Unknown attackers maintained long-term access to the Outlook mailbox of a senior executive at a major global stock exchange for at least five months, quietly exfiltrating data in small batches via Dropbox and OneDrive to blend in with normal cloud traffic.
According to Symantec’s Threat Hunter Team (Carbon Black), the activity strongly suggests espionage rather than financial theft, with command patterns pointing to intelligence gathering rather than monetisation.
The executive and the exchange were not named, but the compromise is significant: such inboxes typically contain sensitive listing information, regulatory communications, deal terms, and strategic planning data.
Initial intrusion activity dates back to 10 October 2025, when attackers were already operating with SYSTEM-level privileges on the compromised machine. Two disguised binaries mimicking Adobe and OneDrive processes were used to maintain control, though the original access vector remains unknown.
By November, attackers escalated operations by extracting a Dropbox API token and deploying a mailbox-stealing tool built on the legitimate Aspose .NET library, converting Outlook data files (OST/PST) into exported archives. The inbox was first fully extracted from August 2025 onwards, followed by repeated incremental extractions every two to four weeks until February 2026.

To avoid detection, the attacker relied heavily on blending techniques: scheduled tasks disguised as legitimate software (Adobe, Lenovo, OneDrive), and exfiltration through trusted cloud services like Dropbox and OneDrive Personal. In one case, OneDrive traffic was routed directly to Microsoft IPs rather than standard domains to bypass DNS-based monitoring.
Additional tools identified in the wider intrusion set included FRPC for tunnelling, Secretsdump for credential extraction, SharpDecryptPwd for password recovery, and utilities designed to bypass Windows User Account Control. However, the report does not confirm how all tools were deployed in this specific case.
No software vulnerability (CVE) was involved, highlighting that the breach relied on persistence, credential access, and stealth rather than exploiting a patchable flaw.
Attribution remains unclear, with the use of common tooling and commercial cloud services making it difficult to link the activity to a known threat actor. Analysts note that using services like Dropbox and OneDrive for exfiltration is a known tactic to evade perimeter detection and obscure malicious traffic.
For organisations handling sensitive financial or regulatory data, the indicators to watch for include unusual Outlook mailbox exports, abnormal uploads to cloud storage services, credential dumping activity, and tunnelling behaviour originating from privileged systems.
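The blending techniques and the indicators listed above translate into a few concrete detection heuristics. The script below is an added example written for this page; it is not code from Symantec's report or from any tool named in it. It runs three checks over endpoint telemetry: scheduled tasks whose name invokes a vendor (Adobe, Lenovo, OneDrive) but whose action binary lives outside that vendor's install directories, processes other than Outlook opening OST/PST mail stores, and large HTTPS uploads to an address the host never received in a DNS answer (the "direct to IP" pattern). The event schema, the vendor directory table, the upload threshold and all sample events are constructed assumptions; the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Detection heuristics (added example, constructed telemetry) for:
 - scheduled tasks masquerading as vendor software,
 - non-Outlook processes reading OST/PST mail stores,
 - HTTPS uploads to addresses never seen in a DNS answer.
"""
import ntpath
from collections import defaultdict

# Assumption: expected install locations per vendor name. Tune for your estate.
VENDOR_DIRS = {
    "adobe": ("c:\\program files\\adobe\\",
              "c:\\program files (x86)\\adobe\\",
              "c:\\program files (x86)\\common files\\adobe\\"),
    "onedrive": ("c:\\program files\\microsoft onedrive\\",
                 "\\appdata\\local\\microsoft\\onedrive\\"),
    "lenovo": ("c:\\program files\\lenovo\\",
               "c:\\program files (x86)\\lenovo\\"),
}
MAIL_STORE_EXT = (".ost", ".pst")
UPLOAD_THRESHOLD = 1_000_000  # bytes out on a single connection (assumption)


def masquerading_task(ev):
    """Flag a task whose name claims a vendor but whose binary is elsewhere."""
    name, action = ev["task"].lower(), ev["action"].lower()
    for vendor, dirs in VENDOR_DIRS.items():
        if vendor in name and not any(d in action for d in dirs):
            return f"task {ev['task']} mimics {vendor} but runs {ev['action']}"
    return None


def mail_store_access(ev):
    """Flag any process other than outlook.exe opening an OST/PST file."""
    proc = ntpath.basename(ev["process"]).lower()
    if ev["path"].lower().endswith(MAIL_STORE_EXT) and proc != "outlook.exe":
        return f"{proc} opened mail store {ev['path']}"
    return None


def analyse(events):
    """Walk time-ordered events and return (rule, detail) findings.

    DNS answers are remembered per host so that a later connection to an IP
    that was never resolved can be flagged; the input must be in time order.
    """
    findings = []
    resolved = defaultdict(set)  # host -> IPs returned in observed DNS answers
    for ev in events:
        kind = ev["type"]
        if kind == "dns":
            resolved[ev["host"]].update(ev["answers"])
        elif kind == "task_created":
            detail = masquerading_task(ev)
            if detail:
                findings.append(("masquerading_task", detail))
        elif kind == "file_open":
            detail = mail_store_access(ev)
            if detail:
                findings.append(("mail_store_access", detail))
        elif kind == "net_connect":
            if (ev["dst_port"] == 443
                    and ev["bytes_out"] >= UPLOAD_THRESHOLD
                    and ev["dst_ip"] not in resolved[ev["host"]]):
                proc = ntpath.basename(ev["process"])
                findings.append(("direct_ip_upload",
                                 f"{proc} sent {ev['bytes_out']} bytes to "
                                 f"{ev['dst_ip']} with no prior DNS answer"))
    return findings


# Constructed sample telemetry for one host; not taken from the report.
FAKE_TOOL = "C:\\ProgramData\\AdobeCC\\acrobat_sync.exe"
SAMPLE_EVENTS = [
    {"type": "task_created", "host": "exec-laptop",
     "task": "\\Adobe\\AdobeUpdateTask", "action": FAKE_TOOL},
    {"type": "task_created", "host": "exec-laptop",
     "task": "\\Microsoft\\OneDrive Standalone Update Task",
     "action": "C:\\Users\\exec\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe"},
    {"type": "file_open", "host": "exec-laptop", "process": FAKE_TOOL,
     "path": "C:\\Users\\exec\\AppData\\Local\\Microsoft\\Outlook\\exec@example.com.ost"},
    {"type": "file_open", "host": "exec-laptop",
     "process": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "path": "C:\\Users\\exec\\AppData\\Local\\Microsoft\\Outlook\\exec@example.com.ost"},
    {"type": "dns", "host": "exec-laptop",
     "query": "api.dropboxapi.com", "answers": ["203.0.113.10"]},
    {"type": "net_connect", "host": "exec-laptop", "process": FAKE_TOOL,
     "dst_ip": "203.0.113.10", "dst_port": 443, "bytes_out": 5_000_000},
    {"type": "net_connect", "host": "exec-laptop", "process": FAKE_TOOL,
     "dst_ip": "198.51.100.7", "dst_port": 443, "bytes_out": 4_800_000},
]

if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The first upload goes to an IP that appeared in a Dropbox DNS answer, so only the second, unresolved destination is flagged; in production the DNS cache would need a retention window rather than an unbounded set, and the vendor directory table should be derived from your own software inventory rather than hard-coded.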