Interesting write-up coming out of Lab52 where #APT28 (aka Fancy Bear) appear to be using a backdoor communicating through MAPI and Outlook, i.e. using email as a C2 channel with base64-encoded instructions etc.
https://lab52.io/blog/analyzing-notdoor-inside-apt28s-expanding-arsenal/