


Perceptive Security
SOC/SIEM Consultancy

Hackers Spied on a Stock Exchange Executive's Outlook Mailbox for Five Months
Published:
4 June 2026 at 09:33:57
Alert date:
4 June 2026 at 10:00:56
Source:
thehackernews.com
Email & Messaging, Data Breach & Exfiltration, Critical Infrastructure
Unknown attackers conducted a sophisticated five-month espionage operation targeting a senior executive's Outlook mailbox at a major global stock exchange. The attackers systematically copied email data in small batches and exfiltrated it through cloud services, including Dropbox and OneDrive, to blend in with normal network traffic. Symantec and Carbon Black's Threat Hunter Team identified this as an espionage campaign rather than a financially motivated attack. The prolonged access and methodical data extraction suggest advanced persistent threat capabilities, with potential market manipulation or insider trading motives.
Technical details
The attackers maintained five months of access to the stock exchange executive's Outlook mailbox, operating with SYSTEM privileges using fake Adobe updater and OneDrive binaries. They used a mailbox stealer built on the Aspose .NET library to convert OST/PST files, and exfiltrated the data in small batches every 2-4 weeks through Dropbox and OneDrive Personal. The tooling connected to hard-coded Microsoft IP addresses instead of onedrive.live.com to avoid DNS-based detection. The attackers deployed scheduled tasks disguised as Adobe, Lenovo, and OneDrive services. They also used FRPC for tunneling, Secretsdump for credential harvesting, SharpDecryptPwd for password recovery, and UAC bypass tools.
Mitigation steps:
Monitor for unusual mailbox export activity, odd Outlook access patterns, uploads to personal Dropbox or OneDrive accounts, unexpected tunneling traffic, and credential dumping on systems tied to privileged users. Implement enhanced monitoring and response capabilities focused on detecting small-batch data exfiltration patterns.
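The following is an added detection sketch, not code from the report or from Perceptive: it joins network flow records against DNS answers to flag upload-heavy transfers to IPs a host never resolved, recurring on the 2-4 week cadence described above. The record layout, thresholds, host name, file paths and IP addresses are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample telemetry; hosts, paths and IPs (documentation ranges) are
# illustrative and not taken from the report.
DNS_ANSWERS = [  # (host, queried name, resolved IP)
    ("WS-EXEC01", "onedrive.live.com", "198.51.100.10"),
]
SYNC = r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"
FAKE = r"C:\ProgramData\example\updater.exe"  # placeholder path
FLOWS = [  # (day, host, process image, dest IP, bytes out, bytes in)
    ("2026-01-05", "WS-EXEC01", SYNC, "198.51.100.10", 40_000_000, 2_000_000),
    ("2026-01-06", "WS-EXEC01", FAKE, "203.0.113.25", 18_000_000, 90_000),
    ("2026-01-26", "WS-EXEC01", SYNC, "198.51.100.10", 35_000_000, 1_000_000),
    ("2026-01-27", "WS-EXEC01", FAKE, "203.0.113.25", 22_000_000, 110_000),
    ("2026-02-03", "WS-EXEC01", r"C:\Program Files\Browser\browser.exe",
     "203.0.113.80", 9_000_000, 50_000),
    ("2026-02-17", "WS-EXEC01", FAKE, "203.0.113.25", 15_000_000, 70_000),
    ("2026-03-10", "WS-EXEC01", FAKE, "203.0.113.25", 19_000_000, 95_000),
]


def find_low_and_slow(flows, dns_answers, min_gap=14, max_gap=28,
                      min_runs=3, ratio=10):
    """Return (host, image, dst_ip, gaps_in_days) for recurring upload-heavy
    flows to IPs the host never resolved through DNS."""
    resolved = {(host, ip) for host, _name, ip in dns_answers}
    runs = defaultdict(list)
    for day, host, image, dst, out_b, in_b in flows:
        upload_heavy = out_b >= ratio * max(in_b, 1)
        if upload_heavy and (host, dst) not in resolved:
            runs[(host, image, dst)].append(date.fromisoformat(day))
    findings = []
    for (host, image, dst), days in runs.items():
        days.sort()
        gaps = [(b - a).days for a, b in zip(days, days[1:])]
        # Require several transfers, each 2-4 weeks after the previous one.
        if len(days) >= min_runs and all(min_gap <= g <= max_gap for g in gaps):
            findings.append((host, image, dst, gaps))
    return findings


if __name__ == "__main__":
    for host, image, dst, gaps in find_low_and_slow(FLOWS, DNS_ANSWERS):
        print(f"{host}: {image} -> {dst} upload-heavy, no DNS, gaps={gaps} days")
```

An IP cached from an earlier resolution or resolved over DNS-over-HTTPS also appears unresolved here, so join against a sufficiently long DNS window before alerting.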
Affected products:
Microsoft Outlook
Aspose .NET library
Dropbox
OneDrive Personal
Windows
Related links:
https://www.security.com/threat-intelligence/stock-exchange-espionage
https://thehackernews.com/2024/10/microsoft-detects-growing-use-of-file.html
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
