Every few months, the cybersecurity world is jolted by a new backdoor, exploit, or malware strain that slips past traditional defenses. The recent discovery of NotDoor, an Outlook backdoor attributed to Russia's APT28 (aka Fancy Bear), is one such wake-up call. As Dark Reading's coverage of the attack details, NotDoor watches incoming email for a trigger string and, once activated, exfiltrates data or executes commands.
What makes NotDoor particularly insidious is how it evades conventional detection: it is brought in by DLL sideloading, where a signed Microsoft binary (OneDrive.exe) loads the attacker's DLL, and it runs as an Outlook VBA macro that inspects incoming email for a trigger string. Until that string arrives it stays dormant. In other words, it doesn't constantly hammer endpoints with noisy, observable behavior. It waits, and when triggered, it acts.
This kind of attack underscores a sobering truth: relying primarily on detection and response is no longer enough.
For years, the dominant endpoint security model has been “detect, respond, remediate.” In practice, that means continuously monitoring systems for malicious behavior, raising alerts, investigating, and then cleaning up after the fact.
But advanced adversaries like APT28 have shifted the game:
Dormant activation: NotDoor does not trigger malicious behavior on install. It lies in wait until an incoming email carries the trigger string, which leaves little for a behavioral detector to see in the meantime.
Legitimate code abuse: The malware uses DLL sideloading. A signed Microsoft binary (OneDrive.exe) loads a malicious SSPICLI.dll placed alongside it, so the attacker's code runs inside a trusted process and sidesteps signature-based defenses.
Low-noise operations: Once triggered, its actions (exfiltration via email attachments, file uploads) are small and blend into normal mail and web traffic.
Deletion of the trigger email: The backdoor deletes the triggering email, reducing the forensic trace left in the mailbox.
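The two behaviors above (OneDrive.exe sideloading SSPICLI.dll, and Outlook being used to run commands) can be checked for in endpoint telemetry. The following is an added example, not code from the article or from AppGuard, run over constructed Sysmon-style events. It assumes, as stated in the comments and not taken from the page, that the legitimate SSPICLI.dll lives in C:\Windows\System32 or SysWOW64, so a copy loaded by OneDrive.exe from anywhere else is treated as sideloading, and that Outlook spawning a command interpreter is treated as a command-execution indicator.

```python
# Added example, not code from the article or from AppGuard: detection logic
# for the two NotDoor behaviours listed above, run over constructed
# Sysmon-style events (image load, process create).
#
# Assumptions not taken from the page: the legitimate SSPICLI.dll lives in
# C:\Windows\System32 (or SysWOW64), so an SSPICLI.dll loaded by OneDrive.exe
# from any other directory is treated as DLL sideloading; and Outlook
# spawning a command interpreter is treated as a command-execution indicator.
from dataclasses import dataclass
import ntpath  # Windows path semantics, usable on any platform

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def check_image_load(ev: dict):
    """Sysmon event 7 style: process `image` loaded DLL `loaded`."""
    if _name(ev["image"]) != "onedrive.exe" or _name(ev["loaded"]) != "sspicli.dll":
        return None
    if _dir(ev["loaded"]) in SYSTEM_DIRS:
        return None  # the real system DLL; normal SSPI use
    return Alert("sspicli_sideload", ev["pid"],
                 f"{ev['image']} loaded {ev['loaded']} from outside the system directory")


def check_process_create(ev: dict):
    """Sysmon event 1 style: `parent_image` started `image`."""
    if _name(ev["parent_image"]) != "outlook.exe" or _name(ev["image"]) not in INTERPRETERS:
        return None
    return Alert("outlook_spawns_interpreter", ev["pid"],
                 f"{ev['parent_image']} started {ev['image']}")


CHECKS = {"image_load": check_image_load, "process_create": check_process_create}


def scan(events):
    """Apply the check matching each event type; return the alerts raised."""
    alerts = []
    for ev in events:
        check = CHECKS.get(ev["type"])
        if check is None:
            continue
        alert = check(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (pids and paths are invented for the example).
SAMPLE_EVENTS = [
    {"type": "image_load", "pid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "loaded": r"C:\Windows\System32\SSPICLI.dll"},                               # benign
    {"type": "image_load", "pid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\SSPICLI.dll"},   # sideload
    {"type": "process_create", "pid": 5210,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},    # benign
    {"type": "process_create", "pid": 5333,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},     # suspicious
]


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid}: {a.detail}")
```

The first rule keys on where the DLL was loaded from rather than on a hash, because the malicious DLL's hash changes between builds while the sideloading location does not; the second rule fires on a parent/child pairing rather than on a command line, which the dormant backdoor gives you nothing to match until it is triggered.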
In short, by the time traditional systems detect something suspicious, damage may already have been done.
This is not to say “detect & respond” has no value. But we must no longer lean on it as the last line of defense—we must aim to stop malicious activity before it can spread.
To outpace threats like NotDoor, organizations must adopt a security posture that emphasizes isolation and containment. The idea is straightforward: if an attacker does manage to compromise an endpoint or inject malicious code, the system's architecture should prevent that code from reaching or affecting other parts of the environment.
Key principles of this model include:
Least privilege and micro-segmentation – Restrict what each process or application can do, and compartmentalize functions so a breach in one area doesn’t cascade.
Runtime containment – When suspicious behavior or process anomalies occur, the system should isolate that process and its children rather than waiting for a full alert and human investigation.
Zero-trust for internal behavior – Even internal applications should not implicitly trust each other; communications should be controlled, segmented, and limited.
Behavioral minimization – Reduce what each application or process is allowed to do, cutting the attack surface that even a dormant payload could exploit once triggered.
Put more simply: rather than chasing threats as they show themselves, you build an architecture where threats cannot easily move or cause damage even if they exist.
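To make the least-privilege and runtime-containment principles concrete, here is an added example that is not the article's code and not AppGuard's: a toy model in which a per-application launch policy says which child processes each application may start (anything not listed is denied), and a violation isolates the offending application together with every process beneath it in the process tree, including children it starts later. The policy, process names and pids are constructed for illustration.

```python
# Added example, not code from the article or from AppGuard: a toy model of
# the containment principles above. A per-application launch policy encodes
# least privilege (which children an application may start; anything absent
# from the policy is denied), and a violation isolates the offending
# application together with every process beneath it, existing and future.
# The policy, process names and pids are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass, field

# Least-privilege launch policy: parent image -> child images it may start.
# Any parent not listed is treated as unknown and may start nothing.
LAUNCH_POLICY = {
    "explorer.exe": {"outlook.exe", "onedrive.exe", "chrome.exe"},
    "outlook.exe": {"winword.exe", "excel.exe", "acrord32.exe"},
    "onedrive.exe": set(),
    "winword.exe": set(),
}


@dataclass
class ContainmentState:
    children: dict = field(default_factory=lambda: defaultdict(list))  # ppid -> [pid]
    image: dict = field(default_factory=dict)                          # pid -> image name
    isolated: set = field(default_factory=set)                         # contained pids
    violations: list = field(default_factory=list)                     # (ppid, child image)


def _descendants(children, root):
    """Every pid beneath `root` in the process tree (iterative DFS)."""
    found, stack = set(), [root]
    while stack:
        pid = stack.pop()
        for child in children[pid]:
            if child not in found:
                found.add(child)
                stack.append(child)
    return found


def process_launch(state, ppid, parent_image, pid, image):
    """Handle one process-create event; returns True if the launch is permitted."""
    parent_image, image = parent_image.lower(), image.lower()
    state.children[ppid].append(pid)
    state.image[pid] = image

    if ppid in state.isolated:
        # Runtime containment: anything a contained process spawns is contained.
        state.isolated.add(pid)
        return False

    if image not in LAUNCH_POLICY.get(parent_image, set()):
        # Least privilege: the parent may not start this child. Isolate the
        # parent and its whole subtree, not just the new child.
        state.violations.append((ppid, image))
        state.isolated.add(ppid)
        state.isolated |= _descendants(state.children, ppid)
        return False
    return True


def replay(events):
    """Replay a list of (ppid, parent image, pid, child image) tuples."""
    state = ContainmentState()
    decisions = [process_launch(state, *ev) for ev in events]
    return state, decisions


# Constructed sequence of launches (pids invented for the example).
SAMPLE_LAUNCHES = [
    (100, "explorer.exe", 200, "outlook.exe"),
    (100, "explorer.exe", 300, "onedrive.exe"),
    (200, "outlook.exe", 201, "winword.exe"),      # allowed by policy
    (200, "outlook.exe", 202, "powershell.exe"),   # violation: Outlook may not start a shell
    (202, "powershell.exe", 203, "cmd.exe"),       # child of a contained process
    (100, "explorer.exe", 400, "chrome.exe"),      # unrelated, still allowed
]

if __name__ == "__main__":
    state, decisions = replay(SAMPLE_LAUNCHES)
    for (ppid, _, pid, image), ok in zip(SAMPLE_LAUNCHES, decisions):
        print(f"{ppid}->{pid} {image}: {'allowed' if ok else 'blocked'}")
    print("isolated:", sorted(state.isolated))
```

This models only the decision logic; on a real endpoint the enforcement point would sit in the kernel (a process-creation callback or filter driver) so that the block happens before the child runs rather than after an alert is raised. The point to note is that the decision needs no signature: powershell.exe is blocked because Outlook has no business starting it, not because anything about the launch was recognized as malicious.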
With a 10-year track record of deployment in high-security environments (defense, critical infrastructure, government), AppGuard is a proven endpoint protection solution built with isolation and containment at its core. Now available for commercial use, it offers the defenses businesses need against advanced threats like NotDoor.
Here’s how AppGuard addresses the challenges:
Containment by default: Every process (and its child processes) runs in a constrained execution space. If a process attempts a sensitive operation outside its policy, AppGuard blocks and isolates that behavior immediately.
Zero reliance on detection signatures: Instead of chasing patterns or known signatures, AppGuard enforces policies and constrains behavior regardless of how novel a threat is.
Fast remediation and rollback: If a process is isolated, AppGuard can revert changes quickly and restore a clean state without needing extensive investigation or manual cleanup.
Proven maturity: A decade of deployment in demanding environments has refined AppGuard’s stability, scalability, and resilience.
Commercial readiness: Today’s businesses can adopt what was once limited to government and critical infrastructure, bringing enterprise-grade containment to their endpoints.
By shifting your endpoint security from “detect & respond” to “isolation & containment,” AppGuard helps you stay ahead of adversaries who are constantly innovating.
Reassess your endpoint strategy: If your primary defense is signature-based detection tools supplemented by EDR, understand that threats like NotDoor may slip through.
Adopt a containment-centric approach: Look for solutions that can isolate suspect behavior in real time rather than merely flag it.
Pilot AppGuard in critical segments: Start with a subset of endpoints (e.g. high-value systems) to validate before broader rollout.
Train your security team: The mindset must shift—from chasing alerts to managing containment zones.
Measure success differently: Focus on prevented lateral movement, containment efficacy, and time to rollback—not just number of alerts.
The NotDoor incident is more than just a headline—it’s a warning. Detection and response alone are no longer sufficient in the face of advanced adversaries like APT28.
At CHIPS, we believe that businesses must move to a prevention posture grounded in isolation and containment. If you’re a business owner or security leader, talk to us about how AppGuard can defend your environment before compromise spreads.
Let’s discuss how to shift your security from “detect & respond” to “isolate & contain.” Reach out to CHIPS today—don’t wait for your organization to become the next test case.