Stock Exchange Executive’s Outlook Mailbox Stolen in Five-Month Espionage Campaign
Unknown attackers spent about five months inside the Microsoft Outlook mailbox of a senior executive at a major global stock exchange, slowly copying emails in small batches while routing the data through trusted cloud services. Broadcom’s Symantec and Carbon Black Threat Hunter Team said the activity appeared focused on espionage rather than quick financial theft.
The exchange, the executive, and the attackers have not been publicly named. Still, the target shows why executive email accounts remain high-value intelligence sources. One mailbox can expose negotiations, listings, enforcement matters, contacts, calendars, travel plans, and other sensitive business details.
The campaign started with signs of activity in October 2025 and remained active into March 2026. Investigators said the attackers copied the mailbox in repeated slices instead of taking everything in one noisy transfer, making the theft harder to spot with standard security tools.
How the Outlook mailbox theft worked
The first recorded malicious activity appeared on Oct. 10, 2025, according to the Security.com analysis. By then, two disguised binaries were already running with SYSTEM privileges on the compromised machine. One posed as an Adobe update service, while another impersonated a OneDrive-related component.
The main collection phase began on Nov. 12, 2025. The attackers used a Dropbox API token for cloud uploads and deployed a mailbox stealer built around Aspose, a legitimate .NET library that can read Outlook storage files.
The tool converted the victim’s offline Outlook data into files that could be uploaded later. The first run collected emails dating back to August 2025, then later runs picked up newer messages every two to four weeks. Broadcom described the result as a near-continuous theft of the executive’s Outlook mailbox.
| Date or period | Observed activity | Why it mattered |
| --- | --- | --- |
| Oct. 10, 2025 | Malware was already running with SYSTEM privileges | The attacker had deep access before defenders observed the campaign |
| Nov. 12, 2025 | Mailbox collection and cloud exfiltration began | The first large email pull covered messages dating back to August 2025 |
| Late November 2025 | OneDrive Personal was added as a second exfiltration route | The attacker gained another trusted cloud channel |
| Feb. 17, 2026 | Last reported mailbox collection event | The theft had already produced a near-continuous copy of the mailbox |
| March 19, 2026 | New backdoor components were staged | The attackers were still attempting to maintain access |
Why the activity was hard to detect
The attackers leaned on services that many companies already allow. Dropbox handled most of the exfiltration, while OneDrive Personal appeared later as a secondary route. Reporting says the OneDrive traffic used hard-coded Microsoft IP addresses instead of the normal hostname, reducing the value of DNS-based blocking and logging.
They also tested temp.sh, a public temporary file-hosting service, but used it only briefly. The more durable pattern was cloud storage abuse combined with scheduled tasks that looked like normal vendor services. Those tasks used names tied to Adobe, Lenovo, and OneDrive to blend into the victim’s Windows environment.
Researchers did not attribute the operation to any known group. The Security.com report said the attackers used public tools and legitimate infrastructure, which left few clues that could link the campaign to a specific threat actor.
What security teams should monitor
This was not a simple phishing story, and it was not a patchable Outlook zero-day. The stronger lesson is operational: attackers can turn one executive endpoint into a long-running intelligence source if mailbox access, cloud uploads, and scheduled task changes do not receive enough scrutiny.
- Watch for newly created scheduled tasks that imitate trusted vendors such as Adobe, Lenovo, Microsoft, or OneDrive.
- Flag repeated access to Outlook OST and PST files, especially when export activity appears on executive endpoints or uses libraries such as Aspose for Outlook storage files.
- Review outbound transfers from mail, profile, and temporary directories to personal cloud APIs, including Dropbox API endpoints and OneDrive REST API traffic.
- Correlate unusual cloud uploads with endpoint alerts for credential dumping, tunneling tools, privilege escalation, and suspicious service creation.
- Apply stricter controls to executive devices, including cloud access policies, data loss prevention rules, and faster review of endpoint detection alerts.
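The monitoring points above can be expressed as a small correlation rule set. The Python script below is an added example, not code from the Symantec and Carbon Black report or from Broadcom. It runs over constructed endpoint telemetry (scheduled-task creation, mailbox file access, DNS answers and outbound connections) in a simplified event schema, flags the four behaviours the list describes, and raises severity when the same process that read an OST or PST file uploads to a cloud storage API shortly afterwards. The cloud API hostnames, trusted install directories, approved sync-client names and the 60-minute chaining window are assumptions; all IP addresses come from documentation ranges.

```python
from dataclasses import dataclass

# Tuning values: assumptions for this example, not taken from the report.
VENDOR_THEMES = ("adobe", "lenovo", "onedrive", "microsoft")
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
MAILBOX_EXTS = (".ost", ".pst")
MAIL_CLIENTS = ("outlook.exe",)
APPROVED_SYNC_CLIENTS = ("dropbox.exe", "onedrive.exe")
CLOUD_API_HOSTS = ("api.dropboxapi.com", "content.dropboxapi.com",
                   "graph.microsoft.com", "temp.sh")
CHAIN_WINDOW_MIN = 60  # minutes allowed between a mailbox read and a cloud upload


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    detail: str


def analyze(events):
    """Apply four behavioural rules plus one correlation to a list of event
    dicts. Timestamps ("t") are minutes since an arbitrary start."""
    findings = []
    resolved_ips = set()   # IPs returned by DNS answers on this host
    mailbox_reads = []     # (t, process) for OST/PST reads by non-mail clients

    for ev in sorted(events, key=lambda e: e["t"]):
        kind = ev["type"]

        if kind == "dns_query":
            resolved_ips.add(ev["ip"])

        elif kind == "task_created":
            name, image = ev["task_name"].lower(), ev["image"].lower()
            # Vendor-themed task whose binary lives outside the vendor install dirs
            if any(v in name for v in VENDOR_THEMES) and not image.startswith(TRUSTED_DIRS):
                findings.append(Finding("medium", "vendor_themed_task_untrusted_path",
                                        f"{ev['task_name']} -> {ev['image']}"))

        elif kind == "file_access":
            path, proc = ev["path"].lower(), ev["process"].lower()
            # Outlook storage file opened by something other than the mail client
            if path.endswith(MAILBOX_EXTS) and proc not in MAIL_CLIENTS:
                mailbox_reads.append((ev["t"], proc))
                findings.append(Finding("medium", "mailbox_file_access_non_mail_client",
                                        f"{proc} read {ev['path']}"))

        elif kind == "net_connect":
            proc, host, ip = ev["process"].lower(), ev.get("dest_host"), ev["dest_ip"]
            # Connection to an address no DNS answer produced: a hard-coded IP
            if ip not in resolved_ips:
                findings.append(Finding("medium", "connection_without_dns_resolution",
                                        f"{proc} -> {ip} (no DNS answer seen)"))
            # Cloud storage API reached by a process that is not an approved sync client
            if host in CLOUD_API_HOSTS and proc not in APPROVED_SYNC_CLIENTS:
                findings.append(Finding("medium", "cloud_api_upload_unapproved_process",
                                        f"{proc} -> {host}"))
                # The same process read a mailbox file shortly before: escalate
                for t_read, read_proc in mailbox_reads:
                    if read_proc == proc and 0 <= ev["t"] - t_read <= CHAIN_WINDOW_MIN:
                        findings.append(Finding("high", "mailbox_to_cloud_exfil_chain",
                                                f"{proc}: OST/PST read at t={t_read}, "
                                                f"upload to {host} at t={ev['t']}"))
                        break
    return findings


# Constructed telemetry for one executive endpoint (not real data; TEST-NET IPs).
SAMPLE_EVENTS = [
    {"t": 0, "type": "task_created", "task_name": "AdobeUpdateService",
     "image": r"C:\Users\exec\AppData\Local\Temp\adobeupd.exe"},
    {"t": 1, "type": "task_created", "task_name": "OneDrive Update Task",
     "image": r"C:\Program Files\Vendor\updater.exe"},        # benign: trusted dir
    {"t": 5, "type": "file_access", "process": "odsync.exe",
     "path": r"C:\Users\exec\AppData\Local\Microsoft\Outlook\exec@example.com.ost"},
    {"t": 6, "type": "file_access", "process": "OUTLOOK.EXE",
     "path": r"C:\Users\exec\AppData\Local\Microsoft\Outlook\exec@example.com.ost"},
    {"t": 7, "type": "dns_query", "host": "api.dropboxapi.com", "ip": "198.51.100.10"},
    {"t": 8, "type": "net_connect", "process": "odsync.exe",
     "dest_ip": "198.51.100.10", "dest_host": "api.dropboxapi.com"},
    {"t": 40, "type": "net_connect", "process": "odsync.exe",
     "dest_ip": "203.0.113.5", "dest_host": None},            # no DNS lookup preceded it
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

Run against the sample, the script reports the vendor-themed task in a temp directory, the OST read by a non-mail process, the Dropbox API upload by that same process (escalated to a high-severity chain because it followed the read within the window), and the later connection to an address no DNS answer had produced. The benign OneDrive task and Outlook's own OST access produce nothing, which is the point of matching on behaviour rather than on names alone.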
Why this matters for financial organizations
Stock exchanges, regulators, banks, and public companies hold information that can move markets before it becomes public. A senior executive’s email account can contain enough context to map upcoming decisions, counterparties, deadlines, and internal priorities.
The campaign shows why attackers may prefer patience over noisy attacks. By taking small batches over months, they reduce the chance of triggering volume-based alerts. By using trusted cloud services, they hide inside traffic that security teams may treat as normal business activity.
For financial organizations, the response should focus on behavior rather than file names alone. Vendor-themed scheduled tasks, repeated mailbox exports, cloud uploads from unusual folders, and hard-coded IP connections can all point to a quiet espionage campaign before the damage becomes complete.
FAQ
Unknown attackers compromised the Outlook mailbox of a senior executive at a major global stock exchange and copied emails in small batches over several months. The campaign appeared focused on intelligence collection.
The attackers mainly used Dropbox for exfiltration and later added OneDrive Personal as a secondary route. They also briefly tested temp.sh, but reporting suggests they did not rely on it for long.
No specific threat group has been publicly named. Researchers said attribution was difficult because the attackers used legitimate cloud services, public tools, and infrastructure that did not clearly point to one known group.
Security teams should watch for suspicious scheduled tasks, unusual OST and PST file access, cloud uploads from mail or temporary folders, hard-coded IP connections, and endpoint alerts tied to credential dumping or privilege escalation.