Hackers gained access to the email account of a senior executive at a major global stock exchange and exfiltrated data for months.
The attack, investigated by Broadcom’s Symantec and Carbon Black threat-hunting team, began in October 2025, and the threat actor retained access to the compromised Outlook mailbox until March 2026. The security experts estimate that the dwell time was roughly 150 days.
The goal of the operation was most likely espionage, but Symantec and Carbon Black did not share any information about who may have been behind the attack or which stock exchange was targeted.
“For an espionage actor, a senior executive’s mailbox is a high-value intelligence target. An Outlook profile may yield details of external negotiations, internal deliberations, the executive’s calendar, travel pattern, and their contacts,” the researchers said.
“Organizations such as exchanges and regulators may hold non-public information about listings, enforcement actions and market-moving events. Months of unfettered access to that mailbox lets an attacker build a near-complete picture of the target’s working life and the organization’s near-term direction without ever having to move laterally elsewhere on the network,” they added.
The initial access vector remains unknown, but the first signs of malicious activity were seen on October 10, 2025, when malware had already been running on the compromised host, disguised as Adobe and OneDrive applications.
Command-and-control (C&C) channels were established on November 12, when the attacker also began collecting and exfiltrating data.
To avoid raising suspicion, they used Dropbox and OneDrive to exfiltrate files, transferring only small batches at a time.
“The cumulative effect over the five months observed is a complete, near-continuous theft of the user’s Outlook mailbox, broken into incremental archives small enough not to draw attention from security software,” the researchers explained.
The attacker continuously worked on persistence, regularly re-registering tasks disguised as Adobe, Lenovo, and OneDrive system services to maintain access.
Symantec and Carbon Black made indicators of compromise (IoCs) available to help other organizations detect potential attacks.
Related: US Disrupts Russian Espionage Operation Involving Hacked Routers and DNS Hijacking
Related: Sophisticated Deep#Door Backdoor Enables Espionage, Disruption
Related: US Disrupts Russian Espionage Operation Involving Hacked Routers and DNS Hijacking
