Unknown attackers maintained prolonged access to the Outlook mailbox of a senior executive at a major global stock exchange for a period of at least five months, conducting a slow and controlled exfiltration of sensitive email data through cloud storage services. The operation, documented by Symantec and Carbon Black’s Threat Hunter Team, involved copying mailbox content in small batches and routing it through Dropbox and OneDrive to blend malicious traffic with legitimate cloud activity. Security researchers assess the activity as cyber espionage rather than financial theft, based on command patterns that indicate intelligence gathering and structured monitoring of communications rather than immediate monetization.
The intrusion reportedly began on October 10, 2025, when malicious activity was detected on a system already compromised with elevated SYSTEM-level privileges. At that stage, attackers were operating two binaries disguised as legitimate software components, one impersonating an Adobe updater and another mimicking OneDrive. By the time defenders identified the activity, the attackers had already established full control of the endpoint, although the initial entry vector remains unknown. Symantec’s analysis suggests that the attackers likely expanded access through lateral movement from a previously compromised device, allowing them to reach the executive’s workstation and maintain persistent access without triggering immediate detection.
On November 12, the attackers escalated their operation by retrieving a Dropbox API token and initiating structured data uploads using curl commands. They deployed a mailbox extraction tool built on Aspose, a legitimate .NET library designed for reading Outlook OST and PST files. The tool was wrapped in an executable that converted mailbox data into PST format and saved it locally before exfiltration. Each execution was carefully controlled using password parameters and date range flags, allowing attackers to repeatedly extract only new email data over time. The initial extraction captured emails from August 2025 onward, followed by repeated accesses every two to four weeks until February 17, 2026, ensuring continuous surveillance of the executive’s communications without raising significant alarms.
To maintain stealth, the attackers relied heavily on disguising malicious activity as legitimate system behavior. Scheduled tasks were configured to impersonate trusted applications such as Adobe, Lenovo, and OneDrive system services. For data exfiltration, Dropbox and OneDrive Personal accounts were used as outbound channels, making malicious traffic appear as normal cloud synchronization activity. In one instance, OneDrive connections were routed through hard-coded Microsoft IP addresses instead of standard OneDrive domain resolution, effectively bypassing DNS-based monitoring tools. The attackers also briefly tested the file-sharing platform temp.sh before abandoning it. The final recorded activity occurred on March 19, 2026, when a new backdoor was staged but not executed, which analysts suggest may indicate loss of access or disruption of attacker infrastructure.
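Two of the evasion patterns described above lend themselves to simple correlation checks: outbound connections to cloud storage IPs that never appeared in a DNS answer (the hard-coded-IP OneDrive uploads), and vendor-named scheduled tasks whose binary runs from outside that vendor's install directories. The following is an added illustration, not code from the Symantec report; the log lines, task entries and vendor directory prefixes are constructed and should be replaced with the environment's own baseline.

```python
"""Detection checks for direct-to-IP cloud uploads and vendor-impersonating
scheduled tasks. All sample data below is constructed for illustration."""
from datetime import datetime, timedelta

# Constructed DNS answers: (time, hostname, answered IP)
DNS_LOG = [
    ("2026-01-12 09:00:01", "onedrive.live.com", "203.0.113.10"),
    ("2026-01-12 09:00:05", "api.dropboxapi.com", "198.51.100.7"),
]
# Constructed outbound connections: (time, process, dest IP, dest port)
CONN_LOG = [
    ("2026-01-12 09:00:02", "OneDrive.exe", "203.0.113.10", 443),     # resolved
    ("2026-01-12 09:00:06", "curl.exe", "198.51.100.7", 443),         # resolved
    ("2026-01-12 09:14:30", "OneDriveSvc.exe", "203.0.113.44", 443),  # no DNS
]
# Constructed scheduled tasks: (task name, action path)
SAMPLE_TASKS = [
    ("Adobe Acrobat Update Task", r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"),
    ("OneDrive Update Task", r"C:\Users\exec\AppData\Roaming\svc\OneDriveSvc.exe"),
]
# Assumed (illustrative) install-directory prefixes per vendor, lower-cased.
VENDOR_PATHS = {
    "adobe": ("\\program files\\adobe\\", "\\program files (x86)\\adobe\\",
              "\\common files\\adobe\\"),
    "onedrive": ("\\program files\\microsoft onedrive\\",
                 "\\appdata\\local\\microsoft\\onedrive\\"),
    "lenovo": ("\\program files\\lenovo\\", "\\program files (x86)\\lenovo\\"),
}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def unresolved_connections(dns_log, conn_log, window=timedelta(minutes=10)):
    """Return connections whose destination IP was not returned by any DNS
    answer within `window` before the connection (hard-coded-IP traffic)."""
    answers = [(_ts(t), ip) for t, _host, ip in dns_log]
    flagged = []
    for t, proc, ip, port in conn_log:
        ct = _ts(t)
        if not any(a_ip == ip and ct - window <= a_t <= ct for a_t, a_ip in answers):
            flagged.append({"time": t, "process": proc, "ip": ip, "port": port})
    return flagged

def impersonating_tasks(tasks):
    """Flag tasks whose name carries a vendor brand but whose action path lies
    outside that vendor's expected directories."""
    hits = []
    for name, path in tasks:
        low_name, low_path = name.lower(), path.lower()
        for vendor, prefixes in VENDOR_PATHS.items():
            if vendor in low_name and not any(p in low_path for p in prefixes):
                hits.append((name, path))
    return hits
```

Both functions feed directly from the kind of EDR and DNS telemetry most estates already collect; the task check only makes sense once the vendor prefixes reflect the organisation's real software baseline.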
Symantec’s findings also highlight the presence of a broader intrusion toolkit beyond mailbox extraction, including FRPC for traffic tunneling, Secretsdump for extracting Windows credentials, SharpDecryptPwd for recovering stored application passwords, and tools capable of bypassing Windows User Account Control protections. While the report does not confirm how each tool was deployed in this specific case, their presence suggests a well-equipped operator capable of multi-stage compromise and credential harvesting. Researchers noted that no software vulnerability or CVE was involved in the breach, reinforcing that the intrusion was driven by access abuse and persistence rather than exploitation of a newly disclosed flaw. Attribution remains unresolved due to the use of public tools and consumer cloud services, a tactic commonly used to obscure origin and complicate forensic tracing in high-value espionage operations targeting financial institutions and exchange executives.