Government and Military Organizations in Poland, Government and Military Organizations in Ukraine and Government and Military Organizations in Greece: APT28 Hackers Exploit Microsoft Office Vulnerability to Target Government Agencies

APT28 Exploits Zero-Click Microsoft Office Flaw in European Espionage Campaign

In late January 2026, Russian state-backed hacking group APT28 (Fancy Bear) launched a targeted cyberespionage campaign against government and military organizations in Poland, Greece, and Ukraine, focusing on maritime and transport agencies. The attacks leveraged spear-phishing emails disguised as official communications, exploiting a newly discovered zero-click vulnerability (CVE-2026-21509) in Microsoft Office to bypass security measures.

Attack Methodology

The campaign began between January 28–30, 2026, with phishing emails using four primary lures:

  • Weapons smuggling alerts
  • Military training invitations
  • Diplomatic requests from NATO/EU
  • Urgent weather warnings

A notable spelling error, "Boarder Police" instead of "Border Police", hinted at non-native English speakers behind the operation. Attachments such as "BULLETEN_H.doc" mimicked legitimate government documents, complete with official logos.

Zero-Click Exploitation

The core of the attack exploited CVE-2026-21509, a flaw in Microsoft Office's OLE (Object Linking and Embedding) handling. Unlike traditional macro-based lures, which need the victim to click through a warning and enable content, the exploit ran as soon as the document was opened, with no further interaction and no macro prompt to alert the user. Once the document was opened:

  1. The document triggered an outbound WebDAV connection to fetch the payload from an attacker-controlled server.
  2. The payload, the BeardShell malware, was embedded in a PNG file so that it passed as an image, and ran through a multi-stage infection chain.
  3. SimpleLoader provided persistence, while the Covenant command-and-control framework communicated through filen.io, a legitimate cloud storage service, so that its traffic blended with normal use.
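The chain above leaves three host-side signals worth hunting for: an Office process opening an outbound connection (the WebDAV fetch), an Office process spawning a living-off-the-land binary for the later stages, and a non-browser process resolving filen.io (the Covenant channel). The following triage script is an added example, not code from the report or from any of the researchers it cites. It runs over constructed Sysmon-style events embedded inline; the allowlists, internal address ranges, and the command line and hostnames in the sample are assumptions chosen for illustration.

```python
"""Added hunting example (not from the original report): triage constructed
Sysmon-style events for the signals the infection chain leaves on a host."""
import ipaddress
import json
from typing import Iterable

# Hypothetical allowlists; tune them to the environment being hunted.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}
SUSPICIOUS_CHILDREN = {"rundll32.exe", "regsvr32.exe", "mshta.exe",
                       "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# filen.io is named in the report; any further C2 domain is your own addition.
C2_DOMAINS = ("filen.io",)
# Assumed corporate ranges; anything outside them is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "::1/128", "fc00::/7")]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_external(ip: str) -> bool:
    """True when the address is outside INTERNAL_NETS; garbage is treated as internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def _under_domain(name: str, domains) -> bool:
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def triage(events: Iterable[dict]) -> list:
    """Return one finding per matching event, in input order.

    Sysmon event IDs: 1 = process creation, 3 = network connection,
    22 = DNS query. Field names follow Sysmon's own schema.
    """
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        image = _basename(ev.get("Image", ""))
        parent = _basename(ev.get("ParentImage", ""))
        host = ev.get("Computer", "?")
        if eid == 1 and parent in OFFICE_IMAGES and image in SUSPICIOUS_CHILDREN:
            findings.append({"rule": "office_spawns_lolbin", "host": host,
                             "detail": f"{parent} -> {image} {ev.get('CommandLine', '')}".strip()})
        elif (eid == 3 and image in OFFICE_IMAGES
              and str(ev.get("Initiated", "true")).lower() == "true"
              and _is_external(ev.get("DestinationIp", ""))):
            findings.append({"rule": "office_outbound_connection", "host": host,
                             "detail": f"{image} -> {ev['DestinationIp']}:{ev.get('DestinationPort')}"})
        elif eid == 22 and image not in BROWSERS and _under_domain(ev.get("QueryName", ""), C2_DOMAINS):
            findings.append({"rule": "c2_domain_lookup", "host": host,
                             "detail": f"{image} resolved {ev['QueryName']}"})
    return findings


# Constructed sample events: the IP is a documentation address, the DLL path
# and the filen.io subdomain are made up for the example.
SAMPLE_EVENTS = json.loads(r"""[
 {"EventID": 3, "Computer": "WS01", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
  "Initiated": "true", "DestinationIp": "10.0.0.5", "DestinationPort": 445},
 {"EventID": 3, "Computer": "WS01", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
  "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 80},
 {"EventID": 1, "Computer": "WS01", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
  "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "rundll32.exe C:\\Users\\Public\\stage.dll,Start"},
 {"EventID": 22, "Computer": "WS01", "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
  "QueryName": "filen.io"},
 {"EventID": 22, "Computer": "WS01", "Image": "C:\\Windows\\System32\\svchost.exe",
  "QueryName": "cdn.filen.io"}
]""")

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['host']}: {f['detail']}")
```

The first sample connection (to an internal file server) and the browser's lookup of filen.io are deliberately left unflagged: the point of the allowlists is that Office reaching an outside host and a service process resolving the storage provider are the anomalies, not Office traffic or filen.io use as such. A WebDAV fetch may also be brokered by the Windows WebClient service rather than by the Office process itself, so pair this with a check on that service's connections in environments where it is enabled.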

Outlook Espionage Tool: NotDoor

APT28 also deployed NotDoor, a backdoor targeting Microsoft Outlook. The tool:

  • Created hidden email forwarding rules for messages containing keywords such as "secret" or "report."
  • Silently sent copies to the attackers, then deleted the evidence of the transfer.
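The combination described here (a keyword condition, a forward or redirect to an outside address, and deletion or hiding of the original) is what a mailbox rule audit should score. The following script is an added example, not code from the report or from the NotDoor analysis it summarises. It audits constructed rule records whose field names follow Exchange's Get-InboxRule output; the organisation domain, the extra keywords beyond "secret" and "report", and the sample addresses are assumptions for illustration.

```python
"""Added audit example (not from the original report): flag inbox rules that
match the keyword-forward-delete pattern in records shaped like Get-InboxRule output."""
from typing import Iterable

# Hypothetical organisation domains; any other recipient domain counts as external.
ORG_DOMAINS = {"ministry.example"}
# "secret" and "report" come from the report; the other two are additions.
SENSITIVE_WORDS = {"secret", "report", "classified", "confidential"}
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_FIELDS = ("SubjectContainsWords", "BodyContainsWords")


def _as_list(value) -> list:
    """Rule fields may serialise as null, a single string, or a list."""
    if not value:
        return []
    return [value] if isinstance(value, str) else list(value)


def _is_external(address: str) -> bool:
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    return domain not in ORG_DOMAINS


def audit_rule(rule: dict) -> list:
    """Reasons a single rule is suspicious (empty list when it looks benign).

    A rule is reported only if it forwards or redirects outside the organisation
    or has a blank name; keyword triggers and evidence removal are recorded as
    aggravating factors, so ordinary internal delegation rules stay quiet.
    """
    targets = [t for f in FORWARD_FIELDS for t in _as_list(rule.get(f))]
    external = [t for t in targets if _is_external(t)]
    blank_name = not (rule.get("Name") or "").strip()
    if not external and not blank_name:
        return []
    reasons = []
    if external:
        reasons.append("forwards outside the organisation: " + ", ".join(external))
    if blank_name:
        reasons.append("blank rule name (hidden from the Outlook rules list)")
    words = {w.lower() for f in KEYWORD_FIELDS for w in _as_list(rule.get(f))}
    hits = sorted(words & SENSITIVE_WORDS)
    if hits:
        reasons.append("keyword trigger: " + ", ".join(hits))
    if rule.get("DeleteMessage"):
        reasons.append("deletes the message after forwarding")
    elif rule.get("MarkAsRead"):
        reasons.append("marks the message read to hide it")
    return reasons


def audit_mailbox(rules: Iterable[dict]) -> list:
    """Findings for every suspicious rule in one mailbox's exported rule list."""
    findings = []
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            findings.append({"name": rule.get("Name", ""),
                             "enabled": bool(rule.get("Enabled", True)),
                             "reasons": reasons})
    return findings


# Constructed sample export; recipients use reserved example domains.
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "Newsletters",
     "SubjectContainsWords": ["newsletter"]},
    {"Name": "Deputy copy", "Enabled": True, "ForwardTo": ["deputy@ministry.example"],
     "SubjectContainsWords": ["report"]},
    {"Name": "", "Enabled": True, "ForwardAsAttachmentTo": ["collector@example.net"],
     "SubjectContainsWords": ["secret", "report"], "DeleteMessage": True},
    {"Name": "Sync", "Enabled": True, "RedirectTo": "archive@example.org",
     "BodyContainsWords": ["classified"], "MarkAsRead": True},
]

if __name__ == "__main__":
    for f in audit_mailbox(SAMPLE_RULES):
        print(f"rule {f['name']!r} (enabled={f['enabled']}): " + "; ".join(f["reasons"]))
```

In Exchange Online the input can be produced per mailbox with Get-InboxRule piped to ConvertTo-Json and fed to audit_mailbox; the internal "Deputy copy" rule is intentionally not reported even though it triggers on "report", because treating every keyword rule as hostile buries the real findings. Disabled rules are still returned, with enabled set to False, since an attacker can re-enable one later.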

Rapid Exploitation & Impact

The group demonstrated agility, weaponizing the vulnerability within hours of disclosure. The campaign underscored APT28’s ability to blend malicious activity with legitimate traffic, complicating detection. Organizations were urged to patch CVE-2026-21509 and monitor for unusual filen.io traffic or NotDoor-related Outlook rules.

The operation highlights the evolving sophistication of state-sponsored cyber threats, particularly in targeted espionage against critical infrastructure.

Source: https://gbhackers.com/microsoft-office/

Analytical Center for the Government of the Russian Federation cybersecurity rating report: https://www.rankiteo.com/company/analytical-center-for-the-government-of-the-russian-federation

"id": "ANA1770280566",
"linkid": "analytical-center-for-the-government-of-the-russian-federation",
"type": "Cyber Attack",
"date": "1/2026",
"severity": "100",
"impact": "8",
"explanation": "Attack that could bring to a war"
{'affected_entities': [{'industry': ['Maritime', 'Transport', 'Defense'],
                        'location': ['Poland', 'Greece', 'Ukraine'],
                        'type': 'Government and military organizations'}],
 'attack_vector': ['Spear-phishing emails',
                   'Zero-click vulnerability exploitation'],
 'data_breach': {'data_exfiltration': True,
                 'file_types_exposed': ['Microsoft Office documents', 'Emails'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Government communications',
                                              'Military documents',
                                              'Sensitive emails']},
 'date_detected': '2026-01-28',
 'description': 'In late January 2026, Russian state-backed hacking group '
                'APT28 (Fancy Bear) launched a targeted cyberespionage '
                'campaign against government and military organizations in '
                'Poland, Greece, and Ukraine, focusing on maritime and '
                'transport agencies. The attacks leveraged spear-phishing '
                'emails disguised as official communications, exploiting a '
                'newly discovered zero-click vulnerability (CVE-2026-21509) in '
                'Microsoft Office to bypass security measures.',
 'impact': {'data_compromised': 'Government and military communications, '
                                'sensitive documents',
            'operational_impact': 'Espionage and data exfiltration',
            'systems_affected': ['Microsoft Office', 'Microsoft Outlook']},
 'initial_access_broker': {'backdoors_established': ['NotDoor (Outlook '
                                                     'backdoor)',
                                                     'BeardShell (malware)'],
                           'entry_point': 'Spear-phishing emails with '
                                          'malicious attachments',
                           'high_value_targets': ['Government agencies',
                                                  'Military organizations',
                                                  'Maritime and transport '
                                                  'agencies']},
 'lessons_learned': 'The campaign underscored APT28’s ability to blend '
                    'malicious activity with legitimate traffic, complicating '
                    'detection. Organizations must prioritize patching '
                    'zero-day vulnerabilities and monitoring for unusual '
                    'traffic patterns.',
 'motivation': 'Espionage',
 'post_incident_analysis': {'corrective_actions': ['Immediate patching of '
                                                   'CVE-2026-21509',
                                                   'Enhanced monitoring of '
                                                   'cloud services for '
                                                   'malicious traffic',
                                                   'Implementation of email '
                                                   'security measures to '
                                                   'detect phishing attempts',
                                                   'Regular security awareness '
                                                   'training for employees'],
                            'root_causes': 'Exploitation of zero-click '
                                           'vulnerability (CVE-2026-21509) in '
                                           'Microsoft Office, lack of timely '
                                           'patching, and insufficient '
                                           'monitoring of legitimate cloud '
                                           'services (filen.io) for malicious '
                                           'activity'},
 'recommendations': ['Patch CVE-2026-21509 immediately',
                     'Monitor for unusual filen.io traffic',
                     'Check for NotDoor-related Outlook rules',
                     'Enhance email security and phishing awareness training'],
 'response': {'enhanced_monitoring': 'Monitor for unusual filen.io traffic or '
                                     'NotDoor-related Outlook rules',
              'remediation_measures': 'Patch CVE-2026-21509, monitor for '
                                      'unusual filen.io traffic or '
                                      'NotDoor-related Outlook rules'},
 'threat_actor': 'APT28 (Fancy Bear)',
 'title': 'APT28 Exploits Zero-Click Microsoft Office Flaw in European '
          'Espionage Campaign',
 'type': 'Cyberespionage',
 'vulnerability_exploited': 'CVE-2026-21509 (Microsoft Office OLE flaw)'}