Espionage Intrusion Stole Stock Exchange Executive’s Outlook Mailbox via Cloud Exfiltration
Researchers at Symantec and Carbon Black said unknown attackers maintained access for about five months to the Outlook mailbox of a senior executive at a major global stock exchange, quietly collecting email data from late 2025 into early 2026. The intruders used a custom mailbox-stealing tool built around the legitimate Aspose .NET library to convert the victim’s OST data into PST archives and repeatedly export the mailbox in small, date-bounded batches, indicating a deliberate intelligence-gathering operation rather than smash-and-grab theft.
The stolen mailbox data was exfiltrated through Dropbox and OneDrive Personal to blend into ordinary cloud traffic, while persistence was hidden behind scheduled tasks and binaries masquerading as Adobe, Lenovo, and OneDrive components. Investigators also found tooling linked to tunneling, credential dumping, password recovery, and UAC bypass, along with hard-coded Microsoft IP addresses used to avoid OneDrive DNS lookups; attribution and the initial access vector remain unknown, but the incident shows how a single compromised executive mailbox can expose negotiations, calendars, contacts, travel plans, and other potentially market-sensitive information.
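The hard-coded Microsoft IP addresses described above leave a trace defenders can hunt for: a TLS connection to an external address that no DNS answer on the same host explains. The Python below is an added example, not code from the Symantec and Carbon Black report; the event fields mimic Sysmon Event ID 22 (DNS query) and Event ID 3 (network connection), and every host name, file path and IP address in it is constructed (IPs come from the RFC 5737 documentation ranges).

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed events shaped like Sysmon ID 22 (DNS query) and ID 3 (network
# connection). Hosts, paths and IPs are made up; IPs are RFC 5737 ranges.
DNS_EVENTS = [
    {"host": "WS-EXEC01", "time": "2026-01-10T09:00:01",
     "query": "onedrive.live.com", "answers": ["198.51.100.10"]},
]
NET_EVENTS = [
    {"host": "WS-EXEC01", "time": "2026-01-10T09:00:02", "dst_ip": "198.51.100.10",
     "dst_port": 443, "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"host": "WS-EXEC01", "time": "2026-01-11T02:14:00", "dst_ip": "203.0.113.77",
     "dst_port": 443, "image": r"C:\ProgramData\OneDriveSvc\onedrive_sync.exe"},
    {"host": "WS-EXEC01", "time": "2026-01-11T02:15:00", "dst_ip": "10.1.2.3",
     "dst_port": 443, "image": r"C:\Windows\System32\svchost.exe"},
]
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CACHE_WINDOW = timedelta(hours=24)  # assumption: tune to resolver cache lifetimes


def dnsless_connections(dns_events, net_events, window=CACHE_WINDOW):
    """Return HTTPS connections to external IPs that no DNS answer on the
    same host produced within `window` before the connection."""
    resolved = {}  # (host, ip) -> times at which a DNS answer contained ip
    for ev in dns_events:
        for ip in ev["answers"]:
            resolved.setdefault((ev["host"], ip), []).append(
                datetime.fromisoformat(ev["time"]))
    findings = []
    for ev in net_events:
        dst = ipaddress.ip_address(ev["dst_ip"])
        if ev["dst_port"] != 443 or any(dst in net for net in INTERNAL):
            continue  # only external TLS traffic is of interest here
        when = datetime.fromisoformat(ev["time"])
        times = resolved.get((ev["host"], ev["dst_ip"]), [])
        # A resolution only counts if it happened before the connection
        # and is recent enough to still plausibly be cached.
        if not any(timedelta(0) <= when - t <= window for t in times):
            findings.append(ev)
    return findings


if __name__ == "__main__":
    for hit in dnsless_connections(DNS_EVENTS, NET_EVENTS):
        print(hit["time"], hit["host"], hit["image"], "->", hit["dst_ip"])
```

Hits are leads rather than verdicts: software that pins IPs or resolves names through DNS-over-HTTPS will also appear, so triage each hit by the process image path and its signer.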

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Attackers deploy new malware components in March 2026
The espionage campaign targeting the stock exchange executive remained active through March 2026, when the attackers introduced new malware components. This indicated the intrusion was still ongoing and adaptive beyond the previously observed mailbox collection period ending in mid-February.
Researchers disclose espionage campaign targeting stock exchange executive
Broadcom's Symantec and Carbon Black threat-hunting team publicly reported a suspected intelligence-gathering intrusion in which attackers maintained roughly five months of access to a senior stock exchange executive's Outlook mailbox. The researchers said attribution remained unresolved and assessed the activity as espionage rather than financially motivated theft.
Researchers publish IOCs for stock exchange executive intrusion
Alongside reporting on the espionage intrusion, Symantec and Carbon Black released indicators of compromise for the malware and persistence mechanisms used in the attack. The disclosure included details such as scheduled-task persistence masquerading as Lenovo and OneDrive services and other disguised components to aid detection.
Observed mailbox collection activity continues through mid-February
Periodic mailbox collection from the compromised executive account continued for months as part of a long-running espionage operation. Symantec said the observed collection phase ran through February 17, 2026.
Mailbox theft phase begins against executive Outlook account
The attackers began repeatedly exporting the executive's Outlook mailbox in small, date-bounded batches using a mailbox-stealing tool built on the legitimate Aspose .NET library. The stolen data was exfiltrated via Dropbox and OneDrive Personal to blend into normal cloud traffic.
Attackers first gain foothold in stock exchange executive intrusion
Symantec and Carbon Black observed the first malicious activity tied to the espionage intrusion targeting a senior executive at a major global stock exchange. The initial access vector was not determined.
Sources
Stock Exchange Executive’s Outlook Account Targeted to Exfiltrate Credentials (cybersecuritynews.com)
Stock exchange executive’s Outlook mailbox stolen over course of 5 months | news | SC Media (scworld.com)
Hackers Spied on a Stock Exchange Executive's Outlook Mailbox for Five Months (thehackernews.com)
Cyber espionage campaign targeted stock exchange executive’s Outlook account (securityaffairs.com)

