{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/notdoor/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Outlook","Splunk Enterprise Security","Splunk Cloud","Splunk Enterprise"],"_cs_severities":["high"],"_cs_tags":["outlook","registry_modification","malware","notdoor"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis threat brief addresses a technique where a process other than Outlook modifies the \u003ccode\u003ePONT_STRING\u003c/code\u003e registry value within Outlook\u0026rsquo;s options. This modification disables certain dialog popups within Outlook, which can allow malicious scripts or actions to execute without user consent or notification. The activity is associated with malware families such as NotDoor. Attackers may leverage this to harvest email information or bypass security warnings. 
The technique involves modifying the Windows Registry key \u003ccode\u003eHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\u0026lt;version\u0026gt;\\Outlook\\Options\\General\\PONT_STRING\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., through phishing or exploiting a software vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious program or script (e.g., PowerShell or VBScript).\u003c/li\u003e\n\u003cli\u003eThe malicious program identifies the Outlook installation and its corresponding registry path.\u003c/li\u003e\n\u003cli\u003eThe malicious program modifies the \u003ccode\u003ePONT_STRING\u003c/code\u003e value under the \u003ccode\u003eHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\u0026lt;version\u0026gt;\\Outlook\\Options\\General\\\u003c/code\u003e key.\u003c/li\u003e\n\u003cli\u003eThis modification disables Outlook\u0026rsquo;s dialog popups.\u003c/li\u003e\n\u003cli\u003eThe attacker executes further malicious actions, such as harvesting email credentials or injecting malicious content into emails, without user prompts.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass security warnings and execute malicious code within the context of Microsoft Outlook. This can lead to unauthorized access to sensitive email data, credential theft, and the deployment of further malware. While the number of affected organizations is currently unknown, any organization using Microsoft Outlook is potentially at risk. 
Disabling Outlook dialogs is a common tactic used by malware families like NotDoor to facilitate data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 13 (Registry events) to monitor registry modifications, as indicated in the rule\u0026rsquo;s \u003ccode\u003edata_source\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eOutlook Dialogs Disabled by Non-Outlook Process\u003c/code\u003e to detect this specific registry modification. Tune the rule using the filter macro as described in the original source.\u003c/li\u003e\n\u003cli\u003eInvestigate any registry modifications to the \u003ccode\u003eHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\u0026lt;version\u0026gt;\\Outlook\\Options\\General\\PONT_STRING\u003c/code\u003e key by processes other than \u003ccode\u003eOutlook.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or unknown scripts and executables.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-outlook-dialog-disabled/","summary":"The detection identifies the modification of the Windows Registry key 'PONT_STRING' under Outlook Options by a process other than Outlook.exe, potentially indicating malware activity such as NotDoor.","title":"Outlook Dialogs Disabled by Unusual Process","url":"https://feed.craftedsignal.io/briefs/2024-01-outlook-dialog-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed — Notdoor","version":"https://jsonfeed.org/version/1.1"}