Stealthy Espionage: Global Stock Exchange Executive's Outlook Mailbox Compromised for Five Months
A sophisticated, five-month-long espionage campaign targeted the Outlook mailbox of a senior executive at a major global stock exchange. Attackers quietly exfiltrated sensitive communications in small, continuous batches, leveraging legitimate cloud services like **Dropbox** and **OneDrive** to evade detection. This operation highlights a focus on intelligence gathering rather than financial gain, posing a significant challenge to traditional security defenses.
Cybersecurity researchers have uncovered a persistent espionage campaign that saw unknown attackers maintain access to a senior stock exchange executive's **Outlook** mailbox for at least five months. The breach, detailed by **Symantec** and **Carbon Black**'s Threat Hunter Team, involved the stealthy exfiltration of the executive's entire inbox, routed through consumer cloud services to mask malicious activity.
### Covert Data Exfiltration
The attackers meticulously copied the mailbox content in small, repeated batches, ensuring the traffic blended seamlessly with normal cloud operations. This method, combined with the use of legitimate services like **Dropbox** and **OneDrive**, underscores a deliberate effort to remain undetected and complicate attribution. The nature of the compromised data (potentially including non-public listing details, enforcement matters, deal terms, and market-moving plans) strongly suggests an intelligence-gathering objective over financial theft.
### Deep-Seated Access and Unclear Origins
The initial malicious activity was observed on October 10, 2025, by which point the attackers had already achieved SYSTEM-level privileges on the executive's machine. They deployed binaries disguised as **Adobe**'s updater and **OneDrive**, indicating a deep compromise. While the initial point of entry remains unknown, **Symantec** suggests it likely stemmed from lateral movement within the network, originating from a previously compromised device.
The operation escalated on November 12, with the attackers obtaining a **Dropbox** API token and beginning data uploads via `curl`. Their primary tool for exfiltration was a custom mailbox stealer built on **Aspose**, a legitimate .NET library used for reading **Outlook** OST and PST files. This tool was run periodically, extracting new email data in specific date ranges, ensuring a near-continuous, yet discreet, copy of the mailbox.
### Evasive Tactics and Tooling
To maintain stealth, the attackers configured scheduled tasks to mimic legitimate system services from **Adobe**, **Lenovo**, and **OneDrive**. For **OneDrive** exfiltration, they connected directly to hard-coded **Microsoft** IP addresses, bypassing DNS lookups that perimeter tools might monitor or block. While they briefly tested the public file host `temp.sh`, they abandoned it for the more covert cloud services.
Further analysis of the intrusion revealed a broader toolkit, including **FRPC** for tunneling traffic, **Secretsdump** for extracting Windows credentials, **SharpDecryptPwd** for recovering saved application passwords, and a tool to bypass Windows User Account Control (UAC). The use of public tooling and consumer cloud services has, so far, prevented definitive attribution to a specific threat actor group.
### Beyond Patches: The Monitoring Imperative
This incident is particularly noteworthy because it did not involve the exploitation of a newly disclosed vulnerability or a **CVE**. Instead, it was a targeted intrusion against a person's mailbox, emphasizing that traditional patching alone cannot mitigate such threats. The burden of defense shifts squarely to robust monitoring and rapid response capabilities.
For IT security professionals protecting organizations with market-moving information (such as exchanges, regulators, or financial firms), vigilance is paramount. Key indicators of compromise include unusual mailbox export activity, suspicious **Outlook** access patterns, uploads to personal **Dropbox** or **OneDrive** accounts, unexpected tunneling, and credential-dumping on systems used by privileged users. Proactive monitoring for these behaviors is crucial to detect and thwart similar sophisticated espionage attempts.
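The behaviours called out above and in the tooling section (scheduled tasks named after **Adobe**, **Lenovo** or **OneDrive** but running from odd locations, outbound connections to hard-coded IPs with no preceding DNS lookup, `curl` uploads to consumer cloud endpoints, and mailbox files being read by something other than Outlook) translate fairly directly into hunting rules. The following is an added example and not code from the **Symantec**/**Carbon Black** report: the event schema, the trusted-directory allow-list, the cloud domain list and every sample log line are constructed for illustration, and the IP addresses are RFC 5737 documentation ranges, not addresses from the incident.

```python
"""Hunting rules for the indicators described in the article.

Added example, not part of the Symantec/Carbon Black report. The event
schema and all sample events are constructed; real telemetry (Sysmon, EDR,
proxy logs) needs a small mapping layer to produce these dicts.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse

# Vendor names the attackers imitated in task and binary names.
MASQUERADE_VENDORS = ("adobe", "onedrive", "lenovo")

# Where a genuine vendor updater normally lives (simplified allow-list,
# an assumption of this example, matched as a substring of the lowercased path).
TRUSTED_IMAGE_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
    "\\appdata\\local\\microsoft\\onedrive\\",
)

# Consumer cloud endpoints worth reviewing when driven by a command-line client.
CLOUD_UPLOAD_DOMAINS = ("dropboxapi.com", "dropbox.com", "onedrive.live.com", "1drv.ms")

MAILBOX_EXTENSIONS = (".ost", ".pst")
MAILBOX_READERS = {"outlook.exe"}

# Explicit internal ranges (rather than ipaddress.is_private, which also
# treats the documentation ranges used in the sample as private).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def _image_is_trusted(image):
    lowered = image.lower()
    return any(prefix in lowered for prefix in TRUSTED_IMAGE_PREFIXES)


def analyze(events):
    """Run the four rules over normalised events; return a list of findings."""
    findings = []
    resolved = defaultdict(set)  # host -> IPs seen in DNS answers on that host

    for ev in events:
        kind, host = ev["type"], ev["host"]

        if kind == "dns":
            resolved[host].update(ev["answers"])

        elif kind == "net_connect":
            # Web traffic to a public IP the host never resolved: hard-coded endpoint.
            ip = ipaddress.ip_address(ev["dst_ip"])
            if ev["dst_port"] in (80, 443) and not _is_internal(ip) \
                    and ev["dst_ip"] not in resolved[host]:
                findings.append({"rule": "connect_without_dns", "host": host,
                                 "detail": f'{ev["process"]} -> {ev["dst_ip"]}:{ev["dst_port"]}'})

        elif kind == "task_create":
            # Vendor-looking task name whose binary is outside vendor directories.
            name = ev["task"].lower()
            if any(v in name for v in MASQUERADE_VENDORS) and not _image_is_trusted(ev["image"]):
                findings.append({"rule": "masquerading_task", "host": host,
                                 "detail": f'{ev["task"]} runs {ev["image"]}'})

        elif kind == "http":
            # curl pushing data to a consumer cloud service.
            domain = urlparse(ev["url"]).hostname or ""
            if ev["process"].lower() in ("curl.exe", "curl") and ev["method"] in ("POST", "PUT") \
                    and any(domain == d or domain.endswith("." + d) for d in CLOUD_UPLOAD_DOMAINS):
                findings.append({"rule": "cli_cloud_upload", "host": host,
                                 "detail": f'{ev["process"]} {ev["method"]} {domain} ({ev["bytes_out"]} bytes)'})

        elif kind == "file_read":
            # Outlook data files opened by something that is not Outlook.
            if ev["path"].lower().endswith(MAILBOX_EXTENSIONS) \
                    and ev["process"].lower() not in MAILBOX_READERS:
                findings.append({"rule": "mailbox_file_read", "host": host,
                                 "detail": f'{ev["process"]} read {ev["path"]}'})
    return findings


# Constructed sample telemetry from one workstation, "ws1".
SAMPLE_EVENTS = [
    {"type": "dns", "host": "ws1", "query": "login.microsoftonline.com", "answers": ["203.0.113.10"]},
    {"type": "net_connect", "host": "ws1", "process": "svchost.exe", "dst_ip": "203.0.113.10", "dst_port": 443},
    {"type": "net_connect", "host": "ws1", "process": "OneDriveUpd.exe", "dst_ip": "198.51.100.7", "dst_port": 443},
    {"type": "net_connect", "host": "ws1", "process": "System", "dst_ip": "10.0.0.5", "dst_port": 445},
    {"type": "task_create", "host": "ws1", "task": "\\Adobe Acrobat Update Task",
     "image": "C:\\Users\\exec\\AppData\\Roaming\\AdobeARM.exe"},
    {"type": "task_create", "host": "ws1", "task": "\\Microsoft\\OneDrive\\OneDrive Standalone Update Task",
     "image": "C:\\Users\\exec\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe"},
    {"type": "http", "host": "ws1", "process": "curl.exe", "method": "POST",
     "url": "https://content.dropboxapi.com/2/files/upload", "bytes_out": 900000},
    {"type": "file_read", "host": "ws1", "process": "OneDriveUpd.exe",
     "path": "C:\\Users\\exec\\AppData\\Local\\Microsoft\\Outlook\\exec@example.com.ost"},
    {"type": "file_read", "host": "ws1", "process": "OUTLOOK.EXE",
     "path": "C:\\Users\\exec\\AppData\\Local\\Microsoft\\Outlook\\exec@example.com.ost"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f'[{f["rule"]}] {f["host"]}: {f["detail"]}')
```

Each rule is a coarse heuristic with an obvious tuning knob: the `connect_without_dns` rule needs the DNS and connection feeds correlated per host and will miss a lookup done from a DNS cache, and the trusted-directory allow-list must be adapted to the deployed software. The value is in alerting on the combination: a vendor-named task from a user profile directory, reading `.ost` files and pushing data to a cloud API, is exactly the pattern the report describes.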