A Closer Look at Outlook Macros and More

Nov. 17, 2025, 9:53 a.m.

Description

The analysis examines NotDoor, a backdoor that uses Outlook macros for persistence and lateral movement. It stages files in C:\ProgramData and employs DLL sideloading via OneDrive.exe. The malware creates directories, executes encoded PowerShell commands, and modifies registry entries to enable macros and disable security dialogs. Key tactics include using Outlook functions for C2 communication and email monitoring. The blog provides detection strategies, including monitoring for suspicious PowerShell commands, registry modifications, and the creation of VbaProject.OTM files by non-Outlook processes. Splunk-based detection rules are offered to identify these malicious activities.

Date

  • Created: Nov. 15, 2025, 4:44 a.m.
  • Published: Nov. 15, 2025, 4:44 a.m.
  • Modified: Nov. 17, 2025, 9:53 a.m.

Attack Patterns

  • NotDoor
  • APT28 (Fancy Bear)