Back to Intelligence

Operation MacroMaze: Decoding APT28’s Webhook-Based Assault on Europe

SA
Security Arsenal Team
February 23, 2026
5 min read

In the constantly shifting landscape of cyberespionage, the Russian-linked threat actor known as APT28 (or Fancy Bear) continues to prove why they remain a persistent adversary. Security Arsenal analysts have been tracking a new wave of activity attributed to this group, specifically targeting entities across Western and Central Europe.

Dubbed Operation MacroMaze by researchers at S2 Grupo’s LAB52, this campaign—which ran from September 2025 through January 2026—highlights a troubling trend: the weaponization of legitimate services and "basic" tooling to bypass sophisticated defenses. By relying on webhook-based macro malware, APT28 is effectively turning legitimate infrastructure into a command-and-control (C2) channel, making detection significantly more difficult for traditional signature-based solutions.

The Threat: Reinventing the Macro

For years, security professionals have warned about the dangers of macros in Microsoft Office documents. While Microsoft has rolled out various security features to block untrusted macros, APT28 has found a way to pivot. Instead of using the macro to drop a heavy, noticeable payload immediately, the macro in Operation MacroMaze acts as a bridge.

It leverages webhook URLs—often associated with legitimate automation workflows or messaging platforms—to exfiltrate data or receive further instructions. This technique allows the attacker to blend in with normal network traffic. Since the traffic is directed towards legitimate domains hosting these webhook services, firewalls and network proxies that rely on IP reputation often fail to flag the connections.

Deep Dive: TTPs and Attack Vectors

Operation MacroMaze relies heavily on social engineering. The attack chain typically begins with a spear-phishing email containing a malicious attachment, often masquerading as a policy document or an invoice relevant to the target sector.

The Attack Chain

  1. Initial Access: A user opens a weaponized Office document.
  2. Execution: The document prompts the user to enable content (or exploits a vulnerability if macros are restricted). Once active, the VBA macro code executes.
  3. C2 Communication: Instead of connecting to a known malicious IP, the macro constructs an HTTP POST request to a webhook URL.
  4. Data Exfiltration: Sensitive data (e.g., system info, credentials) is encoded and sent as the payload of the webhook request.

This method is effective because it exploits the trust in legitimate cloud services. Furthermore, the use of "basic tooling"—standard Windows utilities and scripting languages embedded in the macros—reduces the footprint of the malware, making it harder for heuristic engines to flag the file as malicious.

Detection and Threat Hunting

Detecting this type of activity requires a shift from looking for bad files to looking for bad behavior. Security teams must monitor for anomalous process execution patterns and network connections originating from Office applications.

KQL Queries for Microsoft Sentinel/Defender

The following KQL query helps identify Office processes spawning suspicious child processes or making network connections to non-Microsoft endpoints.

Script / Code
let OfficeProcesses = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe"]);
DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName in~ (OfficeProcesses)
| where ProcessFileName in~ ("powershell.exe", "cmd.exe", "cscript.exe", "wscript.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessFileName, AccountName, FolderPath
| summarize Count = count() by DeviceName, InitiatingProcessFileName, ProcessFileName
| order by Count desc


To hunt for the specific webhook behavior, we can look for network connections made by Office processes to non-Microsoft domains or known webhook providers.

let OfficeProcs = dynamic(["winword.exe", "excel.exe", "powerpnt.exe"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ (OfficeProcs)
| where RemoteUrl !contains "microsoft" and RemoteUrl !contains "office" and RemoteUrl !contains "windows"
| extend WebhookIndication = iff(RemotePort == 443 and RequestSize > 100, "Potential Exfil", "Suspicious Traffic")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, WebhookIndication

PowerShell Investigation Script

Use the following PowerShell script to audit recent security event logs for macro-related warnings or Office applications spawning shells on a specific endpoint.

Script / Code
$Date = (Get-Date).AddDays(-7)
$Events = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; StartTime=$Date; ID=1} -ErrorAction SilentlyContinue

if ($Events) {
    $SuspiciousActivity = $Events | Where-Object {
        $_.Message -match 'winword.exe' -or $_.Message -match 'excel.exe'
    } | Where-Object {
        $_.Message -match 'powershell.exe' -or $_.Message -match 'cmd.exe'
    }
    
    if ($SuspiciousActivity) {
        Write-Host "[!] Potential macro-based spawning activity detected:" -ForegroundColor Red
        $SuspiciousActivity | Select-Object TimeCreated, Id, Message | Format-List
    } else {
        Write-Host "[-] No suspicious macro spawning activity found in the last 7 days." -ForegroundColor Green
    }
} else {
    Write-Host "[!] No Sysmon events found or Sysmon is not running." -ForegroundColor Yellow
}

Mitigation Strategies

Protecting your organization from Operation MacroMaze requires a layered defense approach that focuses on reducing the attack surface and limiting the usefulness of macros.

  1. Strict Macro Policy: Enforce a policy that blocks macros from the internet by default via Mark-of-the-Web (MOTW). Ensure users cannot bypass this setting.

  2. Attack Surface Reduction (ASR) Rules: Enable the ASR rule "Block applications from creating child processes" specifically for Office applications. This effectively stops the macro from spawning PowerShell or CMD.

  3. Network Egress Filtering: While difficult due to the use of legitimate services, implement strict DNS filtering and proxy rules to limit access to known webhook provider domains that are not business-critical.

  4. User Education: Continuously train users to recognize spear-phishing attempts. The initial entry point for Operation MacroMaze is almost certainly a malicious email.

APT28’s Operation MacroMaze serves as a stark reminder that threat actors continue to evolve. By combining old tactics like macros with new infrastructure like webhooks, they challenge our assumptions about what "safe" traffic looks like. Vigilance, combined with robust hunting queries, is your best defense.

Related Resources

Security Arsenal Alert Triage Automation AlertMonitor Platform Book a SOC Assessment platform Intel Hub

alert-fatiguetriagealertmonitorsocapt28macro-malwarethreat-huntingwebhook-security

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action