Unknown attackers spent at least five months inside the Outlook mailbox of a senior executive at a major global stock exchange, copying the inbox out in small, repeated batches and routing it through Dropbox and OneDrive so the traffic blended into normal cloud activity.
Symantec and Carbon Black’s Threat Hunter Team reported the campaign this week. This points to espionage, not a money grab: Symantec said the commands indicate intelligence collection, not theft for profit.
Neither the executive nor the exchange was named. The value is plain enough: an exchange executive’s inbox can hold non-public listing details, enforcement matters, deal terms, market-moving plans, plus the executive’s calendar and contacts.
Five months of quiet access handed the attacker a detailed read on the executive’s dealings and where the organization was heading, without needing broad access to other business systems.
The first malicious activity showed up on October 10, 2025. By then, the attacker was already running two binaries as SYSTEM, the highest Windows privilege level, one faking Adobe’s updater and the other faking OneDrive. By the time defenders noticed anything, the intruder had full control of the machine, and how they first got in is still unknown.
However, Symantec confirmed that the first signs likely came from lateral movement off a previously compromised device. The operation kicked into gear on November 12. The attacker pulled a Dropbox API token, started uploading data with curl, and deployed the main tool: a mailbox stealer built on Aspose, a legitimate .NET library that reads Outlook OST and PST files. Wrapped in an executable, it converted the mailbox to PST and wrote it to disk, run each time with a password and a date-range flag.
The first run grabbed everything from August 2025 on. After that the attacker came back every two to four weeks, each run taking only the days since the last one, eight more pulls through February 17, 2026. The result is a near-continuous copy of the mailbox, sliced thin enough not to draw attention from security software.
The stealth came from making the work look ordinary. Scheduled tasks posed as Adobe, Lenovo and OneDrive system services. For exfiltration the attacker used Dropbox and OneDrive Personal, and for OneDrive they connected to hard-coded Microsoft IP addresses instead of the onedrive.live.com hostname, so there were no DNS lookups for a perimeter tool to catch or block.
The attacker also tested the public file host temp.sh once in November, then dropped it. The last observed activity, on March 19, 2026, was a new backdoor that was staged but never run, which Elias said may mean the attacker lost access soon after.
Symantec’s published indicators point to a wider intrusion kit, not just a mailbox grabber: FRPC for tunneling traffic out, Secretsdump for pulling Windows credentials, SharpDecryptPwd for recovering saved app passwords, and a tool to bypass Windows User Account Control. The report does not say how each was used here, and none of them point to a specific group.
There is no CVE in this story. It was an intrusion against a person’s mailbox, not the exploitation of a freshly disclosed flaw, which is part of why it is worth reading: no patch closes this, and the burden shifts to monitoring and response.
Attribution is unresolved too. The mix of public tooling and consumer cloud services left little to tie the activity to a known actor, and that stays open until a stronger source says otherwise. Routing exfiltration through Dropbox and OneDrive to blend in is a well-worn play, and one Microsoft has flagged as a deliberate way to slip past perimeter defenses and muddy attribution.
If you defend an exchange, a regulator, or any firm sitting on market-moving information, feed the hashes in now and watch for the behavior behind them: unusual mailbox export activity, odd Outlook access, uploads to personal Dropbox or OneDrive accounts, unexpected tunneling, and credential-dumping on systems tied to privileged users.
