Cybersecurity researchers have uncovered a sophisticated espionage operation in which attackers maintained covert access to the Outlook mailbox of a senior executive at a major global stock exchange for at least five months.
The campaign, discovered by security researchers at Symantec and Carbon Black’s Threat Hunter Team, focused on intelligence gathering rather than financial theft. By quietly copying mailbox contents in small, recurring batches and routing the data through trusted cloud services such as Dropbox and OneDrive, the attackers were able to blend malicious activity into normal network traffic and remain undetected for an extended period.
A High-Value Intelligence Target
Although the identities of both the executive and the stock exchange remain undisclosed, the strategic value of such a target is significant.
A senior exchange executive’s mailbox can contain highly sensitive information, including:
- Non-public company listing details
- Regulatory and enforcement discussions
- Corporate merger and acquisition plans
- Market-moving announcements
- Internal communications
- Executive calendars and contact lists
Maintaining access for several months would have provided attackers with a detailed understanding of the executive’s activities, relationships, and future business initiatives without requiring broader access to corporate systems.
Timeline of the Intrusion
Researchers traced the earliest malicious activity to October 10, 2025. At that point, attackers were already operating with SYSTEM-level privileges on the compromised machine, indicating they had gained complete control before detection.
Two malicious binaries were observed masquerading as legitimate software components:
- An Adobe updater
- A Microsoft OneDrive process
The initial entry point remains unknown. However, investigators believe the compromise likely originated through lateral movement from another previously compromised system within the organization’s environment.
Mailbox Theft Operation Begins
The operation escalated on November 12, 2025, when attackers deployed a specialized mailbox extraction tool.
The malware leveraged Aspose, a legitimate .NET library commonly used to read and process Microsoft Outlook OST and PST files. By embedding the library within a custom executable, attackers were able to export mailbox contents into PST files for exfiltration.
The first execution captured all mailbox data dating back to August 2025.
Subsequent operations followed a highly disciplined schedule. Every two to four weeks, attackers returned and extracted only newly created email data since the previous collection cycle.
Researchers identified eight additional mailbox exports between November 2025 and February 17, 2026, effectively creating a near-continuous archive of the executive’s communications.
Using Cloud Services to Evade Detection
One of the most notable aspects of the operation was the attackers’ use of legitimate cloud storage services to conceal data exfiltration.
The threat actors utilized:
- Dropbox
- OneDrive Personal
Rather than relying on suspicious external infrastructure, they leveraged trusted platforms that organizations commonly allow through security controls.
Researchers also observed attackers connecting directly to hard-coded Microsoft IP addresses instead of using the standard OneDrive domain. This tactic eliminated DNS lookups that could have alerted perimeter monitoring systems to suspicious activity.
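The DNS-less connection pattern described above is something a defender can hunt for by correlating DNS answer logs with outbound connection logs per host. The script below is an added example written for this article, not code from the Symantec/Carbon Black report; the log shape, the 60-second correlation window, the internal address ranges, and the sample events (TEST-NET addresses, hostnames and process names) are all constructed assumptions.

```python
"""Flag outbound connections to external IPs that no DNS answer on the host explains.

Added example, not from the Symantec/Carbon Black report. The report describes
attackers reaching hard-coded Microsoft IP addresses for OneDrive instead of
resolving the OneDrive domain; this check looks for exactly that gap between
DNS telemetry and connection telemetry. Event format, window and address ranges
are assumptions.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed DNS answer events: (timestamp, host, query name, resolved IP).
DNS_EVENTS = [
    ("2025-11-12T09:00:01", "ws-exec-01", "onedrive.live.com", "203.0.113.10"),
    ("2025-11-12T09:00:05", "ws-exec-01", "api.dropboxapi.com", "203.0.113.20"),
]

# Constructed connection events: (timestamp, host, process, dst IP, dst port).
CONN_EVENTS = [
    ("2025-11-12T09:00:02", "ws-exec-01", "OneDrive.exe", "203.0.113.10", 443),
    ("2025-11-12T09:00:06", "ws-exec-01", "Dropbox.exe", "203.0.113.20", 443),
    # Reached by IP with no DNS answer on this host: the pattern the report describes.
    ("2025-11-12T09:31:00", "ws-exec-01", "OneDriveUpdater.exe", "203.0.113.30", 443),
    # Internal destination: out of scope for this check.
    ("2025-11-12T09:32:00", "ws-exec-01", "svchost.exe", "10.0.0.5", 445),
]

# Assumed: a DNS answer must precede the connection within this window to "explain" it.
WINDOW = timedelta(seconds=60)

# Assumed: the organisation's internal ranges (RFC 1918); traffic to them is not scored.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _ts(s):
    return datetime.fromisoformat(s)


def is_internal(ip):
    """True if `ip` falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_dns_index(dns_events):
    """Map (host, ip) -> sorted times at which a DNS answer returned that IP."""
    index = {}
    for ts, host, _qname, ip in dns_events:
        index.setdefault((host, ip), []).append(_ts(ts))
    for times in index.values():
        times.sort()
    return index


def explained_by_dns(index, host, ip, when, window=WINDOW):
    """True if a DNS answer for `ip` was seen on `host` within `window` before `when`."""
    return any(when - window <= t <= when for t in index.get((host, ip), []))


def find_dnsless_connections(dns_events, conn_events, window=WINDOW):
    """Return connections to external IPs that no recent DNS answer on that host explains."""
    index = build_dns_index(dns_events)
    findings = []
    for ts, host, proc, ip, port in conn_events:
        if is_internal(ip):
            continue
        if not explained_by_dns(index, host, ip, _ts(ts), window):
            findings.append({"time": ts, "host": host, "process": proc, "dst": f"{ip}:{port}"})
    return findings


if __name__ == "__main__":
    for finding in find_dnsless_connections(DNS_EVENTS, CONN_EVENTS):
        print("connection with no explaining DNS answer:", finding)
```

The check is deliberately per host: a DNS answer seen on one workstation does not explain a connection from another. Real deployments would also need to tolerate long-lived DNS caches (a larger window or TTL-aware logic) and exclude known direct-to-IP software.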
Advanced Stealth Techniques
To maintain persistence and avoid detection, attackers disguised scheduled tasks as legitimate software services associated with:
- Adobe
- Lenovo
- Microsoft OneDrive
These fake tasks helped conceal malicious operations among routine system processes.
The attackers also briefly experimented with the public file-sharing service temp.sh in November before abandoning its use.
The final recorded activity occurred on March 19, 2026, when a new backdoor was deployed but never executed. Researchers believe this may indicate that the attackers lost access to the environment shortly afterward.
Additional Tools Found During the Investigation
Symantec’s analysis revealed evidence of a broader intrusion toolkit beyond the mailbox-stealing malware.
The toolkit included:
- FRPC: Used for creating encrypted tunnels and bypassing network restrictions.
- Secretsdump: A credential extraction utility capable of retrieving Windows authentication data.
- SharpDecryptPwd: Designed to recover saved passwords from applications and services.
- User Account Control (UAC) bypass tools: Used to elevate privileges and avoid Windows security prompts.
The researchers' report does not specify how each of these tools was used in this particular intrusion.
Attribution Remains Unclear
At this time, investigators have not attributed the operation to any known threat group.
The attackers relied heavily on publicly available tools and trusted cloud platforms, leaving few unique indicators that could tie the campaign to a specific actor.
Using services such as Dropbox and OneDrive for data exfiltration is a common tactic among advanced threat actors because it allows malicious traffic to blend seamlessly with legitimate business operations while complicating attribution efforts.
No Software Vulnerability Involved
Unlike many high-profile cybersecurity incidents, this attack was not linked to a newly disclosed software vulnerability or security flaw.
No CVE has been associated with the intrusion.
Instead, the incident highlights the growing importance of behavioral monitoring and threat detection. Traditional patching alone would not have prevented this attack, emphasizing the need for continuous visibility into privileged user activity and data movement.
Security Recommendations
Organizations that manage sensitive financial, regulatory, or market-moving information should strengthen monitoring capabilities and watch for indicators such as:
- Unexpected Outlook mailbox exports
- Unusual email access patterns
- Uploads to personal cloud storage accounts
- Unauthorized tunneling activity
- Credential dumping attempts
- Suspicious scheduled tasks masquerading as legitimate software
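Two of the indicators above, scheduled tasks that borrow a vendor's name but run a binary from outside that vendor's install path, and Outlook data files (.pst) written by a process other than Outlook, can be turned into simple heuristics over endpoint telemetry. The script below is an added example written for this article, not code from the Symantec/Carbon Black report; the event shape, the per-vendor expected paths, the assumption that only outlook.exe writes .pst files, and the sample events (task names, paths, process names) are all constructed assumptions.

```python
"""Heuristics for two indicators from the recommendations: masquerading scheduled
tasks and mailbox (.pst) exports by an unexpected process.

Added example, not from the Symantec/Carbon Black report. Event format, expected
vendor paths and the outlook.exe-only assumption are constructed for illustration.
"""


def _norm(path):
    """Lower-case and forward-slash a Windows path so prefixes compare reliably."""
    return path.replace("\\", "/").lower()


# Assumed: where a genuine task for each vendor would normally point its action.
# Matching is by normalised substring, so user-profile paths (OneDrive) work too.
EXPECTED_VENDOR_PATHS = {
    "adobe": [
        "c:/program files/adobe/",
        "c:/program files (x86)/adobe/",
        "c:/program files (x86)/common files/adobe/",
    ],
    "lenovo": ["c:/program files/lenovo/", "c:/program files (x86)/lenovo/"],
    "onedrive": [
        "/appdata/local/microsoft/onedrive/",
        "c:/program files/microsoft onedrive/",
    ],
}

# Assumed: the only process expected to create Outlook data files on these hosts.
MAILBOX_EXPORTERS = {"outlook.exe"}

# Constructed endpoint events (task registrations and file creations).
EVENTS = [
    {"type": "task_registered", "name": "Adobe Acrobat Update Task",
     "action": r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"},
    {"type": "task_registered", "name": "OneDrive Standalone Update Task",
     "action": r"C:\ProgramData\OneDrive\OneDriveUpdater.exe"},
    {"type": "task_registered", "name": "Lenovo System Update",
     "action": r"C:\Users\Public\Libraries\LenovoSvc.exe"},
    {"type": "file_created", "process": "OUTLOOK.EXE",
     "path": r"C:\Users\exec\Documents\Outlook Files\archive.pst"},
    {"type": "file_created", "process": "OneDriveUpdater.exe",
     "path": r"C:\Windows\Temp\mbx_20251112.pst"},
]


def vendor_in_name(task_name):
    """Return the vendor keyword a task name borrows, or None."""
    name = task_name.lower()
    for vendor in EXPECTED_VENDOR_PATHS:
        if vendor in name:
            return vendor
    return None


def task_is_masquerade(task_name, action_path):
    """Flag a task whose name borrows a vendor brand but whose binary lives elsewhere."""
    vendor = vendor_in_name(task_name)
    if vendor is None:
        return False
    path = _norm(action_path)
    return not any(prefix in path for prefix in EXPECTED_VENDOR_PATHS[vendor])


def pst_written_by_unexpected_process(path, process):
    """Flag creation of an Outlook data file by anything other than the expected exporter."""
    return _norm(path).endswith(".pst") and process.lower() not in MAILBOX_EXPORTERS


def scan(events):
    """Apply both heuristics and return (finding type, subject, detail) tuples."""
    findings = []
    for e in events:
        if e["type"] == "task_registered" and task_is_masquerade(e["name"], e["action"]):
            findings.append(("masquerading_task", e["name"], e["action"]))
        elif e["type"] == "file_created" and pst_written_by_unexpected_process(e["path"], e["process"]):
            findings.append(("pst_export_by_non_outlook", e["process"], e["path"]))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in scan(EVENTS):
        print(f"{kind}: {subject} -> {detail}")
```

In production these rules would sit on top of task-registration events (Windows Security event 4698 or the TaskScheduler operational log) and file-creation telemetry from an EDR or Sysmon, and the expected-path table would be built from the organisation's actual software inventory rather than hard-coded.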
Early detection of these behaviors can help identify sophisticated espionage operations before significant data loss occurs.
Conclusion
This incident demonstrates how modern threat actors can conduct long-term espionage operations by combining legitimate software components, trusted cloud services, and stealthy persistence techniques. By quietly harvesting mailbox data over several months, the attackers gained valuable intelligence while remaining hidden within normal business traffic. As cyber espionage campaigns continue to evolve, organizations must focus not only on preventing intrusions but also on detecting subtle indicators of compromise that can persist for months without triggering traditional security alerts.
