TL;DR APT28’s Operation MacroMaze uses macro-laced Office docs and legitimate webhook services to exfiltrate data undetected. Here’s how it works and why your defenses are probably missing it.
Alright, pull up a chair, because this one is actually clever — which is more than I can say for most of the brain-dead ransomware slop I cover. APT28, Russia’s GRU-linked threat group also known as Fancy Bear, has been running an espionage campaign dubbed “Operation MacroMaze” and it’s been hitting European targets with macro-laced Office documents that exfiltrate data through legitimate webhook services. The kind your IT team almost certainly doesn’t flag because they’re used for perfectly normal business purposes. Sneaky bastards.
What Operation MacroMaze Actually Does
According to Security Affairs’ detailed writeup, APT28 sends targets phishing emails with weaponized Office documents containing embedded VBA macros. Nothing new there — macro-based phishing has been around since the 1990s. The twist is in the exfiltration method. Instead of calling back to an obvious command-and-control server that any halfway competent threat intel team would have on a blocklist, MacroMaze routes stolen data through legitimate webhook services like webhook.site and similar platforms.
Why does this matter? Because webhook.site is not malware. It’s used by developers to test integrations. It’s used by security teams for their own tooling. Blocking it would break legitimate workflows. So traffic to webhook.site typically sails straight through corporate web proxies, DLP systems, and firewall egress rules without raising an eyebrow. The stolen data — documents, credentials, session tokens — gets POST-ed to an attacker-controlled endpoint on a legitimate platform, and from there it disappears into APT28’s collection infrastructure.
SOCPrime’s analysis of Operation MacroMaze notes the campaign has targeted government bodies, defence contractors, and think tanks across Europe, with a focus on NATO-member countries. Given the ongoing geopolitical situation, that targeting profile requires zero explanation.
The ProSec Networks technical breakdown adds that the macros are obfuscated well enough to evade most signature-based antivirus detection, and that the document lures are carefully crafted to match the professional context of the target — defence policy papers, budget documents, conference invitations. Classic APT social engineering.
Why This Is Harder to Catch Than It Looks
Most organizations’ defences are calibrated for commodity threats. Ransomware gangs using known C2 infrastructure. Malware phoning home to domains with a 3-day registration history. ShinyHunters doing noisy bulk exfiltration. APT28 is not a commodity threat. They have time, patience, and operational security discipline that puts most corporate security teams to shame.
The webhook exfiltration technique specifically exploits a gap that’s present in almost every corporate security architecture: the assumption that traffic to known-good destinations is safe. Your proxy logs a POST request to webhook.site. Does your SIEM have a rule to alert on large POST payloads to that domain originating from a workstation rather than a development server? Almost certainly not. Does your DLP inspect the content of those requests? Maybe, if it’s deployed inline and actually tuned. Probably not in practice.
The macro delivery method is similarly well-calibrated. Yes, Office macros should be disabled in Group Policy for all corporate endpoints. Microsoft has even started disabling them by default in recent Office versions. But plenty of organizations still have exceptions in place — for finance teams running complex Excel models, for external document workflows, for legacy compliance systems that somebody built in 2012 and nobody wants to touch. APT28 knows this. They’ve been running macro campaigns since before most of your security analysts graduated.
I covered the trajectory of AI-augmented cyberattacks in my post on how Chinese state hackers weaponized Claude AI for 80-90% autonomous espionage campaigns. MacroMaze is the manually-crafted, patient variant of that same ambition — targeted, stealthy, and designed for long-term persistence rather than quick monetization. Different threat actor, same fundamental problem: your detection architecture is calibrated for threats that announce themselves.
The Geopolitical Context
Let’s not pretend APT28 is operating in a vacuum. This is GRU — Russian military intelligence. Operation MacroMaze targeting European government and defence organisations in early 2026 is not random. Russia’s strategic intelligence collection appetite in the current environment is, to use a technical term, enormous. As I’ve written about in academic work including Trump’s Five Percent NATO Ruse, the current NATO burden-sharing debate has created genuine intelligence value in knowing where different European capitals stand privately on defence commitments, budgets, and political will. That’s exactly what a macro-based document-stealing campaign targeting government think tanks and defence ministries would harvest.
This is not paranoia. This is how state-sponsored intelligence collection works, and it’s been documented extensively. As I laid out in Dominance on the Digital Battlefield, cyber espionage operations are the cheapest, highest-yield form of strategic intelligence collection available to nation-states today. MacroMaze is a textbook example of that doctrine in practice.
What You Need to Fix
If you’re in any organisation that handles government, defence, or politically sensitive information — or if you have employees who do — here’s your immediate action list:
Disable VBA macros via Group Policy. Microsoft has been pushing this for years. If you still have broad macro exceptions in your Office deployment, audit them this week. Every exception should have a documented business justification and a named owner. Remove any that don’t.
Block or monitor webhook services at egress. You probably don’t need your general corporate workforce posting data to webhook.site. Add it to your proxy watchlist. Alert on large POST payloads to any webhook-as-a-service platform — webhook.site, pipedream.net, hookbin.com, etc. — from non-development endpoints.
Tune your DLP for egress, not just ingress. Most DLP deployments I’ve seen are configured to stop sensitive data coming in (malware downloads) rather than going out. The exfiltration path in MacroMaze goes out. Your DLP needs to inspect and alert on large outbound POST payloads regardless of destination domain reputation.
Contextual awareness training for document handling. The MacroMaze lures are well-crafted. Generic “don’t click links” phishing training won’t catch these. Train your users to verify the source of any document that requests macro execution, especially documents that arrive via email and relate to current geopolitical topics. APT28 reads the news. So should your staff’s threat awareness programme.
Check your macro execution logs. If you’re running Microsoft Defender for Endpoint or any decent EDR, go pull the last 30 days of macro execution events. Anything unexpected — documents opened by senior staff with macro content that wasn’t generated internally — warrants investigation.
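Here is what the egress rule from the list above (large outbound POSTs to webhook-as-a-service platforms from non-development endpoints) looks like as working detection logic. This is an added example, not code from the original post or from any vendor tooling; the proxy-log layout, hostnames, dev allowlist, byte threshold and webhook paths are all constructed, and the domain watchlist is just the three platforms named above. It sums bytes per host and domain so data drip-fed in small requests is caught as well as one big POST.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Webhook-as-a-service domains named in the post (hypothetical watchlist; extend as needed).
WEBHOOK_DOMAINS = ("webhook.site", "pipedream.net", "hookbin.com")
# Hypothetical allowlist: hosts where posting to webhook services is expected work.
DEV_HOSTS = {"build-01", "ci-runner-02"}
# Alert when one host sends at least this many bytes to one webhook domain (tune per environment).
MIN_BYTES = 50_000

# Constructed proxy-log layout: <timestamp> <src_host> <method> <url> <bytes_out> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d+) (\d{3})$")

def webhook_domain(hostname):
    """Return the watchlist domain that hostname equals or is a subdomain of, else None."""
    h = (hostname or "").lower().rstrip(".")
    for d in WEBHOOK_DOMAINS:
        if h == d or h.endswith("." + d):
            return d
    return None

def find_webhook_exfil(lines):
    """Aggregate outbound POST/PUT bytes per (src_host, webhook domain) and flag large totals.
    Summing per host catches data split across many small requests, not just one big POST."""
    totals = defaultdict(lambda: {"bytes": 0, "requests": 0})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skipped here; in production, count these separately
        _ts, src, method, url, nbytes, _status = m.groups()
        domain = webhook_domain(urlsplit(url).hostname)
        if method not in ("POST", "PUT") or domain is None or src in DEV_HOSTS:
            continue
        totals[(src, domain)]["bytes"] += int(nbytes)
        totals[(src, domain)]["requests"] += 1
    alerts = []
    for (src, domain), v in sorted(totals.items()):
        if v["bytes"] >= MIN_BYTES:
            alerts.append({"src_host": src, "domain": domain, **v})
    return alerts

# Constructed sample proxy lines; hostnames and webhook paths are made up.
SAMPLE_LOG = [
    "2026-02-10T09:12:44Z ws-finance-17 POST https://webhook.site/f1e2-d3c4 182344 200",  # one big POST
    "2026-02-10T09:13:01Z build-01 POST https://webhook.site/f1e2-d3c4 182344 200",       # dev host, expected
    "2026-02-10T09:14:10Z ws-policy-03 GET https://webhook.site/f1e2-d3c4 412 200",        # GET, not an upload
    "2026-02-10T09:15:22Z ws-policy-03 POST https://abc123.m.pipedream.net/ 91002 200",    # subdomain match
    "2026-02-10T09:16:05Z ws-hr-08 POST https://example.com/upload 250000 200",             # not a webhook domain
    "2026-02-10T09:17:30Z ws-hr-08 POST https://hookbin.com/abc 24000 200",                 # drip-fed: 3 x 24000
    "2026-02-10T09:17:31Z ws-hr-08 POST https://hookbin.com/abc 24000 200",
    "2026-02-10T09:17:32Z ws-hr-08 POST https://hookbin.com/abc 24000 200",                 # total 72000, alerts
]

if __name__ == "__main__":
    for a in find_webhook_exfil(SAMPLE_LOG):
        print(f"ALERT {a['src_host']} -> {a['domain']}: {a['bytes']} bytes in {a['requests']} requests")
```

The same logic ports directly to a SIEM query: group by source host and destination domain over a time window, filter to POST/PUT, exclude your dev allowlist, and threshold on summed bytes rather than per-request size.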
As I documented in my post on Notepad++ Update Traffic Hijacked by Chinese State Hackers, state actors are systematically targeting trusted software delivery channels and workflow integrations — exactly the “known-good” traffic channels your security tools wave through without inspection. MacroMaze is the same doctrine applied to document workflows.
The Call-Out
APT28 has been around since at least 2007. They’ve breached the Democratic National Committee, the German Bundestag, the French election infrastructure, the Ukrainian power grid, and about a hundred other high-profile targets. They are not amateurs. They are not going away. And they’ve now demonstrated a technique — legitimate webhook exfiltration — that will be copied by every halfway competent espionage operator on the planet within 18 months.
If you’re a European government body, a NATO-aligned defence contractor, or a think tank that produces content on Russia, Ukraine, or European security policy, you should assume you are in APT28’s target set. Act accordingly. Waiting for an incident before caring is not a strategy.
