Cyber Espionage Attack: Five-Month Compromise of Stock Exchange Executive’s Outlook Mailbox via Covert Cloud Exfiltration

Executive Summary

Between October 2025 and March 2026, a sophisticated cyber espionage operation targeted a senior executive at a major global stock exchange, resulting in the compromise of the executive’s entire Outlook mailbox for approximately 150 days. The attackers maintained persistent, covert access, exfiltrating sensitive data in small, incremental batches using legitimate cloud storage services. The operation was discovered and analyzed by the Symantec and Carbon Black threat-hunting teams, who published technical indicators and a detailed timeline. The initial access vector remains unknown, and no specific vulnerability or exploit has been identified. The attackers demonstrated advanced operational security, using malware disguised as Adobe and OneDrive processes, scheduled task persistence, and cloud-based exfiltration to evade detection. The breach exposed highly sensitive, non-public information, including internal deliberations, negotiations, calendars, contacts, and potentially market-moving events. There is no evidence of lateral movement or broader network compromise, indicating a tightly scoped, intelligence-driven campaign. Attribution remains unconfirmed, but the operation’s discipline and patience suggest a state-linked actor. All technical findings are corroborated by multiple independent sources.

Technical Information

The incident involved a prolonged compromise of a senior executive’s Outlook mailbox at a global stock exchange. The attackers achieved SYSTEM-level access on the executive’s workstation, with the first signs of malicious activity detected on October 10, 2025. Two malicious binaries, disguised as Adobe Acrobat and OneDrive processes, were already running at this point, indicating that the attackers had established a privileged foothold before detection. The method of initial access remains unknown, with no evidence of phishing, vulnerability exploitation, or credential theft identified in the available forensic data (Security Affairs, OffSeq Radar, SecurityWeek).

Persistence was maintained through the repeated registration of scheduled tasks under names mimicking legitimate services such as Adobe, Lenovo, and OneDrive. These tasks were re-registered every few weeks, with intervals rotating between 5 minutes, 5 hours, 15 hours, and 24 hours. Each new registration overwrote the previous one, minimizing the forensic footprint and complicating detection. New persistence binaries appeared during the campaign, including one masquerading as the OneDrive sync service on February 27, 2026, and another as an Adobe driver component on March 19, 2026 (Security Affairs).

The attackers’ primary objective was the incremental theft of the executive’s Outlook mailbox. They used a wrapper around the legitimate Aspose .NET library to parse and extract mailbox data, converting the executive’s OST file into PST archives. Exfiltration began on November 12, 2025, when command-and-control (C2) channels came online and data movement started. Eight further mailbox extractions occurred at two-to-four-week intervals through February 17, 2026, each time covering a new window of mailbox data. This approach enabled near-continuous theft of the mailbox contents, broken into small archives to avoid triggering security alerts.

Data exfiltration was conducted via Dropbox and OneDrive Personal, both of which are commonly used in corporate environments and thus less likely to raise suspicion. The attackers hardcoded Microsoft IP addresses for OneDrive calls, bypassing DNS-based logging and further reducing the likelihood of detection. The use of legitimate cloud services for both C2 and exfiltration is a hallmark of advanced, stealthy operations (Security Affairs, OffSeq Radar).

The technical analysis by Symantec and Carbon Black identified file hashes for the mailbox stealer and the various masquerading executables, which have been published as indicators of compromise (IoCs) for use by defenders in the financial sector. No evidence was found of lateral movement or broader network compromise, indicating that the attackers were highly disciplined and focused solely on the executive’s mailbox.

Mapping the attack to the MITRE ATT&CK framework, the following techniques were observed: scheduled task persistence (T1053.005), masquerading (T1036), email collection via archive extraction (T1114.002), exfiltration to cloud storage (T1567.002), and use of application layer protocols for C2 (T1071.001). The attackers’ use of SYSTEM-level privileges, incremental exfiltration, and minimal forensic footprint are consistent with advanced persistent threat (APT) tradecraft.

Attribution remains unconfirmed. The operation used public tools, legitimate cloud infrastructure, and did not reuse infrastructure tied to known groups, making technical attribution difficult. However, the target profile, dwell time, and operational discipline strongly suggest a state-linked actor. No direct evidence links the operation to a specific country or threat group.

Affected Versions & Timeline

The incident affected a senior executive’s Outlook mailbox at a major global stock exchange. The specific version of Outlook or the underlying operating system is not disclosed in public reports. The compromise timeline is as follows: initial compromise was established by October 10, 2025, with malicious binaries running with SYSTEM privileges. Active exfiltration began on November 12, 2025, when C2 channels were activated and data movement started. Eight further mailbox extractions occurred between November 2025 and February 17, 2026, at intervals of two to four weeks. New persistence binaries appeared on February 27, 2026, and March 19, 2026. The attackers maintained access for approximately 150 days, from October 2025 to March 2026. Public disclosure of the incident occurred on June 3, 2026, following the publication of technical analysis and IoCs by Symantec and Carbon Black (Security Affairs, OffSeq Radar, SecurityWeek).

Threat Activity

The threat activity was characterized by a highly targeted, intelligence-driven campaign focused on the long-term, incremental theft of a single executive’s Outlook mailbox. The attackers demonstrated advanced operational security by using malware disguised as Adobe and OneDrive processes, maintaining persistence through scheduled tasks that mimicked legitimate services, and exfiltrating data via Dropbox and OneDrive Personal in small, dated chunks. The use of the Aspose .NET library enabled efficient extraction and archiving of mailbox data, while the hardcoding of Microsoft IP addresses for exfiltration calls bypassed DNS-based monitoring.

The attackers’ focus on a single high-value target, absence of lateral movement, and use of legitimate cloud services for exfiltration are consistent with advanced espionage operations. The compromised mailbox contained sensitive information, including internal deliberations, negotiations, calendars, contacts, travel plans, and potentially market-moving events. The operation’s discipline, patience, and technical sophistication suggest a state-linked actor, although no direct attribution has been made.

No evidence was found of broader network compromise, ransomware deployment, or financial motivation. The attackers’ objective was clearly intelligence collection, with the potential to undermine market integrity, regulatory actions, and organizational trust within the financial sector. The incident highlights the risk posed by single-account compromise in high-value targets and the need for robust detection and response capabilities.

Mitigation & Workarounds

Given the absence of a specific vulnerability or exploit, mitigation efforts should focus on detection, response, and hardening of executive email accounts and endpoints. The following recommendations are prioritized by severity:

Critical: Immediately review and apply the indicators of compromise (IoCs) published by Symantec and Carbon Black to all endpoints, especially those belonging to executives and personnel with access to market-sensitive information. Monitor for the presence of binaries masquerading as Adobe, OneDrive, or Lenovo processes, and for unusual scheduled tasks with similar names.

Critical: Conduct a comprehensive review of scheduled tasks on executive endpoints, looking for suspicious or frequently re-registered tasks that mimic legitimate services. Remove any unauthorized or anomalous tasks and binaries.

High: Enhance email account security by enforcing multi-factor authentication (MFA) for all executive and privileged accounts. Monitor for unusual mailbox activity, such as large or incremental data exports, and alert on anomalous access patterns.

High: Restrict the use of personal cloud storage services such as Dropbox and OneDrive Personal on corporate endpoints. Implement network controls to block unauthorized cloud storage traffic and monitor for data exfiltration attempts to known cloud service IP addresses.

High: Investigate all endpoints for evidence of SYSTEM-level privilege escalation and unauthorized binaries. Use endpoint detection and response (EDR) tools to hunt for the specific file hashes and behaviors described in the published IoCs.

Medium: Provide targeted security awareness training for executives and high-risk personnel, emphasizing the risks of phishing, credential theft, and malware infection.

Medium: Review and harden endpoint configurations to limit the ability of users and processes to register scheduled tasks or run unsigned binaries with elevated privileges.

Low: Regularly audit mailbox access logs and cloud storage usage for signs of unauthorized activity, and ensure that incident response plans are updated to address targeted espionage scenarios.
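The scheduled-task review in the Critical recommendations above can be partly automated. The following is an added example, not code from the Symantec or Carbon Black analysis: it runs over constructed Windows Security event 4698 (scheduled task created) records and flags task names that borrow the Adobe, OneDrive or Lenovo brand while executing from outside those vendors' normal install directories, and task names that are re-registered with a rotating repetition interval, the pattern described in the report. The record layout and the expected vendor paths are assumptions.

```python
"""Hunt for scheduled-task persistence that mimics legitimate vendor tasks.

Added example; the sample events below are constructed, not real telemetry.
Each record is (timestamp, task name, action path, ISO 8601 repeat interval),
the fields a Security event 4698 exposes once its TaskContent XML is parsed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed 4698-style records for one executive endpoint.
SAMPLE_EVENTS = [
    ("2025-10-10T08:01:00", "\\Adobe Acrobat Update Task", r"C:\Program Files\Adobe\Acrobat DC\AdobeARM.exe", "PT24H"),
    ("2025-10-10T08:05:00", "\\OneDrive Standalone Update", r"C:\Users\Public\Libraries\OneDriveStandaloneUpdater.exe", "PT5M"),
    ("2025-10-31T09:12:00", "\\OneDrive Standalone Update", r"C:\Users\Public\Libraries\OneDriveStandaloneUpdater.exe", "PT5H"),
    ("2025-11-21T10:40:00", "\\OneDrive Standalone Update", r"C:\Users\Public\Libraries\OneDriveStandaloneUpdater.exe", "PT15H"),
    ("2025-12-12T11:03:00", "\\Lenovo System Update", r"C:\ProgramData\Lenovo\LenovoSysUpdate.exe", "P1D"),
    ("2026-01-05T11:03:00", "\\Lenovo System Update", r"C:\ProgramData\Lenovo\LenovoSysUpdate.exe", "PT5M"),
]

# Directories under which binaries for these vendor names are normally installed (assumption;
# tune to the fleet's actual software inventory).
EXPECTED_ROOTS = {
    "adobe": (r"c:\program files\adobe", r"c:\program files (x86)\adobe", r"c:\program files\common files\adobe"),
    "onedrive": (r"c:\program files\microsoft onedrive", r"\appdata\local\microsoft\onedrive"),
    "lenovo": (r"c:\program files\lenovo", r"c:\program files (x86)\lenovo", r"c:\programdata\lenovo"),
}

def path_masquerade_findings(events):
    """Task names that carry a vendor brand but run a binary from an unexpected location."""
    findings = set()
    for _, name, action, _ in events:
        lname, laction = name.lower(), action.lower()
        for vendor, roots in EXPECTED_ROOTS.items():
            if vendor in lname and not any(root in laction for root in roots):
                findings.add((name, action))
    return sorted(findings)

def reregistration_findings(events, min_registrations=2):
    """Task names created repeatedly with a changing interval (each registration overwrote the last)."""
    by_name = defaultdict(list)
    for ts, name, _, interval in events:
        by_name[name].append((datetime.fromisoformat(ts), interval))
    findings = {}
    for name, regs in by_name.items():
        intervals = [interval for _, interval in sorted(regs)]
        if len(intervals) >= min_registrations and len(set(intervals)) > 1:
            findings[name] = intervals
    return findings

if __name__ == "__main__":
    print("masquerading paths:", path_masquerade_findings(SAMPLE_EVENTS))
    print("rotating re-registrations:", reregistration_findings(SAMPLE_EVENTS))
```

In a real hunt the records come from the 4698 events (or from `Get-ScheduledTask` on the endpoint), and a hit on either check is a candidate for the IoC hash comparison the first Critical recommendation describes.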

No specific patch or software update is applicable, as the incident involved credential compromise and malware infection rather than exploitation of a known vulnerability.
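The High recommendation to monitor traffic to known cloud storage addresses has to account for the behaviour described earlier: the attackers hardcoded service IP addresses, so the destinations never appear in DNS logs. The following is an added example, not part of the original report, that correlates constructed DNS-answer and connection log lines and reports connections into a cloud-storage range that no recent DNS answer explains. The log formats, the one-hour window and the `CLOUD_RANGES` list are assumptions; 203.0.113.0/24 (TEST-NET-3) stands in for the real provider ranges an organization would load.

```python
"""Flag outbound connections to cloud-storage ranges that no DNS answer explains.

Added example with constructed log lines. A destination reached without a
preceding DNS answer for that IP is the signal for a hardcoded address.
"""
import ipaddress
from datetime import datetime, timedelta

CLOUD_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder for real provider ranges
DNS_WINDOW = timedelta(hours=1)  # how long a DNS answer is taken to explain a later connection

# Constructed DNS-answer log: timestamp, queried name, answered IP.
DNS_LOG = [
    "2026-01-14T09:00:05 dns answer name=content.cloudstorage.example ip=203.0.113.10",
    "2026-01-14T09:30:10 dns answer name=intranet.example ip=10.0.0.5",
]
# Constructed connection log: timestamp, source host, destination IP, destination port.
CONN_LOG = [
    "2026-01-14T09:00:07 conn src=EXEC-LAPTOP dst=203.0.113.10 dport=443",  # explained by DNS answer
    "2026-01-14T09:41:00 conn src=EXEC-LAPTOP dst=203.0.113.77 dport=443",  # no DNS answer at all
    "2026-01-14T09:42:00 conn src=EXEC-LAPTOP dst=10.0.0.5 dport=445",      # internal, out of scope
    "2026-01-14T11:00:00 conn src=EXEC-LAPTOP dst=203.0.113.10 dport=443",  # DNS answer older than window
]

def _fields(line):
    """Split 'TIMESTAMP kind ... key=value ...' into (datetime, {key: value})."""
    ts, _, rest = line.partition(" ")
    kv = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    return datetime.fromisoformat(ts), kv

def unexplained_cloud_connections(dns_log, conn_log, window=DNS_WINDOW):
    """Return (timestamp, src, dst) for connections into CLOUD_RANGES lacking a DNS answer in `window`."""
    answers = [(at, kv["ip"]) for at, kv in map(_fields, dns_log)]
    hits = []
    for t, kv in map(_fields, conn_log):
        dst = ipaddress.ip_address(kv["dst"])
        if not any(dst in net for net in CLOUD_RANGES):
            continue  # only cloud-storage destinations are of interest here
        explained = any(ip == kv["dst"] and t - window <= at <= t for at, ip in answers)
        if not explained:
            hits.append((t.isoformat(), kv["src"], kv["dst"]))
    return hits

if __name__ == "__main__":
    for hit in unexplained_cloud_connections(DNS_LOG, CONN_LOG):
        print("cloud connection without DNS resolution:", hit)
```

Endpoint proxy or firewall logs that record the SNI or Host header give a second, independent view of the same connections and are worth correlating with these hits.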

References

Security Affairs: https://securityaffairs.com/193086/intelligence/cyber-espionage-campaign-targeted-stock-exchange-executives-outlook-account.html

OffSeq Radar: https://radar.offseq.com/threat/hackers-target-global-stock-exchange-in-espionage--9876e090

SecurityWeek: https://www.securityweek.com/hackers-target-global-stock-exchange-in-espionage-operation/

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations in the financial sector and beyond identify, monitor, and respond to cyber threats targeting high-value assets and personnel. Our platform enables continuous assessment of vendor and partner risk, supports integration of threat intelligence and indicators of compromise, and facilitates rapid incident response coordination. For questions or further information, please contact us at ops@rescana.com.