Notdoor — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/notdoor/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000Outlook Dialogs Disabled by Unusual Processhttps://feed.craftedsignal.io/briefs/2024-01-outlook-dialog-disabled/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-outlook-dialog-disabled/The detection identifies the modification of the Windows Registry key 'PONT_STRING' under Outlook Options by a process other than Outlook.exe, potentially indicating malware activity such as NotDoor.This threat brief addresses a technique where a process other than Outlook modifies the PONT_STRING registry value within Outlook’s options. This modification disables certain dialog popups within Outlook, which can allow malicious scripts or actions to execute without user consent or notification. The activity is associated with malware families such as NotDoor. Attackers may leverage this to harvest email information or bypass security warnings. The technique involves modifying the Windows Registry key HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Outlook\Options\General\PONT_STRING.

Attack Chain

  1. An attacker gains initial access to the system (e.g., through phishing or exploiting a software vulnerability).
  2. The attacker executes a malicious program or script (e.g., PowerShell or VBScript).
  3. The malicious program identifies the Outlook installation and its corresponding registry path.
  4. The malicious program modifies the PONT_STRING value under the HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Outlook\Options\General\ key.
  5. This modification disables Outlook’s dialog popups.
  6. The attacker executes further malicious actions, such as harvesting email credentials or injecting malicious content into emails, without user prompts.
  7. Exfiltrate data.

Impact

Successful exploitation allows attackers to bypass security warnings and execute malicious code within the context of Microsoft Outlook. This can lead to unauthorized access to sensitive email data, credential theft, and the deployment of further malware. While the number of affected organizations is currently unknown, any organization using Microsoft Outlook is potentially at risk. Disabling Outlook dialogs is a common tactic used by malware families like NotDoor to facilitate data exfiltration.

Recommendation

  • Enable Sysmon Event ID 13 (Registry events) to monitor registry modifications, as indicated in the rule’s data_source.
  • Deploy the Sigma rule Outlook Dialogs Disabled by Non-Outlook Process to detect this specific registry modification. Tune the rule using the filter macro as described in the original source.
  • Investigate any registry modifications to the HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Outlook\Options\General\PONT_STRING key by processes other than Outlook.exe.
  • Implement application control policies to restrict the execution of unauthorized or unknown scripts and executables.
]]>highadvisoryoutlookregistry_modificationmalwarenotdoor