d111a511e0bcfba255d5ab78c45973bd293379901

Url

http://webhook.site/910cf351-a05d-4f67-ab8e-6f62cfa8e26d?$env:USERNAME
(The query string appends the victim's Windows user name. webhook.site is a public request-capture service, so the identifying part of this indicator is the UUID path, not the domain.)

Domain

username.910cf351-a05d-4f67-ab8e-6f62cfa8e26d.dnshook.site
(dnshook.site is the DNS counterpart of webhook.site. The leading label appears to be a placeholder for the same collected user name, so match on the UUID label rather than the full name.)

Threat ID: 691aebada2e17873632ea951

Added to database: 11/17/2025, 9:32:29 AM

Last enriched: 11/17/2025, 9:47:57 AM

Last updated: 11/17/2025, 2:36:41 PM
