Attackers secretly accessed a senior executive’s Outlook mailbox at a major global stock exchange for five months, systematically copying sensitive emails and attachments. Symantec and Carbon Black’s Threat Hunter Team reported the campaign this week, noting the intrusion was focused on intelligence gathering rather than financial theft.
How the Attack Worked
The malicious activity first appeared on October 10, 2025, with attackers already running two system-level binaries on the executive’s machine. One binary disguised itself as an Adobe updater while another impersonated OneDrive. By the time security tools detected any anomaly, the intruders had achieved full system control. Symantec confirmed that initial access likely came from lateral movement off a previously compromised device elsewhere on the network.
Stealth Data Extraction Methods
The operation began in earnest on November 12, 2025, when the attacker extracted a Dropbox API token and started uploading data using curl. The primary tool was a mailbox stealer built on Aspose, a legitimate .NET library capable of reading Outlook OST and PST files. This tool converted the mailbox to PST format and saved it locally. Each execution required a password and a date range. The first run captured everything from August 2025 onward. The attacker then returned every two to four weeks, taking only the incremental data since the last extraction. This pattern continued with eight additional pulls through February 17, 2026, creating a near-continuous copy of the mailbox while keeping each batch small enough to avoid triggering security alerts. The stolen data was routed through Dropbox and OneDrive to blend in with normal cloud traffic.
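Two of the behaviours above lend themselves to simple endpoint and proxy-log detections: binaries that borrow an Adobe or OneDrive name but run from a directory those products never use, and a drip of small uploads from a command-line tool to a cloud storage API at a steady two-to-four-week cadence. The following is an added example written for this page, not code from the Symantec/Carbon Black report or from The Hacker News. It runs both checks over constructed sample telemetry. The log field names, the executable names and paths, the allow-listed install directories, the tool list and the cadence thresholds are all assumptions made for illustration; content.dropboxapi.com is the real Dropbox content-upload host, but the page does not say which endpoint the attacker used.

```python
"""Added example: two detections for the behaviours described in the report.
Not code from Symantec, Carbon Black or The Hacker News. All field names,
sample paths, allow-listed directories, tool names and thresholds are assumed."""
from datetime import datetime, timedelta

# ---- Check 1: process names that mimic a product but run from the wrong place ----
# Product name fragment -> path fragments where the genuine product is installed.
# These directories are an assumption for illustration, not a vendor-published list.
EXPECTED_PATHS = {
    "adobe": ("\\program files\\adobe\\", "\\program files (x86)\\adobe\\",
              "\\common files\\adobe\\"),
    "onedrive": ("\\microsoft\\onedrive\\",),
}

PROCESS_EVENTS = [  # constructed process-creation records
    {"time": "2025-10-10T08:02:11", "user": "SYSTEM",
     "image": "C:\\ProgramData\\AdobeUpdate\\AdobeUpdater.exe"},  # masquerade
    {"time": "2025-10-10T08:02:40", "user": "SYSTEM",
     "image": "C:\\Windows\\Temp\\OneDrive.exe"},  # masquerade
    {"time": "2025-10-10T09:15:00", "user": "jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},  # genuine
    {"time": "2025-10-10T09:16:00", "user": "jdoe",
     "image": "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"},  # genuine
]


def find_masquerading(events):
    """Return (time, image) for processes whose name claims a product that
    is not installed at the path the process runs from."""
    hits = []
    for e in events:
        path = e["image"].lower()
        name = path.rsplit("\\", 1)[-1]
        for product, fragments in EXPECTED_PATHS.items():
            if product in name and not any(f in path for f in fragments):
                hits.append((e["time"], e["image"]))
    return hits


# ---- Check 2: low-and-slow uploads from a non-browser tool to cloud storage ----
CLOUD_HOSTS = {"content.dropboxapi.com", "api.dropboxapi.com"}   # assumed watch list
NON_BROWSER_TOOLS = {"curl.exe", "powershell.exe"}                  # assumed watch list
MIN_GAP, MAX_GAP = timedelta(days=10), timedelta(days=35)           # loosely: every 2-4 weeks
MIN_EVENTS = 3

UPLOAD_EVENTS = [  # constructed proxy/EDR records: one per upload
    {"time": "2025-11-12T22:14:03", "host": "content.dropboxapi.com", "tool": "curl.exe", "bytes": 48_300_000},
    {"time": "2025-11-28T23:02:19", "host": "content.dropboxapi.com", "tool": "curl.exe", "bytes": 6_100_000},
    {"time": "2025-12-16T22:51:44", "host": "content.dropboxapi.com", "tool": "curl.exe", "bytes": 5_400_000},
    {"time": "2026-01-06T23:10:08", "host": "content.dropboxapi.com", "tool": "curl.exe", "bytes": 7_900_000},
    {"time": "2026-01-27T22:33:51", "host": "content.dropboxapi.com", "tool": "curl.exe", "bytes": 4_800_000},
    {"time": "2026-02-17T22:47:30", "host": "content.dropboxapi.com", "tool": "curl.exe", "bytes": 5_200_000},
    # ordinary browser use of the same service in the same period: must not fire
    {"time": "2025-12-01T10:00:00", "host": "content.dropboxapi.com", "tool": "chrome.exe", "bytes": 2_000_000},
    {"time": "2025-12-02T10:00:00", "host": "content.dropboxapi.com", "tool": "chrome.exe", "bytes": 1_500_000},
]


def find_periodic_uploads(events):
    """Group uploads by (tool, host) for command-line tools talking to cloud
    storage and flag any series of MIN_EVENTS or more whose consecutive gaps
    all fall inside [MIN_GAP, MAX_GAP]. A single upload is never flagged; the
    signal is the cadence, which a per-transfer size threshold would miss."""
    series = {}
    for e in events:
        tool = e["tool"].lower()
        if e["host"] in CLOUD_HOSTS and tool in NON_BROWSER_TOOLS:
            series.setdefault((tool, e["host"]), []).append(e)
    findings = []
    for (tool, host), evs in series.items():
        evs.sort(key=lambda e: e["time"])
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if len(evs) >= MIN_EVENTS and all(MIN_GAP <= g <= MAX_GAP for g in gaps):
            findings.append({
                "tool": tool, "host": host, "uploads": len(evs),
                "span_days": (times[-1] - times[0]).days,
                "total_bytes": sum(e["bytes"] for e in evs),
            })
    return findings


if __name__ == "__main__":
    for when, image in find_masquerading(PROCESS_EVENTS):
        print(f"masquerade: {when} {image}")
    for f in find_periodic_uploads(UPLOAD_EVENTS):
        print(f"periodic exfil: {f}")
```

The masquerade check deliberately matches on the file name rather than a hash, because the report gives no indicators and the point is that a product name in an unexpected directory is suspicious on its own. The cadence check is the interesting one for this case: each individual upload is small enough to sit under a size-based alert, so the detector reasons about the series, not the transfer. On real telemetry the two checks would be joined on host name and time so that the uploading process can be tied back to the masquerading binaries.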
Impact and Scope
The executive’s inbox contained non-public listing details, enforcement matters, deal terms, and market-moving plans, along with calendar entries and contacts. Five months of quiet access gave the attacker deep insight into the executive’s dealings and the organization’s strategic direction without needing broader access to other business systems. Neither the executive nor the exchange has been publicly identified. The attackers remain unknown, and the initial compromise vector has not been determined.
Source: The Hacker News

