LAB52 identified a backdoor that abuses OneDrive.exe to load a malicious version of sspicli.dll, which in turn drops a VBA backdoor and uses Outlook to execute the macro.
Reference: LAB52, "Analyzing NotDoor: Inside APT28’s Expanding Arsenal".
A threat actor can craft a malicious SSPICLI.dll, write it to the same directory as OneDrive.exe, and have the payload run the next time OneDrive.exe starts: the loader resolves the import from the application's own directory before it looks in System32, so the planted copy wins (classic DLL search-order hijacking). The only legitimate copies of sspicli.dll live under %SystemRoot%\System32 (and SysWOW64 for 32-bit processes).
To test this, I created a benign DLL that could possibly be used for Detection Engineering testing. When loaded, it displays the following popup:
You can use Dependency Walker to see that OneDrive.exe loads sspicli.dll. OneDrive.exe is installed per user under
%LOCALAPPDATA%\Microsoft\OneDrive\
or machine-wide under %ProgramFiles%\Microsoft OneDrive\
so those two directories (and their versioned subfolders) are where a planted sspicli.dll would have to be written.
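A detection-engineering check that follows directly from the above, written here as an added example (it is not code from the original post or from the LAB52 report): it hunts both OneDrive install locations for any sspicli.dll on disk, hashes each hit against the System32 copy and reads its Authenticode signature, and then checks a running OneDrive.exe for an sspicli.dll mapped from anywhere other than System32/SysWOW64. The function name Test-OneDriveSspicli and the output fields are my own; it assumes Windows PowerShell 5.1 or later on the host being examined.

```powershell
# Added example, not from the original post or the LAB52 report.
# Hunts for an sspicli.dll planted beside OneDrive.exe. OneDrive does not ship
# its own copy of this Windows system DLL, so any copy under the OneDrive
# install directories is a sideloading candidate worth investigating.

$oneDriveDirs = @(
    (Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive'),   # per-user install
    (Join-Path $env:ProgramFiles 'Microsoft OneDrive')     # per-machine install
)

function Test-OneDriveSspicli {
    param([string[]]$Dirs = $oneDriveDirs)   # Test-OneDriveSspicli is a name chosen for this example

    # Reference hash of the legitimate 64-bit copy, for triage of any hit.
    $refPath = Join-Path $env:SystemRoot 'System32\sspicli.dll'
    $refHash = (Get-FileHash -Path $refPath -Algorithm SHA256).Hash

    # 1. On-disk hunt: any sspicli.dll under the OneDrive directories (recursive,
    #    because OneDrive keeps versioned subfolders next to OneDrive.exe).
    foreach ($dir in $Dirs) {
        if (-not (Test-Path -Path $dir)) { continue }
        Get-ChildItem -Path $dir -Filter 'sspicli.dll' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                [pscustomobject]@{
                    Check           = 'OnDisk'
                    Path            = $_.FullName
                    SHA256          = $hash
                    MatchesSystem32 = ($hash -eq $refHash)      # an exact system copy is still misplaced
                    SigStatus       = $sig.Status               # Valid / NotSigned / HashMismatch ...
                    Signer          = $sig.SignerCertificate.Subject
                    Verdict         = 'sspicli.dll outside System32: investigate'
                }
            }
    }

    # 2. Live check: a running OneDrive.exe should only have sspicli.dll mapped
    #    from System32 (or SysWOW64 if OneDrive.exe is 32-bit). Module
    #    enumeration can fail across bitness, so errors are suppressed.
    $sysDirs = @(
        (Join-Path $env:SystemRoot 'System32'),
        (Join-Path $env:SystemRoot 'SysWOW64')
    )
    Get-Process -Name 'OneDrive' -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try { $mods = $proc.Modules } catch { $mods = @() }
        $mods |
            Where-Object { $_.ModuleName -ieq 'sspicli.dll' } |
            Where-Object {
                $loadedFrom = Split-Path -Path $_.FileName -Parent
                -not ($sysDirs | Where-Object { $loadedFrom -ieq $_ })
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Check           = 'LoadedModule'
                    Path            = $_.FileName
                    SHA256          = (Get-FileHash -Path $_.FileName -Algorithm SHA256).Hash
                    MatchesSystem32 = $false
                    SigStatus       = (Get-AuthenticodeSignature -FilePath $_.FileName).Status
                    Signer          = "PID $($proc.Id)"
                    Verdict         = 'OneDrive.exe has sspicli.dll mapped from a non-system path'
                }
            }
    }
}

# Usage: no output means no sspicli.dll was found outside the system directories.
Test-OneDriveSspicli | Format-List
```

Both checks are deliberately name-based rather than signature-based: the point of this hijack is that the planted file is named exactly like a system DLL and sits where the loader looks first, so the presence of the filename in the wrong directory is the signal, and the hash and signature fields are there to speed up triage rather than to decide the verdict. A valid Authenticode signature does not clear a hit either, since the file could be a renamed signed binary, so anything the function returns should be pulled for analysis.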