Threat Overview
In a recent publication dated November 15, 2025, security researchers at AlienVault released a detailed report on a sophisticated malware family known as NotDoor. The threat actor behind NotDoor leverages Microsoft Outlook macros as a vehicle for persistence, lateral movement, and command‑and‑control (C2) communications. The report provides an in‑depth look at the malware’s architecture, the tactics, techniques, and procedures (TTPs) it employs, and actionable detection and mitigation recommendations for security analysts.
Persistence and Lateral Movement via Outlook Macros
NotDoor’s primary persistence mechanism is the installation of malicious VBA code within Outlook. The malware creates a VbaProject.OTM file in the user’s Outlook profile and enables macros through a series of registry tweaks. By doing so, it ensures that every time Outlook starts, the malicious code is executed automatically. In addition to persistence, the macro code is used to stage payloads in the C:\ProgramData directory, where it drops a collection of DLLs and a OneDrive.exe stub. The DLLs are loaded through a technique known as DLL sideloading, allowing the malware to masquerade as a legitimate system component while executing its own malicious routines.
DLL Sideloading and OneDrive.exe Exploitation
OneDrive.exe is a trusted Windows component that the malware hijacks by placing a malicious DLL in the same folder as its own copy of the stub. When the stub is launched, it loads the DLL, which in turn launches an encoded PowerShell script. The PowerShell payload performs a number of follow-on actions: it creates additional directories, writes more DLLs, and modifies registry keys to disable security prompts and enable macros. This chain of events allows the attacker to maintain a foothold, move laterally across the network, and establish a robust C2 channel.
Command and Control via Outlook
NotDoor uses Outlook’s native messaging infrastructure to send and receive commands. The malware monitors the user’s inbox for specially crafted emails that contain encoded instructions. By embedding commands within email bodies or attachments, the threat actor can issue remote instructions without opening a direct network connection to attacker-controlled infrastructure. This approach makes detection more challenging, as the traffic appears to be ordinary email traffic rather than malicious outbound data.
Detection Strategies
The report outlines several detection techniques that security analysts can deploy immediately:
- Monitor for the creation of VbaProject.OTM files by processes other than Outlook.
- Watch for registry modifications that enable macros or disable security dialogs.
- Track the execution of encoded PowerShell commands that write files to C:\ProgramData.
- Identify DLL sideloading events involving OneDrive.exe or other trusted system binaries.
- Implement Splunk rules that flag suspicious email monitoring behaviors and outbound connections to known malicious domains.
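The first four detection techniques above can be prototyped as a single triage pass over endpoint telemetry. The following is an added example written for this summary, not code from the AlienVault or Splunk reports: it encodes each rule as a check over a simplified Sysmon-style event dict (the field names, the trusted OneDrive install directories and the sample events are all constructed assumptions) and correlates encoded PowerShell launches with later file writes to C:\ProgramData by process id.

```python
"""Triage constructed endpoint telemetry for the NotDoor behaviours listed above.
Events use a simplified Sysmon-style dict; the field names are assumptions."""
import re

# powershell.exe accepts abbreviations of -EncodedCommand; match the common ones.
ENCODED_PS = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s", re.IGNORECASE)
# Directories a genuine OneDrive.exe normally runs from (assumption; tune per estate).
TRUSTED_ONEDRIVE_DIRS = ("c:\\program files", "\\appdata\\local\\microsoft\\onedrive")

def triage(events):
    """Return (rule, detail) pairs for suspicious events, in input order."""
    findings, encoded_pids = [], set()
    for ev in events:
        kind, image = ev["type"], ev.get("image", "").lower()
        if kind == "process_create" and image.endswith("powershell.exe") \
                and ENCODED_PS.search(f" {ev.get('cmdline', '')} "):
            encoded_pids.add(ev["pid"])  # remember it so later file writes can be correlated
            findings.append(("encoded_powershell", ev["cmdline"]))
        elif kind == "file_create":
            path = ev["path"].lower()
            if path.endswith("\\vbaproject.otm") and not image.endswith("\\outlook.exe"):
                findings.append(("otm_write_by_non_outlook", ev["image"]))
            if path.startswith("c:\\programdata\\") and ev.get("pid") in encoded_pids:
                findings.append(("encoded_ps_write_programdata", ev["path"]))
        elif kind == "registry_set" and "\\outlook\\security\\" in ev["key"].lower():
            findings.append(("outlook_security_registry_change", ev["key"]))
        elif kind == "image_load" and image.endswith("\\onedrive.exe") \
                and not any(d in image for d in TRUSTED_ONEDRIVE_DIRS):
            findings.append(("onedrive_sideload_suspect", ev["loaded"]))
    return findings

# Constructed sample telemetry (not from the report): benign and suspect cases per rule.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
OTM = r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"
SAMPLE_EVENTS = [
    {"type": "file_create", "pid": 10, "image": OUTLOOK, "path": OTM},  # Outlook saving its own OTM
    {"type": "process_create", "pid": 20, "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},  # dummy base64 of "ABC"
    {"type": "file_create", "pid": 20, "image": PS, "path": OTM},
    {"type": "file_create", "pid": 20, "image": PS, "path": r"C:\ProgramData\stage\OneDrive.exe"},
    {"type": "registry_set", "pid": 20, "image": PS,
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level", "value": "1"},
    {"type": "image_load", "pid": 30, "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\FileSyncShell64.dll"},  # legitimate load
    {"type": "image_load", "pid": 31, "image": r"C:\ProgramData\stage\OneDrive.exe",
     "loaded": r"C:\ProgramData\stage\sideloaded.dll"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:36} {detail}")
```

Running it on the constructed events yields five findings (the encoded launch, the OTM write by PowerShell, the ProgramData write, the Outlook security registry change and the out-of-place OneDrive.exe load) while the two benign events stay silent.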
Recommendations for Security Analysts
To protect against NotDoor, analysts should adopt a multi‑layered approach:
- Disable Outlook Macros by Default – Enforce group policy settings that block macro execution unless explicitly signed by a trusted source.
- Implement Application Whitelisting – Restrict the execution of DLLs and executables to a curated list of approved binaries.
- Enhance Email Filtering – Use advanced threat protection to scan for encoded commands and malicious attachments.
- Deploy Endpoint Detection and Response (EDR) – Configure sensors to alert on PowerShell activity, registry changes, and file writes to system directories.
- Leverage SIEM Rules – Import the Splunk detection rules provided in the report and customize them to your environment.
- Regularly review user accounts for unusual macro activity and reset credentials if suspicious behavior is detected.
Conclusion
NotDoor represents a significant evolution in the use of legitimate Office tools for malicious purposes. By exploiting Outlook macros, DLL sideloading, and PowerShell, the threat actor achieves persistence, lateral movement, and stealthy command and control. The detailed detection rules and mitigation steps outlined in the AlienVault report provide a practical roadmap for security teams to defend against this advanced threat. Analysts are encouraged to review the full report and integrate the recommended controls into their security operations immediately.
For more information, visit the official AlienVault pulse and the Splunk blog linked in the report.
External References:
- https://www.splunk.com/en_us/blog/security/notdoor-insights-a-closer-look-at-outlook-macros-and-more.html
- https://otx.alienvault.com/pulse/6918053de7168eb74ccc9461