CyberSecurityNews

Stock Exchange Executive’s Outlook Account Targeted to Exfiltrate Credentials


A senior executive at a major global stock exchange had their Microsoft Outlook account silently compromised for five straight months, with attackers carefully siphoning emails in small batches to avoid detection.

The intrusion ran from October 2025 through at least March 2026 and was built around a single goal: stealing the complete contents of one person’s mailbox without raising an alarm.

It is a stark reminder of just how much sensitive intelligence sits inside a single high-ranking inbox. The attackers chose their target with clear intent. A stock exchange executive’s email holds far more than routine correspondence.

It can contain details of upcoming listings, enforcement actions, internal deliberations, calendar schedules, and market-moving events not yet made public.

Months of quiet, uninterrupted access to that kind of data gives an attacker a remarkable window into an organization’s near-term direction without ever touching any other system on the network.

Analysts from Symantec’s Threat Hunter Team, working alongside Carbon Black, identified the campaign and noted that the use of legitimate cloud infrastructure and publicly available tools made attribution to any known threat group impossible. 

Symantec said in a report shared with Cyber Security News (CSN) that the commands and objectives observed throughout the campaign are consistent with espionage as the primary motivation.

The operational discipline on display was considered notable enough to warrant a public disclosure, despite the team’s standard practice of not publishing on single-victim incidents.

What made this campaign especially difficult to catch was how the attackers blended seamlessly into normal traffic. They relied exclusively on cloud services that any legitimate user might interact with daily, hiding their activity inside the kind of network noise that rarely triggers security alerts.

Over five months, they rebuilt persistence on the victim machine multiple times, continuously adapting their techniques to keep access alive.

Stock Exchange Executive’s Outlook Account Targeted

The initial access method was never confirmed, but by October 2025 attackers had already installed two masquerading binaries on the victim’s machine, both running with SYSTEM-level privileges.

The first posed as an Adobe update service (armsvc.exe), while the second impersonated a Microsoft OneDrive component (oneservice.exe). Both ran automatically via scheduled tasks, giving attackers a reliable foothold before the main theft operation ever began.

The core tool was built around Aspose, a legitimate .NET library for reading Outlook data files. The attackers used it to convert the executive’s offline Outlook storage (OST) file into a portable format, then quietly moved the output off the machine.

The tool was deployed under three different temporary filenames (ts_9ea0.tmp, ts_e0d5.tmp, ts_e2d5.tmp), all sharing the same file hash.

Starting with emails dating back to August 2025, each extraction run picked up precisely where the last one left off, building a near-complete copy of the entire mailbox over time. (See Figure 1: Attack Chain)

Exfiltration via Legitimate Cloud Infrastructure

The stolen data was funneled out through Dropbox and OneDrive using standard command-line tools that would look entirely normal on most enterprise systems.

For Dropbox, the attackers reused the same application credentials across every session, rotating only the short-lived authorization tokens.

For OneDrive, they bypassed DNS-based filtering entirely by making requests directly to hard-coded Microsoft IP addresses, ensuring no suspicious domain lookups appeared in perimeter logs.

In late November 2025, the attackers briefly tested a third channel by uploading files to a public temporary file-hosting service called temp.sh, but abandoned it after just a few attempts.

The campaign continued evolving through March 2026, when a fresh DLL (te.host.dll) and a new masquerading binary (armdriver.exe) were deployed, confirming the attackers were still active and refining their methods until the very end.

Organizations should monitor carefully for unusual scheduled task creations that use legitimate vendor names as cover, and flag bulk file transfers originating from mail data directories.

Restricting outbound connections to cloud storage APIs and enabling behavioral alerts tied to Outlook storage file access can help surface these long-dwell espionage campaigns before significant damage is done.
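To make the monitoring advice above concrete, here is an added example (not code from the Symantec report or CSN) that applies the three checks to constructed sample events; the field names, the process name curl.exe and the file paths are assumptions, 13.107.137.11 is taken from the report's indicator list, and 192.0.2.10 is a documentation-range placeholder.

```python
# Added example (not from the Symantec report or CSN): three detection checks for
# the behaviours described above, run over constructed, simplified event records.
# Field names are assumptions; map real telemetry (Sysmon, Event ID 4698, DNS and
# connection logs) onto them before use.
from datetime import datetime, timedelta

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
MAIL_CLIENTS = {"outlook.exe"}
DNS_WINDOW = timedelta(hours=1)   # how long a DNS answer "explains" a connection

def suspicious_tasks(task_events):
    """Scheduled tasks running as SYSTEM from outside trusted install directories,
    whatever vendor-like name the binary carries."""
    return [e["task"] for e in task_events
            if e["user"].upper() == "SYSTEM"
            and not e["image"].lower().startswith(TRUSTED_DIRS)]

def ost_readers(file_events):
    """Processes other than the mail client that open Outlook OST/PST files."""
    return sorted({e["process"] for e in file_events
                   if e["path"].lower().endswith((".ost", ".pst"))
                   and e["process"].lower() not in MAIL_CLIENTS})

def dns_bypass(dns_events, conn_events):
    """Outbound connections to an IP that no DNS answer returned in the window."""
    hits = []
    for c in conn_events:
        when = datetime.fromisoformat(c["time"])
        explained = any(d["answer"] == c["dst"]
                        and timedelta(0) <= when - datetime.fromisoformat(d["time"]) <= DNS_WINDOW
                        for d in dns_events)
        if not explained:
            hits.append((c["process"], c["dst"]))
    return hits

# Constructed sample telemetry modelled on the attack chain above; curl.exe and the
# paths are assumptions, 13.107.137.11 is from the IoC list, 192.0.2.10 a placeholder.
TASKS = [
    {"task": "AdobeARMUpdate", "user": "SYSTEM", "image": r"C:\ProgramData\Adobe\armsvc.exe"},
    {"task": "OneDrive Sync", "user": "SYSTEM", "image": r"C:\Users\exec\AppData\Local\Temp\oneservice.exe"},
    {"task": "Adobe Acrobat Update Task", "user": "SYSTEM", "image": r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"},
]
FILES = [
    {"process": "outlook.exe", "path": r"C:\Users\exec\AppData\Local\Microsoft\Outlook\exec.ost"},
    {"process": "ts_9ea0.tmp", "path": r"C:\Users\exec\AppData\Local\Microsoft\Outlook\exec.ost"},
]
DNS = [{"time": "2025-11-20T09:00:00", "answer": "192.0.2.10"}]
CONNS = [
    {"time": "2025-11-20T09:01:00", "process": "curl.exe", "dst": "192.0.2.10"},
    {"time": "2025-11-20T09:02:00", "process": "curl.exe", "dst": "13.107.137.11"},
]
```

The DNS check only works if DNS query logs and connection logs share a clock and cover the same host; on a network where a forward proxy resolves names, anchor it on the proxy's logs instead.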

Indicators of Compromise (IoCs):

