Categories: Cyber Security News

Detection Techniques for Outlook NotDoor Backdoor Malware Uncovered by Researchers

The Splunk Threat Research Team has shed light on a new malware strain, NotDoor, which leverages Microsoft Outlook macros for stealthy backdoor operations.

First identified by the Spanish cybersecurity firm S2 Grupo through its Lab52 intelligence division, NotDoor has been linked to APT28, also known as Fancy Bear. This Russian state-aligned threat actor targets government and enterprise networks.

Outlook Macros as a Hidden Entry Point

Macros in Outlook have long been a lucrative vector for attackers because they run within a trusted application. NotDoor takes advantage of this by installing a malicious Visual Basic for Applications (VBA) macro inside Outlook’s default macro file, VbaProject.otm.

This file loads automatically at Outlook startup, enabling persistent access and code execution every time the mail client runs.

The infection typically begins when the attacker sideloads a malicious DLL into a legitimate OneDrive executable stored in C:\ProgramData.

This process, known as DLL sideloading, tricks Windows into executing the fake SSPICLI.dll, while a renamed legitimate version prevents the program from crashing.

[Figure: LoadMacroProviderOnBoot registry changes]

The DLL then executes encoded PowerShell commands to copy a macro-laden file, testtemp.ini, into the Outlook directory as AppData\Roaming\Microsoft\Outlook\VbaProject.otm.

Once embedded, the macro uses Outlook functions like Application_MAPILogonComplete and Application_NewMailEx to monitor incoming emails for specific triggers.

These triggers deliver commands from the attacker’s server, allowing NotDoor to exfiltrate data, send files, or run arbitrary PowerShell commands without raising alerts to the user.

Splunk’s Detection Methodology and Insights

To combat NotDoor and related threats, Splunk’s researchers developed detection analytics targeting its hallmark behaviors. Their findings pinpoint several techniques that can help defenders uncover such attacks in enterprise environments.

Key indicators include non-Outlook processes that create or modify VbaProject.otm, encoded PowerShell commands executed by OneDrive.exe, and unusual registry modifications under Outlook settings.

NotDoor alters keys such as LoadMacroProviderOnBoot and OutlookSecurityLevel to automatically enable macros and suppress warning dialogs. It also modifies the PONT_STRING registry entry to hide prompts, such as content download warnings, preventing user suspicion.

Splunk provides specific detection rules to identify these anomalies within its platform. These include analytics on encoded PowerShell usage, registry modifications related to macro persistence, and suspicious file-creation events tied to Outlook’s macro file.
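The three behaviours the article lists (a non-Outlook process writing VbaProject.otm, OneDrive.exe spawning encoded PowerShell, and changes to Outlook's macro-security registry values) can be turned into host-level detection logic. The following is an added example, not Splunk's or Lab52's code; it runs over constructed Sysmon-style events (EventID 11 = FileCreate, 1 = ProcessCreate, 13 = RegistryEvent value set) whose paths, SIDs and command lines are made up for illustration.

```python
import re

# Constructed Sysmon-style events (not real telemetry). Paths, SID and the
# base64 payload are invented; only the field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.otm"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.otm"},
    {"EventID": 1, "Image": r"C:\ProgramData\OneDrive.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventID": 13, "Image": r"C:\ProgramData\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Outlook\LoadMacroProviderOnBoot"},
    {"EventID": 13, "Image": r"C:\ProgramData\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Outlook\Security\PONT_STRING"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Dropbox"},
]

# powershell[.exe] ... -e / -ec / -enc / -encodedcommand <base64 of 20+ chars>
ENCODED_PS = re.compile(
    r"(?i)\bpowershell(?:\.exe)?\b.*\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}")

# Registry values the article says NotDoor changes under Outlook settings.
MACRO_REG_VALUES = ("loadmacroprovideronboot", "outlooksecuritylevel", "pont_string")


def detect_notdoor(events):
    """Return (rule_name, event) pairs for events matching the three indicators."""
    alerts = []
    for ev in events:
        proc = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
        if ev["EventID"] == 11:
            target = ev.get("TargetFilename", "").lower()
            # Outlook itself legitimately rewrites its macro file; anything else is suspect.
            if target.endswith("\\vbaproject.otm") and proc != "outlook.exe":
                alerts.append(("non_outlook_writes_vbaproject_otm", ev))
        elif ev["EventID"] == 1 and proc == "onedrive.exe":
            if ENCODED_PS.search(ev.get("CommandLine", "")):
                alerts.append(("onedrive_spawns_encoded_powershell", ev))
        elif ev["EventID"] == 13:
            target = ev.get("TargetObject", "").lower()
            if "\\outlook\\" in target and target.rsplit("\\", 1)[-1] in MACRO_REG_VALUES:
                alerts.append(("outlook_macro_security_registry_change", ev))
    return alerts


if __name__ == "__main__":
    for rule, ev in detect_notdoor(SAMPLE_EVENTS):
        print(rule, "<-", ev["Image"])
```

In production the same three conditions map onto Sysmon or EDR file, process and registry events; the OUTLOOK.EXE write and the unrelated Run key are deliberately included so the exclusions are exercised.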

The NotDoor case demonstrates how seemingly benign applications like Outlook can become practical command-and-control tools when macros are abused.

The research underscores the importance of monitoring macro execution paths, registry changes, and encoded script activity to uncover hidden backdoors before they lead to complete system compromise.


The post Detection Techniques for Outlook NotDoor Backdoor Malware Uncovered by Researchers appeared first on Cyber Security News.
