
Abusing ubiquitous webhook services for command‑and‑control and data exfiltration lowers detection thresholds, forcing European defenders to rethink trusted‑service abuse monitoring.
The emergence of webhook‑driven macro attacks underscores a growing trend where sophisticated actors weaponize everyday internet services. APT28’s Operation MacroMaze leverages the simplicity of webhook.site—a free, globally accessible endpoint—to both confirm victim interaction and serve as a lightweight command‑and‑control channel. By embedding a URL in the document’s XML, the threat actor bypasses traditional network defenses that focus on malicious binaries, instead exploiting the trust placed in legitimate HTTP traffic. This approach mirrors other recent campaigns that co‑opt cloud storage, DNS, and social media platforms for stealthy communications.
Technically, the malicious macro initiates a multi‑stage payload chain that blends legacy scripting with modern browser automation. After the initial beacon, a VBScript creates a scheduled task for persistence, then launches Microsoft Edge either in headless mode or off‑screen, rendering a Base64‑encoded HTML page that pulls commands from the webhook and returns results via an HTML form submission. The evolution from headless execution to SendKeys‑based keyboard simulation reflects a deliberate effort to evade sandbox detection and user prompts. Additionally, the aggressive termination of competing Edge processes ensures a controlled environment, reducing the noise that could trigger behavioral analytics.
For security teams, the campaign highlights the need to broaden telemetry beyond file hashes and network signatures. Monitoring outbound HTTP requests to known webhook domains, correlating document‑opening events with subsequent process launches, and enforcing strict macro policies are essential countermeasures. Organizations should also consider implementing deception techniques that flag unexpected webhook traffic and employ endpoint detection solutions capable of recognizing headless browser activity. As threat actors continue to repurpose benign services for malicious ends, a proactive stance on trusted‑service abuse will be critical to safeguarding European enterprises.
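The correlation the paragraph above calls for, as an added example that is not part of the original article or any vendor product: three rules run over constructed Sysmon/EDR-style events (the field names, the off-screen window heuristic and the sample command lines are assumptions; webhook.site is the endpoint named in the article), and a host is escalated only when more than one stage of the chain appears within a short window.

```python
import re

# Constructed sample telemetry (Sysmon/EDR-like shape, not real logs): process-creation
# events with parent/child image and command line, and proxy records with destination.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "schtasks.exe"}
WEBHOOK_HOSTS = {"webhook.site"}  # from the article; extend with other webhook services you track
# Heuristic (assumption): headless flag, or a window placed at a negative coordinate (off-screen).
EDGE_HIDDEN_RE = re.compile(r"--headless|--window-position=-\d+", re.I)

PROC_EVENTS = [
    {"ts": 100, "host": "WS01", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe", "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\stage.vbs"},
    {"ts": 101, "host": "WS01", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks.exe /create /tn PLACEHOLDER_TASK /tr wscript.exe"},
    {"ts": 103, "host": "WS01", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "cmdline": "msedge.exe --headless --disable-gpu data:text/html;base64,PGh0bWw+"},
    {"ts": 500, "host": "WS02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "cmdline": "msedge.exe https://example.org/"},
]
PROXY_EVENTS = [
    {"ts": 100, "host": "WS01", "image": "wscript.exe", "dest": "webhook.site"},
    {"ts": 501, "host": "WS02", "image": "msedge.exe", "dest": "example.org"},
]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(proc_events, proxy_events):
    """Return (rule, host, ts) for each stage of the chain seen in the telemetry."""
    alerts = []
    for e in proc_events:
        parent, child = basename(e["parent"]), basename(e["image"])
        if parent in OFFICE and child in SCRIPT_HOSTS:  # document open -> script host / scheduled task
            alerts.append(("office_spawns_script_host", e["host"], e["ts"]))
        if child == "msedge.exe" and EDGE_HIDDEN_RE.search(e["cmdline"]):  # headless or off-screen Edge
            alerts.append(("edge_hidden_window", e["host"], e["ts"]))
    for e in proxy_events:
        if e["dest"].lower() in WEBHOOK_HOSTS:  # beacon / C2 over a trusted webhook service
            alerts.append(("webhook_service_traffic", e["host"], e["ts"]))
    return alerts

def correlate(alerts, window=300):
    """Hosts on which at least two distinct rules fire within `window` seconds of each other."""
    hits = set()
    for rule, host, ts in alerts:
        nearby = {r for r, h, t in alerts if h == host and abs(t - ts) <= window}
        if len(nearby) >= 2:
            hits.add(host)
    return hits
```

On the constructed data, WS01 trips all three rules within four seconds and is escalated, while the interactive Edge session on WS02 produces no alert.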