Stock Exchange Executive’s Outlook Account Breached for Five Months

A senior executive at a major global stock exchange had their Microsoft Outlook account compromised for five months, with attackers exfiltrating emails in small batches to avoid detection. The intrusion, spanning from October 2025 to at least March 2026, aimed to steal the complete contents of the executive’s mailbox without raising alarms.

This incident underscores the sensitivity of high-ranking officials’ inboxes, which often contain details about upcoming listings, enforcement actions, internal deliberations, and market-moving events. Prolonged access to such information provides attackers with significant insights into an organization’s operations without needing to breach other systems.

Analysts from Symantec’s Threat Hunter Team, in collaboration with Carbon Black, identified the campaign. They noted that the use of legitimate cloud infrastructure and publicly available tools made it challenging to attribute the attack to any known threat group. Symantec reported that the observed commands and objectives suggest espionage as the primary motivation. The operational discipline displayed was significant enough to warrant public disclosure, despite the team’s usual practice of not publishing single-victim incidents.

The attackers blended seamlessly into normal traffic by relying exclusively on cloud services commonly used by legitimate users, making their activities difficult to detect. Over five months, they repeatedly reestablished persistence on the victim’s machine, continuously adapting their techniques to maintain access.

While the initial access method remains unconfirmed, by October 2025, attackers had installed two masquerading binaries on the victim’s machine, both running with SYSTEM-level privileges. The first posed as an Adobe update service (armsvc.exe), and the second impersonated a Microsoft OneDrive component (oneservice.exe). Both were set to run automatically via scheduled tasks, providing a reliable foothold before the main data theft began.

The core tool was built on Aspose, a legitimate .NET library for reading Outlook data files. Attackers used it to convert the executive’s offline Outlook storage file into a portable format, then quietly moved the output off the machine. The tool was deployed under three different temporary filenames (ts_9ea0.tmp, ts_e0d5.tmp, ts_e2d5.tmp), all sharing the same file hash. Starting with emails dating back to August 2025, each extraction run picked up where the last left off, gradually building a near-complete copy of the entire mailbox.
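A detection-side illustration of the two behaviours described above (scheduled tasks running as SYSTEM whose binary sits outside normal install directories, and one payload hash reappearing under several temporary filenames). This is an added example, not code from Symantec, Carbon Black or the report; the event records, task names, paths and hash values are constructed placeholders in the shape an EDR or Sysmon-style feed would provide.

```python
import re
from collections import defaultdict

# Constructed sample events (placeholders, not data from the report).
TASK_EVENTS = [
    {"task": "\\Adobe ARM", "image": "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\armsvc.exe", "user": "SYSTEM"},
    {"task": "\\AdobeUpdate", "image": "C:\\ProgramData\\Adobe\\armsvc.exe", "user": "SYSTEM"},
    {"task": "\\OneDrive Svc", "image": "C:\\Users\\Public\\oneservice.exe", "user": "SYSTEM"},
    {"task": "\\Backup", "image": "C:\\Windows\\System32\\wbadmin.exe", "user": "SYSTEM"},
]
FILE_EVENTS = [
    {"path": "C:\\Users\\exec\\AppData\\Local\\Temp\\ts_9ea0.tmp", "sha256": "HASH_A"},
    {"path": "C:\\Users\\exec\\AppData\\Local\\Temp\\ts_e0d5.tmp", "sha256": "HASH_A"},
    {"path": "C:\\Users\\exec\\AppData\\Local\\Temp\\ts_e2d5.tmp", "sha256": "HASH_A"},
    {"path": "C:\\Users\\exec\\AppData\\Local\\Temp\\tmp1234.tmp", "sha256": "HASH_B"},
]

# Directories where a SYSTEM-level service binary is normally installed
# (assumed baseline; tune to the environment).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def suspicious_system_tasks(events):
    """Scheduled tasks running as SYSTEM whose binary lives outside the trusted roots.

    A name like armsvc.exe is only reassuring when it runs from its vendor's
    install path; the same name under ProgramData or a user profile is not."""
    hits = []
    for e in events:
        if e["user"].upper() != "SYSTEM":
            continue
        if not e["image"].lower().startswith(TRUSTED_ROOTS):
            hits.append((e["task"], e["image"]))
    return hits


def reused_tmp_payloads(events, min_names=2):
    """Hashes that appear under several distinct *.tmp filenames.

    Rotating the filename of an unchanged tool leaves the hash constant, so
    grouping by hash across names exposes the redeployments."""
    names = defaultdict(set)
    for e in events:
        fname = e["path"].rsplit("\\", 1)[-1]
        if re.fullmatch(r".*\.tmp", fname, re.I):
            names[e["sha256"]].add(fname)
    return {h: sorted(n) for h, n in names.items() if len(n) >= min_names}
```

Both checks are cheap enough to run continuously over task-registration and file-creation telemetry; the first legitimate entry in each list is included to show that the rules do not fire on a vendor-installed binary or a lone temp file.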

The stolen data was exfiltrated through Dropbox and OneDrive using standard command-line tools that would not typically raise suspicion. This method of using legitimate cloud services for data exfiltration highlights the evolving tactics of cyber attackers, who increasingly leverage trusted platforms to mask their activities.

According to Cyber Security News, this incident serves as a stark reminder of the critical need for robust security measures, especially for high-level executives whose communications can be of immense value to cybercriminals. Organizations must implement advanced monitoring and anomaly detection systems to identify and respond to such sophisticated threats promptly.

Source: Cyber Security News