NotDoor Outlook Macro Threat Analysis

Overview

In early March 2026 the Splunk Threat Research Team released a detailed examination of the NotDoor backdoor, a sophisticated malware family that exploits native Outlook macros and DLL sideloading to establish persistence and exfiltrate data on Windows workstations. The report, titled NotDoor Insights: A Closer Look at Outlook Macros and More, documents how attackers combine classic persistence techniques with modern obfuscation to bypass traditional defenses.

Attack Vector

NotDoor arrives on a victim machine as a seemingly innocuous set of files staged in C:\ProgramData. The payload bundle includes a legitimate OneDrive executable, a malicious SSPICLI.dll that is loaded via DLL sideloading, a renamed copy of that DLL named tmp7E9C.dll, and a VBA macro file called testtemp.ini. Once the macro is executed, it creates a temporary folder in the user’s %TEMP% directory where it stores additional artifacts.

DLL Sideloading (T1574.001)

The core of the delivery mechanism is DLL sideloading. By placing a malicious SSPICLI.dll in the same folder as OneDrive.exe, the attacker tricks the legitimate application into loading the attacker’s code instead of the genuine DLL. The malicious DLL then references tmp7E9C.dll, a renamed copy of the original SSPICLI.dll, to avoid crashes and maintain persistence. Because OneDrive often runs with elevated privileges, this technique grants the attacker a reliable foothold.

Encoded PowerShell (T1027.010)

Once the DLL is loaded, it launches a series of base64‑encoded PowerShell commands. These commands perform network checks that send the victim’s username to external services such as dnshook.site and webhook.site for validation. More importantly, they copy the testtemp.ini file to the user’s AppData\Roaming\Microsoft\Outlook\VbaProject.OTM file, effectively installing the malicious macro into Outlook’s central macro repository.

Outlook Macro Persistence (T1137.005)

The VbaProject.OTM file is where Outlook stores all VBA scripts. By writing this file from outside Outlook.exe, NotDoor ensures that its macro runs automatically when Outlook starts or when a new email arrives. The macro hooks Application_MAPILogonComplete and Application_NewMailEx events, allowing the attacker to exfiltrate data, upload files, and execute commands while using Outlook as a covert C2 channel.

Registry Manipulation (T1112)

Beyond file placement, the malicious DLL modifies several Outlook registry keys. It sets LoadMacroProviderOnBoot to 1, enabling automatic macro loading at startup. It also changes the Level key to 1, disabling all macro warnings so that users are not notified when macros execute. Finally, the PONT_STRING key is edited to suppress the Content Download Warning dialog, preventing users from seeing alerts about potentially malicious content.

Detection Strategy

Security teams can detect NotDoor by monitoring for:

  • Creation of VbaProject.OTM by any process other than Outlook.exe
  • Modification of Outlook registry keys LoadMacroProviderOnBoot, Level, and PONT_STRING by suspicious processes
  • Execution of OneDrive.exe that spawns PowerShell with base64‑encoded arguments
  • Unexpected DLL sideloading in the OneDrive directory

Splunk Analytic Story Highlights

The Splunk Threat Research Team released a set of detection queries that focus on these behaviors:

  • Encoded PowerShell detection using regex on process command lines
  • Registry monitoring for the three Outlook keys mentioned above
  • File creation monitoring for VbaProject.OTM by non‑Outlook processes

These queries can be deployed as a single analytic story, enabling rapid alerting and incident response for organizations using Splunk Enterprise Security.

Recommendations

To mitigate NotDoor and similar macro‑based threats, analysts should:

  • Enforce least‑privilege execution for OneDrive and other system utilities
  • Disable automatic macro loading in Outlook via Group Policy and ensure the Level key is set to 3 or 4
  • Implement application whitelisting to block unauthorized DLLs in critical directories
  • Deploy file integrity monitoring for AppData\Roaming\Microsoft\Outlook\VbaProject.OTM
  • Leverage PowerShell logging to capture encoded commands and alert on suspicious patterns

In addition, security teams should conduct regular macro auditing within Outlook, review user permissions for email handling, and maintain up‑to‑date endpoint detection and response coverage to catch lateral movement attempts.

Conclusion

NotDoor demonstrates how attackers can blend legacy techniques such as DLL sideloading and Outlook macros with modern obfuscation to create a stealthy, persistent threat. By focusing on the unique footprint left by these behaviors—registry changes, file creations, and encoded PowerShell—we can detect and neutralize this malware before it can exfiltrate data or spread laterally within an organization.

Looking for the Best Cyber Security?

Seamlessly integrate local and cloud resources with our comprehensive cybersecurity services. Protect user traffic at endpoints using advanced security solutions like threat hunting and endpoint protection. Build a scalable network infrastructure with continuous monitoring, incident response, and compliance assessments.

Contact Us

Copyright © 2025 ESSGroup

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading