In the cybersecurity landscape, persistence is often the difference between a nuisance and a breach. Few groups embody this reality better than APT28 (Fancy Bear), the Russia-linked state-sponsored actor notorious for its relentless campaigns against Western targets. Between September 2025 and January 2026, S2 Grupo's LAB52 threat intelligence team uncovered a distinct wave of activity attributed to this actor, codenamed Operation MacroMaze.

Unlike the sophisticated zero-day exploits often associated with nation-state groups, Operation MacroMaze relied on a combination of basic tooling and the exploitation of legitimate services. Specifically, the campaign targeted entities in Western and Central Europe using a novel delivery mechanism: webhook-based macro malware.

The Mechanics of Operation MacroMaze

The core of Operation MacroMaze lies in its abuse of trusted infrastructure. Historically, macro malware involves embedded Visual Basic for Applications (VBA) code in documents (Excel, Word) that downloads a payload when the user enables content. APT28 has refined this by integrating webhooks directly into the attack chain.

Understanding the Attack Vector

A webhook is an HTTP callback used to provide real-time data to other applications. By weaponizing webhooks, APT28 effectively turned legitimate automation features into Command and Control (C2) channels.

1. Initial Access: The campaign began with traditional phishing emails distributing malicious Office documents. These documents likely used social engineering themes relevant to European geopolitical or economic interests.
2. Execution: Upon opening the document and enabling macros, the VBA code executed. Instead of contacting a suspicious IP address immediately, the macro reached out to legitimate services via webhook endpoints or injected data into standard web requests.
3. C2 Communication: By tunneling data through legitimate services (often used for project management, messaging, or data aggregation), the attackers blended their traffic in with normal business traffic. This "Living off the Land" (LotL) approach makes detection significantly harder for firewalls and basic network monitoring tools.

Tactical Analysis (TTPs)

Operation MacroMaze demonstrates APT28's adaptability. The threat actor understood that traditional malware signatures trigger alerts. Therefore, they focused on:

• API Abuse: Using legitimate APIs to exfiltrate data or receive instructions.
• Fileless Execution: Macros running directly in memory to minimize disk footprint.
• Geographic Targeting: Precision attacks on Western and Central European entities suggest specific espionage goals rather than broad financial gain.

Detection and Threat Hunting

Detecting Operation MacroMaze requires moving beyond signature-based detection and focusing on behavioral analysis. Security Operations Centers (SOCs) should look for anomalies in Office application behavior and unusual network traffic patterns originating from productivity suites.

KQL Queries (Microsoft Sentinel / Defender)

To identify potential macro activity communicating with external endpoints, run the following KQL query. This hunts for Office processes spawning network connections to non-Microsoft domains, which is highly suspicious.

DeviceNetworkEvents
| where Timestamp >= ago(30d)
| where InitiatingProcessFileName in~ ('winword.exe', 'excel.exe', 'powerpnt.exe')
| where RemoteUrl !contains '.microsoft.com' 
and RemoteUrl !contains '.office.com' 
and RemoteUrl !contains '.office365.com'
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemotePort, InitiatingProcessCommandLine
| summarize count() by DeviceName, RemoteUrl, InitiatingProcessFileName
| where count_ > 0
| order by count_ desc

Furthermore, since the attack utilizes webhook functionality often associated with automation services, hunting for specific script blocks often used in these macros is crucial.

DeviceFileEvents
| where Timestamp >= ago(30d)
| where FileName in~ ('normal.dotm', 'Wordstart.upd') or FileName endswith '.docm'
| where InitiatingProcessFileName in~ ('winword.exe', 'excel.exe')
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessCommandLine
| take 100

PowerShell Hunting Script

Use this PowerShell script to scan recent user directories for Office documents containing VBA macros that utilize common webhook-related keywords (like "webhook", "slack", "discord", or "api").

$Path = "C:\Users\"
$Days = 30
$Keywords = @("webhook", "api.openai.com", "discord.com", "slack.com", "POST /api")

Get-ChildItem -Path $Path -Recurse -Include *.docm, *.xlsm, *.pptm -ErrorAction SilentlyContinue |
Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
ForEach-Object {
    $Content = Get-Content $_.FullName -Raw -ErrorAction SilentlyContinue
    if ($Content -match ($Keywords -join '|')) {
        Write-Host "Potential threat found: $($_.FullName)" -ForegroundColor Yellow
    }
}

Mitigation Strategies

Defending against sophisticated threats like APT28 requires a layered security posture. Here are specific, actionable steps to harden your environment against Operation MacroMaze and similar attacks:

1. Strict Macro Policies: Disable macros from the internet entirely via Group Policy. Ensure that only digitally signed macros from trusted locations are allowed to run. powershell

   Example Group Policy registry check

    Get-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings"

2. Mark of the Web (MotW): Ensure your antivirus and endpoint detection solutions utilize "Mark of the Web" tags. Files downloaded from the internet should be tagged, and macros within them should be blocked automatically without user interaction.
3. Network Segmentation and Egress Filtering: Implement strict egress filtering. If your business does not use certain automation platforms or webhook services, block access to those domains from user subnets. Prevent Office applications from accessing the internet directly unless absolutely necessary.
4. Application Hardening: Attack Surface Reduction (ASR) rules in Microsoft Defender are highly effective here. Enable the rule: "Block applications from creating child processes" specifically for Office apps, if business workflows allow, or "Block Office applications from creating executable content."

Conclusion

Operation MacroMaze is a reminder that threat actors like APT28 continue to evolve by abusing the very tools designed to increase productivity. By leveraging webhook-based macro malware, they effectively blur the line between legitimate business traffic and malicious C2 activity. Staying ahead requires vigilance, robust hunting queries, and strict enforcement of macro policies.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub