Cyber espionage campaign targeted stock exchange executive’s Outlook account

Attackers spent five months silently stealing emails from a stock exchange executive’s Outlook account in a suspected espionage operation.
A threat actor quietly sat inside a senior executive’s Outlook account at a major global stock exchange for roughly 150 days, from October 2025 to March 2026.

Broadcom’s Symantec and Carbon Black threat-hunting team investigated the incident and published their findings this week. They don’t name the exchange, and they don’t attribute the attack to any known threat actor.
By quietly monitoring the mailbox, attackers could collect sensitive information on negotiations, internal discussions, calendars, contacts, travel plans, and potentially market-moving events. Researchers highlighted the case because it shows how a single compromised executive account can provide a detailed picture of an organization’s activities without attackers needing to move elsewhere on the network.
“For an espionage actor, a senior executive’s mailbox is a high-value intelligence target. An Outlook profile may yield details of external negotiations, internal deliberations, the executive’s calendar, travel pattern, and their contacts,” reads the report published by Broadcom’s Symantec. “Organizations such as exchanges and regulators may hold non-public information about listings, enforcement actions and market-moving events. Months of unfettered access to that mailbox lets an attacker build a near-complete picture of the target’s working life and the organization’s near-term direction without ever having to move laterally elsewhere on the network.”
According to the researchers, the attackers are not financially motivated; the compromise is part of an intelligence operation.
The first signs of malicious activity appeared on October 10, 2025, though how the attacker got in initially remains unknown. At that point, two malicious binaries were already running on the host with SYSTEM-level privileges, disguised as Adobe Acrobat and OneDrive processes. The attacker had already done the hard part before anyone was watching.
The operation turned active on November 12, when command-and-control channels came online and data started moving. The tool at the center of everything was a wrapper around Aspose, a legitimate commercial .NET library that can parse Outlook mailbox files. The attacker used it to convert the executive’s OST file into a PST archive and push it out in dated chunks, each covering a window of a few weeks.
“Eight further OST-extraction runs followed at roughly two-to-four-week intervals through to February 17, 2026, each time with a -t window that adjoined the previous one,” continues the report. “The cumulative effect over the five months observed is a complete, near-continuous theft of the user’s Outlook mailbox, broken into incremental archives small enough not to draw attention from security software.”
Exfiltration went through Dropbox and OneDrive Personal to avoid raising suspicion. Both are services that appear in normal corporate traffic every day. The attacker also hardcoded Microsoft IP addresses instead of hostnames for OneDrive calls, which neatly bypasses DNS-based logging. That’s not a rookie move.
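The hardcoded-IP trick leaves a gap a defender can pivot on: a connection to a cloud range that no recent DNS answer on that host explains. The script below is an added example written for this article, not code from the report or from Symantec; the DNS and connection logs are constructed sample lines in a simple key=value layout, and the watched range (TEST-NET-3) and the one-hour maximum resolution age are assumptions standing in for a real allowlist and the cache TTL seen in your environment.

```python
"""Flag outbound connections to watched cloud ranges that no DNS answer explains.

The two logs below are constructed sample lines in a simple 'timestamp host
key=value...' layout, not output of any real sensor. Hardcoding an IP instead of a
hostname leaves no DNS record for the connection, so the detection pivots on that
absence.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

DNS_LOG = """\
2026-01-05T09:00:01Z EXEC-LAPTOP query=onedrive.live.com answer=203.0.113.10
2026-01-05T09:00:02Z EXEC-LAPTOP query=www.dropbox.com answer=203.0.113.50
2026-01-05T09:03:00Z HR-DESKTOP query=outlook.office365.com answer=203.0.113.20
"""

CONN_LOG = """\
2026-01-05T09:00:03Z EXEC-LAPTOP proc=OneDrive.exe dst=203.0.113.10:443
2026-01-05T09:00:05Z EXEC-LAPTOP proc=AdobeARM.exe dst=203.0.113.77:443
2026-01-05T09:03:01Z HR-DESKTOP proc=OUTLOOK.EXE dst=203.0.113.20:443
2026-01-05T12:00:00Z EXEC-LAPTOP proc=OneDrive.exe dst=203.0.113.10:443
"""

# Assumed allowlist of cloud ranges where direct-IP use deserves a look. TEST-NET-3
# (203.0.113.0/24) is a constructed stand-in here, not a real Microsoft range.
WATCHED_RANGES = [ip_network("203.0.113.0/24")]
# Assumed: a resolution older than this no longer "explains" a connection.
MAX_DNS_AGE = timedelta(hours=1)


def parse_line(line):
    """Split 'timestamp host k=v k=v' into (datetime, host, {k: v})."""
    ts, host, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), host, kv


def load_dns(text):
    """Index DNS answers as (host, answer_ip) -> list of resolution times."""
    resolved = defaultdict(list)
    for line in text.splitlines():
        ts, host, kv = parse_line(line)
        resolved[(host, kv["answer"])].append(ts)
    return resolved


def find_unresolved_connections(dns_text, conn_text):
    """Return connections into WATCHED_RANGES with no fresh DNS answer behind them."""
    resolved = load_dns(dns_text)
    hits = []
    for line in conn_text.splitlines():
        ts, host, kv = parse_line(line)
        ip_str, _port = kv["dst"].rsplit(":", 1)
        if not any(ip_address(ip_str) in net for net in WATCHED_RANGES):
            continue  # outside the ranges we care about
        explained = any(
            timedelta(0) <= ts - rts <= MAX_DNS_AGE
            for rts in resolved.get((host, ip_str), [])
        )
        if not explained:
            hits.append({"time": ts.isoformat(), "host": host,
                         "proc": kv["proc"], "dst": ip_str})
    return hits


if __name__ == "__main__":
    for hit in find_unresolved_connections(DNS_LOG, CONN_LOG):
        print(f"{hit['time']} {hit['host']} {hit['proc']} -> {hit['dst']} "
              "(no matching DNS answer)")
```

On the sample data two connections surface: the `AdobeARM.exe` call to an address the host never resolved, and a later `OneDrive.exe` call that reuses an answer three hours old. The second hit is the false-positive edge of this rule: a client-side resolver cache can legitimately reuse an answer, so the maximum age has to be tuned to the cache behaviour observed in the environment, and the whole approach is only as good as the completeness of DNS logging on the endpoint.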
Persistence was a constant concern. The attacker re-registered scheduled tasks every few weeks under names mimicking Adobe, Lenovo, and OneDrive services. The task intervals rotated between 5-minute, 5-hour, 15-hour, and 24-hour windows. Each new registration overwrote the previous one, keeping the footprint minimal. On February 27, a new binary appeared masquerading as the OneDrive sync service; on March 19, another disguised as an Adobe driver component. The attacker kept refreshing their grip on the machine all the way to the end.
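Two things in that persistence pattern are observable from scheduled-task audit events: a vendor-sounding task name whose action runs from somewhere a real vendor service would not live, and the same task being re-registered repeatedly with a changing trigger interval. The review script below is an added example for this article, not code from the report or from Symantec; the events are constructed sample lines loosely modelled on the fields of a Windows "scheduled task created" record, and the vendor keyword list and expected-directory allowlist are assumptions to be adapted to the estate being monitored.

```python
"""Review scheduled-task creation events for vendor-lookalike names and churn.

The events below are constructed sample lines in a flat key=value layout, loosely
modelled on the fields a Windows "scheduled task created" audit record carries
(task name, action command, trigger interval as an ISO 8601 duration). They are
not telemetry from the incident described above.
"""
import re
from collections import defaultdict

TASK_EVENTS = r"""
2025-11-12T08:14:00Z host=EXEC-LAPTOP task=\AdobeAcrobatUpdater cmd=C:\ProgramData\Adobe\acrobat.exe interval=PT5M
2025-11-12T08:20:00Z host=EXEC-LAPTOP task=\Microsoft\Windows\Defrag\ScheduledDefrag cmd=C:\Windows\system32\defrag.exe interval=P7D
2025-12-03T22:41:00Z host=EXEC-LAPTOP task=\AdobeAcrobatUpdater cmd=C:\ProgramData\Adobe\acrobat.exe interval=PT5H
2025-12-28T01:05:00Z host=EXEC-LAPTOP task=\LenovoSystemUpdate cmd=C:\Users\exec\AppData\Local\Temp\lsu.exe interval=PT15H
2026-01-20T03:30:00Z host=EXEC-LAPTOP task=\AdobeAcrobatUpdater cmd=C:\ProgramData\Adobe\acrobat.exe interval=P1D
2026-01-21T09:00:00Z host=HR-DESKTOP task=\OneDriveStandaloneUpdate cmd=C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe interval=P1D
"""

# cmd may contain spaces, so parse with a regex rather than str.split().
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) task=(?P<task>\S+) "
    r"cmd=(?P<cmd>.+?) interval=(?P<interval>\S+)$"
)

# Assumed: vendor names the report says were mimicked, and the directories a
# genuine vendor service binary would normally be installed under.
VENDOR_WORDS = ("adobe", "lenovo", "onedrive")
EXPECTED_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")


def parse_events(text):
    """Parse the flat event lines into dicts; fail loudly on a malformed line."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unparseable event: {line!r}")
        events.append(m.groupdict())
    return events


def looks_like_vendor(task_name):
    name = task_name.lower()
    return any(word in name for word in VENDOR_WORDS)


def in_expected_dir(cmd):
    path = cmd.lower().strip('"')
    return any(path.startswith(d) for d in EXPECTED_DIRS)


def analyze_task_events(text):
    """Return vendor-lookalike tasks running from odd paths, and tasks whose
    trigger interval changed across repeated registrations."""
    masquerade = set()
    intervals = defaultdict(list)  # (host, task) -> intervals in registration order
    for ev in parse_events(text):
        intervals[(ev["host"], ev["task"])].append(ev["interval"])
        if looks_like_vendor(ev["task"]) and not in_expected_dir(ev["cmd"]):
            masquerade.add((ev["host"], ev["task"], ev["cmd"]))
    churn = [
        (host, task, seen)
        for (host, task), seen in intervals.items()
        if len(seen) >= 2 and len(set(seen)) >= 2
    ]
    return {"masquerade": sorted(masquerade), "churn": churn}


if __name__ == "__main__":
    result = analyze_task_events(TASK_EVENTS)
    for host, task, cmd in result["masquerade"]:
        print(f"[lookalike] {host} {task} runs {cmd}")
    for host, task, seen in result["churn"]:
        print(f"[churn] {host} {task} re-registered with intervals {seen}")
```

On the sample the genuine OneDrive updater under Program Files passes, the built-in defrag task passes, and the two tasks running from ProgramData and a user Temp directory are reported as lookalikes; the Adobe-named task is additionally reported for churn because it was registered three times with intervals of five minutes, five hours and one day. In practice the interval check should also compare the action path across registrations, and the allowlist will need per-vendor paths for software installed outside Program Files.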
The identity of whoever is behind this stays unknown. The use of public tools, cloud infrastructure for both C2 and exfiltration, and no reuse of infrastructure tied to known groups all make attribution very difficult. What’s clear is that the operation was tightly scoped, technically disciplined, and almost certainly state-linked given the target and the patience involved.
Symantec and Carbon Black have published the full list of indicators of compromise, including file hashes for the mailbox stealer and the various masquerading executables, at security.com. If you run endpoint detection for a financial institution, regulator, or anyone else sitting on market-sensitive information, those hashes are worth feeding into your tooling today.
“The attackers’ focus throughout was on a single objective: long-term, incremental theft of the contents of a single Outlook mailbox, exfiltrated through Dropbox and OneDrive Personal in small batches over a period of five months to avoid raising suspicions or triggering alerts on the system,” concludes the report. “This was a tightly focused and highly targeted campaign, with five months being a significant dwell time for an attacker. It is notable to see the different techniques and approaches used by the attacker in order to stay under the radar and maintain persistent access.”
Pierluigi Paganini
(SecurityAffairs – hacking, newsletter)

