APT Spied on Stock Exchange Exec's Outlook Mailbox for 5 Months
Unknown attackers maintained undetected access to the Outlook mailbox of a senior executive at a major global stock exchange for at least five months, systematically exfiltrating correspondence in small, repeated batches routed through Dropbox and OneDrive to blend with normal cloud traffic. Symantec and Carbon Black's Threat Hunter Team disclosed the campaign this week, confirming that command-and-control behavior pointed to intelligence collection rather than financial theft. Neither the executive nor the exchange has been named, but the intelligence value is clear: non-public listing details, enforcement matters, deal terms, market-moving plans, executive calendars, and contact networks are all routinely housed in such an inbox. Organizations concerned about exposure of executive credentials can verify accounts with an email breach checker, while security teams can use a WHOIS lookup to investigate suspicious cloud service domains used for exfiltration.
The intrusion timeline began on October 10, 2025, when the attacker was already running two binaries as SYSTEM—one impersonating an Adobe updater and another masquerading as OneDrive. Symantec investigators determined that initial access likely stemmed from lateral movement off a previously compromised device, with the true entry vector still undetermined. The operation escalated on November 12, when the attacker harvested a Dropbox API token, began staging data with curl, and deployed a custom mailbox stealer built on Aspose, a legitimate .NET library capable of parsing Outlook OST and PST files. The first run extracted all mailbox content from August 2025 forward, and subsequent executions followed every two to four weeks through February 17, 2026, each run targeting only the date range since the last pull. This incremental approach produced a near-complete copy of the mailbox while staying beneath security tooling thresholds, similar in tradecraft to advanced persistent threat operations documented in prior Symantec threat intel reports.
The attacker emphasized operational security throughout. Scheduled tasks were disguised as Adobe, Lenovo, and OneDrive system services. Exfiltration leveraged Dropbox and OneDrive Personal, and for OneDrive specifically, the malware connected to hard-coded Microsoft IP addresses rather than resolving onedrive.live.com—eliminating DNS lookups that perimeter monitoring tools could detect. This DNS-avoidance technique highlights why defenders should still run a DNS leak test on internal endpoints to surface anomalous resolution behavior, and why even hardened network monitoring can miss cloud-bound traffic that uses direct IP routing. The attacker also briefly tested temp.sh as a public file host in November before abandoning it. The last observed activity, on March 19, 2026, was a staged but never-executed backdoor, which researcher Elias suggested may indicate the actor lost access shortly thereafter.
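The DNS-avoidance described above leaves a gap that per-host telemetry can close: a connection to a public IP that no DNS answer on that host ever produced is worth a look. The following is an added detection example, not code from the report or from Symantec's tooling, run over constructed DNS-answer and connection log lines (the hosts, IPs, and process names are made up); it correlates the two feeds per host and flags connections with no preceding resolution inside a window.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the Symantec report). Each line is
# "<ts> <host> <type> key=value ...": DNS answers seen on the host, and
# outbound connections with the destination IP and originating process.
DNS_LOG = [
    "2026-02-17T09:00:01Z host1 dns query=onedrive.live.com answer=13.107.42.12",
    "2026-02-17T09:00:05Z host1 dns query=login.microsoftonline.com answer=20.190.160.5",
    "2026-02-17T09:01:00Z host2 dns query=onedrive.live.com answer=13.107.42.12",
]
CONN_LOG = [
    "2026-02-17T09:00:02Z host1 conn dst=13.107.42.12 port=443 proc=OneDrive.exe",
    "2026-02-17T09:00:06Z host1 conn dst=20.190.160.5 port=443 proc=msedge.exe",
    "2026-02-17T09:03:00Z host2 conn dst=13.107.42.12 port=443 proc=OneDrive.exe",
    "2026-02-17T09:30:00Z host2 conn dst=13.107.42.13 port=443 proc=OneDriveUpdate.exe",
]

def parse(line):
    """Split one log line into a dict of its key=value fields plus ts/host."""
    ts, host, _kind, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    rec["host"] = host
    return rec

def find_undns_connections(dns_lines, conn_lines, window=timedelta(hours=2)):
    """Return (host, dst_ip, process) for connections to public IPs that no
    DNS answer on the same host produced within `window` before the connect.
    The window must exceed the longest DNS TTL the host caches, otherwise a
    legitimately cached resolution is reported as a miss. DoH/DoT resolvers
    and hosts-file entries also show up here, so treat hits as triage leads."""
    answers = defaultdict(list)  # (host, ip) -> timestamps the ip was answered
    for r in map(parse, dns_lines):
        answers[(r["host"], r["answer"])].append(r["ts"])
    hits = []
    for r in map(parse, conn_lines):
        ip = r["dst"]
        if ipaddress.ip_address(ip).is_private:
            continue  # internal traffic is out of scope for this check
        seen = answers.get((r["host"], ip), [])
        if not any(r["ts"] - window <= t <= r["ts"] for t in seen):
            hits.append((r["host"], ip, r["proc"]))
    return hits

if __name__ == "__main__":
    for host, ip, proc in find_undns_connections(DNS_LOG, CONN_LOG):
        print(f"{host}: {proc} -> {ip} with no preceding DNS answer")
```

In the constructed data only the host2 connection to 13.107.42.13 is flagged; the process name looking like a OneDrive component is exactly why the check ignores names and correlates on IP instead.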
Published indicators reveal a broader intrusion kit beyond the mailbox stealer. The toolkit included FRPC for tunneling outbound traffic, Secretsdump for extracting Windows credentials, and SharpDecryptPwd for recovering saved application passwords—tools commonly associated with post-exploitation credential harvesting. These capabilities suggest the attacker was positioned to move deeper into the environment had access persisted, including bypassing Windows User Account Control protections. Given the credential theft components, security teams and executives should immediately run any exposed passwords through a password checker and consider rotating credentials stored in browser password managers and Outlook. The campaign underscores how long-dwell, low-noise espionage against high-value targets can evade detection for months when attackers abuse legitimate cloud services and reputable development libraries like Aspose to mask malicious intent.