Network Security, Data Security, Malware, Email security, Exposure management

‘NotDoor’ malware tied to Russia’s APT28 exploits Microsoft Outlook

A smartphone displaying the logo of Microsoft Outlook in the App Store.

A new backdoor for Outlook attributed to the Russia-linked APT28 threat group has compromised multiple companies across a broad range of vertical sectors in NATO-based countries.

The backdoor — dubbed “NotDoor” because of the word “Nothing” within the code, runs as a VBA macro for Outlook that’s designed to monitor incoming emails for a specific trigger word.

When one of the emails gets detected by the malicious code, it then lets the attacker exfiltrate data, upload files, and execute commands on a victim’s computer, according to a Sept. 3 blog post by LAB52, the intelligence team at S2 Grupo.

“This [case] highlights the ongoing evolution of APT28, demonstrating how it continually generates new artefacts capable of bypassing established defense mechanisms,” wrote the LAB52 researchers.

Casey Ellis, founder at Bugcrowd, called the case significant, pointing out that the use of Microsoft Outlook as a vector by APT28 is particularly concerning because of its ubiquity in business environments.

“APT28 leveraging Outlook macros as a covert communication and data exfiltration channel underscores the importance of hardening email systems and endpoint defenses,” said Ellis. “This isn’t just about patching vulnerabilities, it’s about recognizing that trusted applications like Outlook can be weaponized in ways that bypass traditional defenses.”

Noelle Murata, senior security engineer at Xcape Inc., said APT28 has transformed Outlook into a hidden backdoor by exploiting it with NotDoor, turning a widely trusted business application into a covert threat.

“Its use of trigger words to enable malicious actions keeps it undetectable by deleting the initial email, and once triggered, it can steal data or carry out commands,” said Murata. “This highlights the need for multi-layered security measures, as conventional email filters are insufficient to detect this type of attack.”

An In-Depth Guide to Network Security

Get essential knowledge and practical strategies to fortify your network security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds