
The campaign shows that low-tech tooling built on legitimate infrastructure can exfiltrate data stealthily, and it forces enterprises to rethink their controls around Office macros and outbound webhook traffic.
The MacroMaze operation marks a shift in APT28's tradecraft toward minimalist, infrastructure-agnostic techniques. By abusing the INCLUDEPICTURE field, the group turns an ordinary Word feature into a reliable beacon: Word resolves the field's remote URL when the document is rendered, so the operators learn in near real time that a victim has opened the lure, without any of the code execution that traditional sandboxes alert on at that stage. The approach sidesteps complex exploit chains in favour of publicly available webhook services whose traffic blends into normal HTTPS, which complicates attribution and incident response.
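As an added example (not code from the original report or from the actors it describes), the following Python scans a .docx for INCLUDEPICTURE fields that point at remote locations, the mechanism the beacon relies on. It handles both simple fields and complex fields whose instruction text is split across several runs, which is how a document can hide the keyword from naive string searches, and it scans headers and footers as well as the body. The sample document, the webhook host `hooks.example.net` and the UNC path are constructed for the example; the `\d` switch it reports on is Word's "do not store the picture data" switch, which is what makes the image re-fetch on every open.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
# INCLUDEPICTURE <target> [switches]; the target may be quoted or bare.
FIELD_RE = re.compile(r'INCLUDEPICTURE\s+(?:"([^"]+)"|(\S+))(.*)', re.IGNORECASE | re.DOTALL)
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "file:", "\\\\")


def field_instructions(xml_bytes):
    """Yield every field instruction in one WordprocessingML part.

    Simple fields carry the instruction in w:fldSimple/@w:instr. Complex fields
    spread it over w:instrText runs between fldChar 'begin' and 'separate';
    joining those runs defeats the trick of splitting 'INCLUDEPICTURE' across
    runs so that no single text node contains the keyword.
    """
    root = ET.fromstring(xml_bytes)
    for fld in root.iter(W + "fldSimple"):
        yield fld.get(W + "instr", "")
    stack = []  # one buffer per open (possibly nested) complex field
    for el in root.iter():  # depth-first order == document order of runs
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append({"text": [], "open": True})
            elif kind == "separate" and stack:
                stack[-1]["open"] = False  # result text follows, not instruction
            elif kind == "end" and stack:
                yield "".join(stack.pop()["text"])
        elif el.tag == W + "instrText" and stack and stack[-1]["open"]:
            stack[-1]["text"].append(el.text or "")


def find_remote_pictures(docx_bytes):
    """Return (part, target, refetch_on_open) for every INCLUDEPICTURE field whose
    target lies outside the document. refetch_on_open is True when the \\d switch
    is present, i.e. Word stores no image data and fetches the URL on each open."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue  # body, headers, footers, footnotes all live under word/
            for instr in field_instructions(z.read(name)):
                m = FIELD_RE.search(instr)
                if not m:
                    continue
                target = (m.group(1) or m.group(2)).strip()
                if target.lower().startswith(REMOTE_PREFIXES):
                    hits.append((name, target, "\\d" in m.group(3)))
    return hits


def build_sample_docx():
    """Constructed lure (not a real sample): a benign local picture that must not
    fire, a body field split across three runs with \\d, and a header field that
    points at a UNC share. Only the word/*.xml parts matter to the scanner."""
    document = rf'''<w:document xmlns:w="{W_NS}"><w:body><w:p>
<w:fldSimple w:instr=" INCLUDEPICTURE &quot;C:\Users\me\logo.png&quot; "><w:r><w:t/></w:r></w:fldSimple>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> INCLUDE</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">PICTURE "https://hooks.example.net/t/abc123" </w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">\d \* MERGEFORMAT </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>[image]</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>'''
    header = rf'''<w:hdr xmlns:w="{W_NS}"><w:p>
<w:fldSimple w:instr=" INCLUDEPICTURE &quot;\\10.0.0.5\share\pixel.png&quot; \d "><w:r><w:t/></w:r></w:fldSimple>
</w:p></w:hdr>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document)
        z.writestr("word/header1.xml", header)
    return buf.getvalue()


SAMPLE_DOCX = build_sample_docx()

if __name__ == "__main__":
    for part, target, refetch in find_remote_pictures(SAMPLE_DOCX):
        print(f"{part}: {target} (re-fetched on every open: {refetch})")
```

Run it against quarantined attachments before detonation: a remote INCLUDEPICTURE with `\d` in a header or footer is a strong tracking-beacon indicator on its own, and it is visible without opening the document in Word.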
Beyond the initial beacon, the macro payload orchestrates a multi-stage drop chain that writes six scripts (VBS, BAT, CMD, HTM and XHTML files) into the user's profile under GUID-style filenames. The scripts build their commands by concatenating string fragments to defeat simple pattern matching, spawn a VBScript launcher, and register a scheduled task for long-term persistence. For exfiltration, the final HTML payload is opened in Edge in headless mode and auto-submits a form carrying the command output straight to the webhook endpoint. Because the transfer is an ordinary HTTPS POST from a signed Microsoft browser, the durable artifacts are limited to the dropped scripts and the scheduled task, and the browser-based channel slips past endpoint detections that key on scripting engines or unfamiliar network clients.
For security teams, MacroMaze underscores the need for macro hardening, monitoring of outbound webhook traffic, and behavioral analytics that flag anomalous activity around Office documents: remote field fetches on open, Office processes spawning script interpreters, scheduled tasks that point into a user profile, and browsers launched headless by a script. Signature-based defenses may miss the benign-looking webhook URLs, and because the exfiltration rides a legitimate browser over HTTPS, network controls that trust well-known clients will not stop it. Organizations should enforce strict macro policies (at minimum, block macros in documents that carry the Mark of the Web), detonate samples in a sandbox that fully renders Office documents so that field fetches surface as network activity, and restrict outbound traffic to public webhook services to the hosts with a documented business need.
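The detection side of the drop chain and the recommendations above, as an added example that is not part of the original report: a small set of rules over process-creation events (Sysmon event 1 or Windows 4688 field names `Image`, `ParentImage`, `CommandLine`) that catch the behaviors the chain cannot avoid, an Office process spawning a script host, a GUID-named script run from the user profile, a scheduled task whose action points into the profile, and a headless browser opened on a local HTML file. The events are constructed for the example, the rule names are mine, and the GUID and user names are placeholders; the webhook destination itself is not on the command line (it sits in the HTML form), so that part of the recommendation belongs to proxy or DNS logs rather than to these rules.

```python
import re
from pathlib import PureWindowsPath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe", "schtasks.exe"}
BROWSERS = {"msedge.exe", "chrome.exe"}
# GUID-style filename with one of the dropped script extensions from the chain.
GUID_SCRIPT = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.(vbs|bat|cmd|htm|html|xhtml)",
    re.IGNORECASE,
)
SCRIPT_EXT = re.compile(r"\.(vbs|bat|cmd|js|hta)\b", re.IGNORECASE)


def base(path):
    """Lower-cased file name of a Windows path; works on non-Windows hosts too."""
    return PureWindowsPath(path).name.lower()


def classify(ev):
    """Return the rule names a single process-creation event trips (in rule order)."""
    image, parent = base(ev["Image"]), base(ev["ParentImage"])
    cmd = ev["CommandLine"]
    low = cmd.lower()
    hits = []
    # 1. Office spawning a script interpreter or task scheduler: the macro's first step.
    if parent in OFFICE and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # 2. A script host (or schtasks) referencing a GUID-named script under \Users\.
    if image in SCRIPT_HOSTS and "\\users\\" in low and GUID_SCRIPT.search(cmd):
        hits.append("guid_named_script_in_profile")
    # 3. Persistence: schtasks /create whose /tr action runs a script from a profile.
    if image == "schtasks.exe" and "/create" in low and "/tr" in low \
            and "\\users\\" in low and SCRIPT_EXT.search(cmd):
        hits.append("scheduled_task_runs_profile_script")
    # 4. Exfil stage: a headless browser started by a script or pointed at a local HTML file.
    if image in BROWSERS and "--headless" in low \
            and (parent in SCRIPT_HOSTS or re.search(r"file:///|\.x?html?\b", cmd, re.IGNORECASE)):
        hits.append("headless_browser_opens_local_html")
    return hits


def triage(events):
    """Map event Id -> tripped rules for every event that trips at least one rule."""
    return {ev["Id"]: rules for ev in events if (rules := classify(ev))}


# Constructed events (not real telemetry): three stages of the chain plus two benign launches.
GUID = "6f1c3a2e-8b4d-4e9a-9c1f-2d3e4f5a6b7c"
SAMPLE_EVENTS = [
    {"Id": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": rf'wscript.exe //B "C:\Users\alice\{GUID}.vbs"'},
    {"Id": 2, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": rf'schtasks.exe /create /sc minute /mo 30 /tn "EdgeUpdateCheck" '
                    rf'/tr "wscript.exe //B C:\Users\alice\{GUID}.vbs" /f'},
    {"Id": 3, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless '
                    r'--disable-gpu file:///C:/Users/alice/AppData/Local/Temp/'
                    r'0a9b8c7d-6e5f-4a3b-2c1d-0e9f8a7b6c5d.htm'},
    {"Id": 4, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'msedge.exe https://intranet.example.com/'},
    {"Id": 5, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'WINWORD.EXE /n "C:\Users\alice\Documents\report.docx"'},
]

if __name__ == "__main__":
    for event_id, rules in triage(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

Each rule alone will produce some noise (administrators do create scheduled tasks, and build pipelines do run headless browsers); the value is in correlating them on one host within a short window, where events 1 to 3 together describe exactly the chain the report lays out.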