Operation MacroMaze: APT28 abusing webhooks for C2

Just caught the latest intel from S2 Grupo's LAB52 team regarding APT28. They've been busy with 'Operation MacroMaze,' specifically targeting entities in Western and Central Europe between September '25 and January '26.

What stands out here isn't sophisticated zero-days—it's the tradecraft shift. Instead of setting up a standard C2 infrastructure that's easy to blacklist, they are leveraging webhook-based malware inside macros. This effectively abuses legitimate services (likely generic HTTP endpoints or notification services) for command and control, making network detection significantly harder since the traffic blends in with legitimate API calls.

Given the timeline, if you have ties to Central Europe, I'd recommend scrubbing your logs for Office applications spawning unexpected processes or making outbound connections to unusual endpoints.

Here is a basic KQL query I'm using to hunt for this behavior, focusing on Word/Excel making outbound POST requests (common for webhooks):

DeviceProcessEvents
| where InitiatingProcessFileName in ~("winword.exe", "excel.exe", "powerpnt.exe")
| where NetworkDirection == "Outbound"
| where ActionType == "ConnectionSuccess"
| where RemotePort in (443, 80)
| extend URL = strcat(RemoteUrl, ":", RemotePort)
| project Timestamp, DeviceName, InitiatingProcessCommandLine, FileName, URL, RemoteIP
| sort by Timestamp desc

Since they rely on 'basic tooling' as the report notes, standard macro blocking policies should theoretically stop this, but phishing templates are getting better at bypassing user training.

How is everyone handling the macro enforcement balance? Are you blocking all internet-enabled macros entirely via GPO, or do you rely on specific ASR rules?