APT28 spear-phishing: Outlook backdoor NotDoor and evolving European cyber threats

Historical Context: The Evolution of APT28

APT28 (Fancy Bear) has been active since at least 2004, operating as a state-sponsored cyber-espionage group linked to Russia’s GRU. However, its most heavily documented and globally recognized operations emerged from 2014 onward. That year marks a strategic shift, where APT28 adopted more aggressive, high-visibility tactics using advanced spear-phishing techniques and zero-day exploits.

Between 2008 and 2016, the group targeted several major geopolitical institutions, including:

• The Georgian Ministry of Defense (2008)
• NATO, the White House, and EU agencies (2014)
• The U.S. presidential election campaign (2016)

This period also saw extensive exposure of APT28 by cybersecurity firms such as FireEye and CrowdStrike, which highlighted the group’s growing sophistication and its use of malicious Word documents (maldocs), cloud-based command-and-control (C2) relays, and coordinated influence operations.

These earlier campaigns laid the foundation for APT28’s current operations in Europe — especially in France — and illustrate the persistent, evolving nature of the threat.

Priority targets for APT28 spear-phishing campaigns

Target typology in APT28 campaigns

APT28 targets include:

• Sovereign ministries (Defense, Interior, Foreign Affairs)
• Paris 2024 Olympics organizers and IT contractors
• Operators of vital importance (OIVs): energy, transport, telecoms
• Defense industrial and technological base (BITD) companies
• Research institutions (CNRS, INRIA, CEA)
• Local governments with strategic competencies
• Consulting firms active in European or sensitive matters

Historical Context: The Evolution of APT28

APT28 (Fancy Bear) has been active since at least 2004, operating as a state-sponsored cyber-espionage group linked to Russia’s GRU. However, its most heavily documented and globally recognized operations emerged from 2014 onward. That year marks a strategic shift, where APT28 adopted more aggressive, high-visibility tactics using advanced spear-phishing techniques and zero-day exploits.

Between 2008 and 2016, the group targeted several major geopolitical institutions, including:

• The Georgian Ministry of Defense (2008)
• NATO, the White House, and EU agencies (2014)
• The U.S. presidential election campaign (2016)

This period also saw extensive exposure of APT28 by cybersecurity firms such as FireEye and CrowdStrike, which highlighted the group’s growing sophistication and its use of malicious Word documents (maldocs), cloud-based command-and-control (C2) relays, and coordinated influence operations.

These earlier campaigns laid the foundation for APT28’s current operations in Europe — especially in France — and illustrate the persistent, evolving nature of the threat.

Spear-phishing and electoral destabilization in Europe

Political and geopolitical context of APT28 campaigns

APT28’s campaigns often precede key elections or diplomatic summits, such as the 2017 French presidential election, the 2019 European elections, or the upcoming Paris 2024 Olympic Games. These are part of a broader hybrid strategy aimed at destabilizing the EU.

Some spear-phishing attacks are synchronized with disinformation operations to amplify internal political and social tensions within targeted nations. This dual tactic aims to undermine public trust in democratic institutions.

Reference: EU DisinfoLab – Russia-backed disinformation narratives

Germany and NATO have also reported a resurgence of APT28 activities, particularly against NATO forces stationed in Poland, Lithuania, and Estonia. This strategic targeting of European institutions is part of a broader effort to weaken collective security in the EU.

Other APT28 campaigns between CVE-2023-23397 and NotDoor

Between the Outlook zero-day CVE-2023-23397 and the emergence of the NotDoor Outlook backdoor, APT28 sustained a steady cadence of precision intrusions. The group leveraged widely deployed enterprise software to deliver APT28 spear-phishing chains at scale, moving from classic maldocs to Outlook-centric compromise and covert exfiltration.

Takeaway. These campaigns show a tactical progression from maldoc & archive abuse toward Outlook-centric backdoors, culminating with NotDoor’s Outlook VBA macro phishing, DLL side-loading via OneDrive.exe, and Proton Mail covert exfiltration.

NotDoor: a new Outlook backdoor in APT28’s toolchain

NotDoor represents a tactical leap in APT28 spear-phishing chains: instead of only abusing delivery vectors, the operators weaponize Microsoft Outlook itself. A malicious VBA macro hooks mailbox events, watches for keyword triggers in new mail, and—on match—executes commands, stages files, and exfiltrates data. This Outlook-centric backdoor blends with daily workflows, reduces telemetry noise, and undermines perimeter detections.

How the backdoor operates

• Initial foothold: Outlook VBA macro phishing seeded via targeted messages or trust-store abuse (macro-enabled project in the user profile).
• Mailbox surveillance: event handlers monitor incoming emails for operator tasking (e.g., “Daily Report”, “Timesheet”, summit- or exercise-themed lures).
• Tasking & execution: the macro launches system commands, enumerates files and mailbox items, compresses artifacts, and uploads follow-on payloads.
• Defense evasion: DLL side-loading via OneDrive.exe loads a malicious library behind a trusted Microsoft binary to degrade signature-based controls.
• Covert egress: Proton Mail covert exfiltration camouflages outbound traffic among legitimate encrypted flows.

Where NotDoor fits vs HeadLace & CVE-2023-23397

Detection & hunts (behavior-first)

• Macro exposure: disable Outlook VBA by policy; alert on macro project creation/enable in Office trust stores.
• Process chains: flag OUTLOOK.EXE spawning script interpreters, archivers, or shells; correlate with mailbox event timing.
• Side-loading: monitor OneDrive.exe module loads from non-system paths; detect unsigned or unexpected DLLs co-located with it.
• Mailflow anomalies: DLP/heuristics for sudden encrypted egress to privacy providers from workstation hosts; compressed archives leaving via mail.
• Keyword intel: hunt for mailbox rules/macros using operational terms (e.g., “report”, “invoice”, exercise names, event code-words).

MITRE ATT&CK mapping (core techniques)

• T1204 — User Execution: malicious file/macro (Outlook VBA project)
• T1059 — Command & Scripting Interpreter (cmd/PowerShell/WScript)
• T1574.002 — Hijack Execution Flow: DLL Side-Loading (OneDrive.exe)
• T1041 — Exfiltration Over C2 Channel (encrypted mail channel)

Operational hardening (sovereign posture)

• Harden Outlook (disable macros by default; restrict trusted locations; block unsigned VBA).
• Instrument Outlook/OneDrive behaviors and alert on risky child-process or module-load patterns.
• Adopt sovereign email encryption HSM: use DataShielder HSM PGP for end-to-end encryption with volatile-memory decryption only; pair with PassCypher HSM PGP for offline OTP/credential custody.

APT28 attribution and espionage objectives

• Attribution: Main Intelligence Directorate (GRU), Unit 26165
• Key techniques: Targeted phishing, Outlook vulnerabilities, compromise of routers and peripheral devices
• Objectives: Data exfiltration, strategic surveillance, disruption of critical operations

APT28 also coordinates technical operations with information warfare: fake document distribution, disinformation campaigns, and exploitation of leaks. This “influence” component, though less covered in mainstream reports, significantly amplifies the impact of technical attacks.

Observed campaigns and methods (2022–2025)

🔗 See also: ENISA Threat Landscape 2024 – Cyberespionage Section

Mapping APT28 to the Cyber Kill Chain

Tactics and Infrastructure: Increasing Sophistication

APT28 campaigns are distinguished by a high degree of stealth:

• Domain spoofing via homographs (e.g. gov-fr[.]net).
• Real-time payload encryption.
• Using legitimate cloud services like GitHub, Dropbox, or Trello as a C2 relay.
• Hosting on anonymized infrastructures (Fast Flux DNS, bulletproof hosting).
• Non-persistent attacks: ephemeral access, rapid exfiltration, immediate wipe. This approach makes detection particularly complex, as it drastically reduces the window of opportunity for forensic analysis, and the attacker’s infrastructure is often destroyed rapidly after compromise.

This mastery of technical obfuscation makes detection particularly complex, even for the most advanced SIEM systems and EDRs.

Evolution of APT28 spear-phishing campaigns (2014–2025)

This timeline highlights the major APT28 spear-phishing offensives in Europe, from early credential harvesting and the 2017 Macron campaign to Microsoft Outlook exploits in 2020 and large-scale energy sector intrusions culminating in 2025.

APT28 spear-phishing timeline (2014–2025) — Key campaigns include credential harvesting, the 2017 Macron leak, Outlook phishing exploits in 2020, and critical infrastructure attacks in the European energy sector through 2025.

APT28 malware matrix (Outlook-centric chains)

This matrix summarizes the Outlook-focused toolchain observed in APT28 spear-phishing campaigns, highlighting purpose, triggers, evasions, and succinct detections to operationalize hunts.

Official report — CERTFR-2025-CTI-006

Title: Targeting and compromise of French entities using APT28 tradecraft
Publisher: CERT-FR (ANSSI) — 29 April 2025

• Scope: Analysis of APT28 campaigns against French government, diplomatic and research bodies (2021–2024), with spillover to wider Europe.
• Attribution: APT28 (Fancy Bear / Sofacy), linked to Russia’s GRU Unit 26165.
• Key TTPs: Targeted spear-phishing, Outlook abuse (incl. CVE-2023-23397), short-dwell intrusions, cloud C2 relays, coordinated information ops.
• Operational risks: Credential theft → lateral movement; data exfiltration; disruption potential for critical operators.
• Defensive priorities: Patch hygiene; macro hardening; behavior monitoring for OUTLOOK.EXE/OneDrive.exe; DLP on encrypted egress; ATT&CK mapping for hunts (T1204, T1059, T1574.002, T1041).

Links — Official page: CERTFR-2025-CTI-006 · Full PDF: download

Takeaway — The report corroborates the shift of APT28 spear-phishing toward Outlook-centric chains and reinforces the need for behavior-first detection and sovereign encryption/HSM controls.

ANSSI’s operational recommendations

• Apply security patches (known CVEs) immediately.
• Audit peripheral equipment (routers, appliances).
• Deploy ANSSI-certified EDRs to detect anomalous behavior.
• Train users with realistic spear-phishing scenarios.
• Segment networks and enforce the principle of least privilege.
• Disable Outlook VBA macros by default via group policy; restrict Office trusted locations; block unsigned macros.
• Instrument Outlook & OneDrive process behavior: alert on OUTLOOK.EXE spawning script interpreters and on OneDrive.exe loading DLLs from non-system paths.
• Mailflow controls: DLP/heuristics for unexpected encrypted egress to privacy providers (e.g., Proton Mail) from workstation hosts.
• Sovereign channeling for sensitive comms: use DataShielder HSM PGP to end-to-end encrypt messages with volatile-memory decryption only; pair with PassCypher HSM PGP for offline OTP/credential custody.
• Threat hunting: search for anomalous Outlook rules/macros, compressed archives in sent items, and keyword-based mailbox automations.
• Map NotDoor hunts to MITRE ATT&CK: T1204 (User Execution: Malicious File/Macro), T1059 (Command and Scripting Interpreter), T1574.002 (Hijack Execution Flow: DLL Side-Loading), T1041 (Exfiltration Over C2 Channel).

For detailed guidance, refer to the ANSSI recommendations.

Regulatory framework: French response to spear-phishing

• Military Programming Law (LPM): imposes cybersecurity obligations on OIVs and OESs.
• NIS Directive and French transposition: provides a framework for cybersecurity obligations.
• SGDSN: steers the strategic orientations of national cybersecurity.
• Role of the ANSSI: operational referent, issuer of alerts and recommendations.
• EU-level Initiatives: Complementing national efforts like those led by ANSSI in France, the NIS2 Directive, the successor to NIS, strengthens cybersecurity obligations for a wider range of entities and harmonizes rules across European Union Member States. It also encourages greater cooperation and information sharing between Member States.

Sovereign solutions: DataShielder & PassCypher against spear-phishing

Sovereign solutions: DataShielder & PassCypher against spear-phishing

DataShielder NFC HSM: An alternative to traditional MFA authentication

Most of APT28’s spear-phishing publications recommend multi-factor authentication. However, this MFA typically relies on vulnerable channels: interceptable SMS, exposed cloud applications, or spoofed emails. DataShielder NFC HSM introduces a major conceptual breakthrough:

These controls provide a sovereign email encryption HSM approach for sensitive exchanges.

This solution is aligned with a logic of digital sovereignty, in line with the recommendations of the ANSSI.

DataShielder HSM PGP can encrypt all types of emails, including Gmail, Outlook, Yahoo, LinkedIn, Yandex, HCL Domino, and more. It encrypts messages end-to-end and decrypts them only in volatile memory, ensuring maximum privacy without leaving a clear trace.

PassCypher HSM PGP enhances the security of critical passwords and TOTP/HOTP codes through:

• 100% offline operation without database or server
• Secure input field in a dedicated tamper-proof sandbox
• Protection native contre les attaques BITB (Browser-in-the-Browser)
• Automatic sandbox that checks original URLs before execution
• Secure management of logins, passwords, and OTP keys in a siloed environment

En savoir plus : BITB attacks – How to avoid phishing by iframe

These solutions fit perfectly into sovereign cyber defense architectures against APTs.