A cyber espionage operation targeted an Outlook account belonging to a stock exchange executive.

Threat actors conducted a prolonged espionage campaign by covertly accessing and extracting data from a senior executive’s Outlook account at a major global stock exchange over a five-month period.

According to a recent investigation by Broadcom’s Symantec and Carbon Black threat research teams, the attackers maintained undetected access for approximately 150 days, spanning from October 2025 through March 2026. While the exact organization was not disclosed, and no known threat group has been directly linked to the operation, the findings point to a highly targeted and carefully executed intelligence-gathering effort.

By maintaining silent access to the executive’s mailbox, the attackers were able to harvest a wealth of sensitive information. This likely included internal communications, confidential negotiations, meeting schedules, travel itineraries, contact lists, and potentially information capable of influencing financial markets. The researchers emphasized that compromising a single high-level account can give attackers deep visibility into an organization’s operations, eliminating the need for lateral movement across the network.

The report underscores the strategic value of such a target, noting that executive email accounts serve as rich intelligence sources. These accounts often contain insights into both internal decision-making processes and external engagements, offering attackers a near-complete understanding of corporate strategy and upcoming activities. For organizations like stock exchanges and regulatory bodies, this type of access can expose non-public details related to listings, enforcement actions, and other market-sensitive developments.

Investigators believe the campaign was not financially motivated but instead aligned with espionage objectives. The nature of the data accessed and the patience exhibited by the attackers suggest a focus on intelligence collection rather than immediate financial gain.

The earliest evidence of compromise dates back to October 10, 2025, although the initial entry point remains unclear. By that time, the attackers had already deployed two malicious executables on the system, both operating with SYSTEM-level privileges. These programs were disguised as legitimate applications, specifically Adobe Acrobat and Microsoft OneDrive processes, indicating that the attackers had already achieved deep system access before detection began.

The operation entered a more active phase on November 12, when command-and-control (C2) communications were established and data exfiltration began. At the core of the campaign was a tool built around Aspose, a legitimate .NET library used to process Outlook mailbox files. The attackers leveraged this tool to extract data from the executive’s OST mailbox file, converting it into PST format and exfiltrating it in segmented batches. Each batch covered a specific timeframe, typically spanning several weeks.

Over the course of the campaign, the attackers executed multiple extraction cycles approximately every two to four weeks until mid-February 2026. These incremental exports allowed them to gradually siphon off the entire mailbox contents while keeping each transfer small enough to avoid triggering security alerts. This methodical approach resulted in a nearly continuous and comprehensive theft of email data over several months.

To further evade detection, the attackers used widely trusted cloud services, including Dropbox and personal OneDrive accounts, as channels for data exfiltration. Because these services are commonly used within enterprise environments, their traffic blends in with normal activity. Additionally, the attackers bypassed DNS-based monitoring by hardcoding Microsoft IP addresses for the OneDrive communications, a technique that removes the visibility DNS logs would otherwise provide into suspicious activity.
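The DNS-bypass described above leaves a gap a defender can look for: a process that connects to an external address no DNS answer on the host ever returned. The following is an added, constructed example (not code from the Symantec/Carbon Black report) that correlates Sysmon-style DNS query events (ID 22) with network connection events (ID 3); the process names, timestamps and TEST-NET addresses are placeholders, not indicators from the report.

```python
"""Flag connections to external IPs that no DNS answer on the host returned.
Added, constructed example, not code from the Symantec/Carbon Black report:
it correlates Sysmon-style DNS events (ID 22) with network events (ID 3)."""
import ipaddress
from datetime import datetime, timedelta

LOOKBACK = timedelta(hours=24)  # how long a DNS answer counts as fresh
# Ranges treated as internal; an org would list its own address space here.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Constructed sample events (TEST-NET documentation addresses, placeholder
# process names); none of these values are indicators from the report.
DNS_EVENTS = [
    {"ts": "2025-11-12T08:00:01", "image": "OneDrive.exe",
     "query": "onedrive.live.com", "answers": ["203.0.113.10"]},
    {"ts": "2025-11-12T08:00:02", "image": "chrome.exe",
     "query": "example.org", "answers": ["198.51.100.7"]},
]
NET_EVENTS = [
    {"ts": "2025-11-12T08:00:03", "image": "OneDrive.exe", "dst": "203.0.113.10"},
    {"ts": "2025-11-12T08:00:04", "image": "chrome.exe", "dst": "198.51.100.7"},
    {"ts": "2025-11-12T08:00:09", "image": "svchost.exe", "dst": "10.0.0.53"},
    # Looks like OneDrive sync traffic, but the host never resolved this IP.
    {"ts": "2025-11-12T08:01:00", "image": "OneDriveSync.exe", "dst": "203.0.113.55"},
]

def _ts(s):
    return datetime.fromisoformat(s)

def is_internal(ip):
    return any(ip in net for net in INTERNAL)

def dnsless_connections(dns_events, net_events, lookback=LOOKBACK):
    """Return connection events whose external destination was not returned
    by any DNS answer on the host within `lookback` before the connection."""
    answers = [(_ts(e["ts"]), ipaddress.ip_address(a))
               for e in dns_events for a in e["answers"]]
    flagged = []
    for ev in sorted(net_events, key=lambda e: e["ts"]):
        dst = ipaddress.ip_address(ev["dst"])
        if is_internal(dst):
            continue
        when = _ts(ev["ts"])
        # The DNS cache is host-wide, so an answer from any process counts.
        if not any(when - lookback <= t <= when and a == dst for t, a in answers):
            flagged.append(ev)
    return flagged
```

Running `dnsless_connections(DNS_EVENTS, NET_EVENTS)` on the constructed data returns only the OneDriveSync.exe connection; a connection that precedes its DNS answer is flagged too, since only answers already seen count.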

Maintaining long-term access to the compromised system required consistent persistence mechanisms. The attackers periodically re-established scheduled tasks under names designed to resemble legitimate software from vendors such as Adobe, Lenovo, and Microsoft OneDrive. These tasks were configured with varying execution intervals, ranging from minutes to hours, to avoid a predictable pattern. Each new task registration replaced the previous one, minimizing system artifacts and reducing the chance of detection.
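The task-replacement pattern above is itself detectable from Windows Security task-creation (4698) and task-deletion (4699) events: a vendor-sounding task name that launches a binary from outside the vendor's install locations, and that keeps being deleted and re-registered. The following is an added, constructed example (not code from the report); the task names, paths and timestamps are placeholders, not the names the researchers published.

```python
"""Score scheduled-task registrations for vendor-lookalike persistence churn.
Added, constructed example, not code from the Symantec/Carbon Black report: it
walks simplified Security events 4698 (task created) and 4699 (task deleted)."""
from collections import defaultdict

VENDOR_WORDS = ("adobe", "acrobat", "lenovo", "onedrive", "microsoft")
# Where genuine vendor binaries normally live (illustrative, not exhaustive).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\",
                "c:\\windows\\", "\\appdata\\local\\microsoft\\onedrive\\")

# Constructed sample events; names, paths and times are placeholders, not IOCs.
EVENTS = [
    {"ts": "2025-10-10T09:00:00", "id": 4698, "task": "\\Adobe\\AdobeUpdateCheck",
     "command": "C:\\Users\\Public\\Libraries\\AcroBroker.exe", "user": "SYSTEM"},
    {"ts": "2025-10-10T09:30:00", "id": 4699, "task": "\\Adobe\\AdobeUpdateCheck",
     "user": "SYSTEM"},
    {"ts": "2025-10-10T09:30:05", "id": 4698, "task": "\\Adobe\\AdobeUpdateCheck",
     "command": "C:\\Users\\Public\\Libraries\\AcroBroker.exe", "user": "SYSTEM"},
    {"ts": "2025-10-11T12:00:00", "id": 4698, "task": "\\Microsoft\\OneDrive Update",
     "command": "C:\\Program Files\\Microsoft OneDrive\\OneDriveUpdater.exe",
     "user": "jdoe"},
    {"ts": "2025-10-12T07:15:00", "id": 4698, "task": "\\Lenovo\\LenovoVantageSync",
     "command": "C:\\ProgramData\\LenovoSync\\lsync.exe", "user": "SYSTEM"},
]

def looks_like_vendor(task_name):
    return any(w in task_name.lower() for w in VENDOR_WORDS)

def trusted_path(command):
    # A real deployment would canonicalise the path and check the signer too.
    cmd = command.lower().strip('"').replace("/", "\\")
    return any(d in cmd for d in TRUSTED_DIRS)

def score_tasks(events, min_registrations=2):
    """Vendor-lookalike tasks run from untrusted paths; churn = re-registered."""
    created, deleted = defaultdict(list), defaultdict(int)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 4698:
            created[ev["task"]].append(ev)
        elif ev["id"] == 4699:
            deleted[ev["task"]] += 1
    findings = {}
    for name, regs in created.items():
        bad = [r for r in regs if not trusted_path(r["command"])]
        if looks_like_vendor(name) and bad:
            findings[name] = {"registrations": len(regs), "deletions": deleted[name],
                              "churn": len(regs) >= min_registrations,
                              "commands": sorted({r["command"] for r in bad})}
    return findings
```

On the constructed events the genuine OneDrive task is ignored, the Lenovo lookalike is reported without churn, and the Adobe lookalike is reported with two registrations and one deletion, the delete-and-recreate cycle the report describes.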

As the campaign progressed, the attackers continued to introduce new disguised payloads. In late February, a malicious file impersonating the OneDrive synchronization service was deployed, followed by another in March masquerading as an Adobe driver component. These updates ensured ongoing control over the system until the operation concluded.

Attribution remains uncertain due to the attackers’ deliberate use of publicly available tools, legitimate cloud infrastructure for both command-and-control and data exfiltration, and a lack of infrastructure overlap with known threat groups. However, the precision, discipline, and extended dwell time strongly suggest involvement by a state-sponsored or nation-state-aligned actor.

The researchers have released a full set of indicators of compromise (IOCs), including file hashes associated with the malware and disguised executables. Security teams, particularly those in financial institutions, regulatory environments, or other sectors handling sensitive market data, are advised to incorporate these indicators into their detection systems without delay.

In conclusion, the report highlights the attackers’ singular focus: conducting sustained, low-profile data exfiltration from a single high-value Outlook account. By carefully managing data transfers in small increments and leveraging trusted services, the attackers were able to remain undetected for months. The campaign demonstrates a sophisticated and highly targeted approach, combining technical expertise with strategic patience to maintain persistent, stealthy access over an extended period.
