Unknown attackers spent at least five months inside the Outlook mailbox of a senior executive at a major global stock exchange, copying email in small batches and moving it through Dropbox and OneDrive, according to a technical analysis from Symantec and Carbon Black’s Threat Hunter Team.
KEY FACTS
- Target: An Outlook mailbox tied to a senior executive at a major global stock exchange.
- Duration: Access appears to have lasted from October 2025 through March 2026.
- Method: Data was exported in small, repeated batches and sent out through cloud storage services.
- Assessment: The activity was described as espionage rather than theft for profit.
The report said the first malicious activity appeared on October 10, 2025, by which point the attacker was already running two binaries as SYSTEM, the Local System account and the highest privilege level on Windows. One binary masqueraded as Adobe's updater and the other as OneDrive.
By November 12, the intruder had pulled a Dropbox API token, started uploads with curl and deployed a mailbox stealer built on Aspose, a legitimate .NET library that can read Outlook OST and PST files. The tool converted mailbox data to PST and was run with a password and a date-range flag.
The first run copied messages from August 2025 onward. Later runs returned every two to four weeks and exported only the new messages since the last batch, with eight more pulls through February 17, 2026. The activity gave the operator a near-continuous copy of the mailbox while limiting the chance of detection.
To blend in with normal activity, scheduled tasks were named to resemble Adobe, Lenovo and OneDrive system services. For exfiltration the attacker used Dropbox and a personal OneDrive account, and the OneDrive connections went to hard-coded Microsoft IP addresses rather than to the onedrive.live.com hostname. Because no DNS lookup for that domain was ever made, monitoring keyed on DNS telemetry would not have seen the uploads.
The report also pointed to other tools that could support a broader intrusion, including FRPC (the fast reverse proxy client) for tunneling, Secretsdump for extracting Windows credentials, SharpDecryptPwd for recovering saved passwords, and a tool for bypassing User Account Control. The last observed activity, on March 19, 2026, was a new backdoor that was staged on the host but never run.
WHY IT MATTERS
The case shows how a mailbox linked to a market-sensitive executive can expose deal terms, enforcement matters and other non-public information without a major breach of core systems. It also shows how personal cloud services can be used to hide exfiltration and complicate detection.

