Hackers Spied on a Stock Exchange Executive's Outlook Mailbox for Five Months

Summary

Unknown attackers maintained persistent access to a senior executive's Outlook mailbox at a major global stock exchange for at least five months, exfiltrating data through Dropbox and OneDrive to evade detection. The campaign, discovered by Symantec and Carbon Black's Threat Hunter Team, used legitimate tools (Aspose library, FRPC, Secretsdump, SharpDecryptPwd) and scheduled tasks masquerading as legitimate services to copy mailbox contents in small batches every two to four weeks. The operation indicates intelligence collection targeting non-public market information rather than financial theft.

Full text

Hackers Spied on a Stock Exchange Executive's Outlook Mailbox for Five Months Swati KhandelwalJun 04, 2026Cyber Espionage / Malware Unknown attackers spent at least five months inside the Outlook mailbox of a senior executive at a major global stock exchange, copying the inbox out in small, repeated batches and routing it through Dropbox and OneDrive so the traffic blended into normal cloud activity. Symantec and Carbon Black's Threat Hunter Team reported the campaign this week. This points to espionage, not a money grab: Symantec said the commands indicate intelligence collection, not theft for profit. Neither the executive nor the exchange was named. The value is plain enough: an exchange executive's inbox can hold non-public listing details, enforcement matters, deal terms, market-moving plans, plus the executive's calendar and contacts. Five months of quiet access handed the attacker a detailed read on the executive's dealings and where the organization was heading, without needing broad access to other business systems. The first malicious activity showed up on October 10, 2025. By then, the attacker was already running two binaries as SYSTEM, the highest Windows privilege level, one faking Adobe's updater and the other faking OneDrive. By the time defenders noticed anything, the intruder had full control of the machine, and how they first got in is still unknown. However, Symantec confirmed that the first signs likely came from lateral movement off a previously compromised device. The operation kicked into gear on November 12. The attacker pulled a Dropbox API token, started uploading data with curl, and deployed the main tool: a mailbox stealer built on Aspose, a legitimate .NET library that reads Outlook OST and PST files. Wrapped in an executable, it converted the mailbox to PST and wrote it to disk, run each time with a password and a date-range flag. The first run grabbed everything from August 2025 on. After that the attacker came back every two to four weeks, each run taking only the days since the last one, eight more pulls through February 17, 2026. The result is a near-continuous copy of the mailbox, sliced thin enough not to draw attention from security software. The stealth came from making the work look ordinary. Scheduled tasks posed as Adobe, Lenovo and OneDrive system services. For exfiltration the attacker used Dropbox and OneDrive Personal, and for OneDrive they connected to hard-coded Microsoft IP addresses instead of the onedrive.live.com hostname, so there were no DNS lookups for a perimeter tool to catch or block. The attacker also tested the public file host temp.sh once in November, then dropped it. The last observed activity, on March 19, 2026, was a new backdoor that was staged but never run, which Elias said may mean the attacker lost access soon after. Symantec's published indicators point to a wider intrusion kit, not just a mailbox grabber: FRPC for tunneling traffic out, Secretsdump for pulling Windows credentials, SharpDecryptPwd for recovering saved app passwords, and a tool to bypass Windows User Account Control. The report does not say how each was used here, and none of them point to a specific group. There is no CVE in this story. It was an intrusion against a person's mailbox, not the exploitation of a freshly disclosed flaw, which is part of why it is worth reading: no patch closes this, and the burden shifts to monitoring and response. Attribution is unresolved too. The mix of public tooling and consumer cloud services left little to tie the activity to a known actor, and that stays open until a stronger source says otherwise. Routing exfiltration through Dropbox and OneDrive to blend in is a well-worn play, and one Microsoft has flagged as a deliberate way to slip past perimeter defenses and muddy attribution. If you defend an exchange, a regulator, or any firm sitting on market-moving information, feed the hashes in now and watch for the behavior behind them: unusual mailbox export activity, odd Outlook access, uploads to personal Dropbox or OneDrive accounts, unexpected tunneling, and credential-dumping on systems tied to privileged users. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Credential Theft, cyber espionage, cybersecurity, data exfiltration, dropbox, Malware, OneDrive, Outlook, Stock Exchange, Symantec ⚡ Top Stories This Week Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited Oracle WebLogic CVE-2024-21182 Added to KEV Catalog After Active Exploitation Dashlane Discloses Brute-Force Attack, Encrypted Vaults of Fewer Than 20 Users Downloaded Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm ⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More Malicious npm Package Stole Files From Claude AI User Directory via GitHub GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions ⭐ Featured Resources Your Employees Are Using AI in Ways You Can’t See – 2026 State of AI Report Learn How to Stop Attacks Before They Reach Your EDR – With PHASR Watch AI Turn Vulnerabilities Into Working Exploits in Minutes (See the Demo) [Guide] The Real Security Risks of Shadow AI (And Where You’re Exposed)

Indicators of Compromise

• malware — Aspose-based mailbox stealer
• malware — FRPC
• malware — Secretsdump
• malware — SharpDecryptPwd
• domain — temp.sh

Entities