Jun 11, 2026
Hackers Stole a Stock Exchange Exec's Inbox for 5 Months
Symantec and Carbon Black's Threat Hunter Team revealed that an intruder lived inside a major global stock exchange from October 10, 2025 to March 19, 2026, repeatedly converting a senior executive's Outlook mailbox into archives and smuggling them out through Dropbox and OneDrive.
Somebody read everything. For roughly 150 days, an unidentified threat actor treated a senior executive's Microsoft Outlook mailbox at a major global stock exchange like a subscription service. The first extraction grabbed every message going back to August 2025. After that, the attacker returned roughly every two to four weeks, each run scooping up only the mail that had arrived since the last one: eight more pulls in total through February 17, 2026.
The operation, disclosed on June 3, 2026 by researchers at Broadcom's Symantec and Carbon Black Threat Hunter Team, is a case study in how quiet a modern espionage campaign can be. No ransomware, no destructive payload, no dramatic alert. Just a patient operator, a legitimate software library, and two cloud storage services that corporate networks see every day.
Key Takeaways
- Symantec and Carbon Black's Threat Hunter Team disclosed on June 3, 2026 a five-month intrusion at an unnamed major global stock exchange, running from October 10, 2025 to March 19, 2026.
- A stealer built on Aspose, a legitimate commercial .NET library, converted the executive's Outlook OST mailbox file into PST archives in dated chunks, with the final run on February 17, 2026.
- Stolen mail left the network through Dropbox and OneDrive Personal, with OneDrive reached via hardcoded Microsoft IP addresses to avoid leaving DNS logs.
- Persistence relied on scheduled tasks impersonating Adobe, Lenovo, and OneDrive services, re-registered every few weeks with rotating intervals.
- Attribution remains unknown; public tools and consumer cloud infrastructure left almost no clues, though researchers assess the motive was espionage.
What Happened at the Stock Exchange?
An intruder gained system-level access to machines at the exchange and used that foothold to harvest one specific executive's mailbox, over and over, for five months. When Symantec first observed malicious activity on October 10, 2025, the attacker was already running two binaries disguised as Adobe and OneDrive components with SYSTEM privileges, which means the initial break-in happened earlier and the entry vector is still unknown.
The active theft phase began on November 12, 2025, when the operator completed an OAuth handshake with a registered Dropbox application and started pushing data out through its API. Days later, on November 21, OneDrive Personal was added as a second exfiltration channel. The attacker even briefly tested the temporary file service temp.sh on November 20 and 21, then abandoned it after three attempts. Activity continued until March 19, 2026, when a previously unseen binary named armdriver.exe launched and the observed campaign ended. How attackers get this kind of initial mailbox access is rarely exotic: credential phishing against Microsoft 365 accounts is now sold as a service, as we covered in the report on the Kali365 phishing service that bypasses M365 MFA.
How Did the Attackers Copy an Entire Mailbox?
They used a wrapper around Aspose, a legitimate commercial .NET library that can parse Outlook data files, to convert the executive's local OST mailbox file into portable PST archives. The stealer ran from scheduled tasks with a command that specified the Outlook profile, an output directory, and a date range, so each run produced a tidy archive covering just the weeks since the previous theft. Symantec counted eight incremental extraction runs after the initial full pull, the last completed on February 17, 2026.
The supporting cast was equally pragmatic. The attacker deployed publicly available utilities including SharpDecryptPwd and Secretsdump for credential theft, a UAC bypass tool, and the FRPC proxy. Persistence came from scheduled tasks registered under names like \Microsoft\Windows\Lenovo\CheckServerHealth, with execution intervals rotating between 5 hours, 15 hours, and 24 hours, re-registered every few weeks. Binaries hid in plausible folders such as the Adobe ARM directory and a OneDrive setup path, under names like armsvc.exe and oneservice.exe.
Why Did Nobody Notice for Five Months?
Because nothing in the traffic looked wrong. Dropbox and OneDrive are everywhere in corporate environments, so archives flowing to them blended into the daily noise. The operator went one step further with OneDrive, connecting to hardcoded Microsoft IP addresses (13.107.137.11 and 150.171.41.11) instead of the onedrive.live.com hostname, which meant no DNS query was ever logged for the exfiltration channel.
Every component was chosen to be boring. A commercial document library instead of custom malware. Scheduled tasks named after Adobe, Lenovo, and OneDrive instead of obvious implants. Small, periodic transfers instead of one giant upload that would trip volume alarms. As Symantec noted, the use of public tools and cloud infrastructure means the attackers left very few clues to their identity, and the campaign cannot currently be attributed to any known group.
Why Is One Inbox Worth Five Months of Effort?
Because an executive's mailbox is a live intelligence feed. As Symantec put it, "for an espionage actor, a senior executive's mailbox is a high-value intelligence target," exposing negotiations, internal deliberations, the executive's calendar, travel patterns, and contacts. At a stock exchange, that can extend to market-sensitive material: listings in progress, regulatory correspondence, and the institution's near-term direction.
A stolen mailbox is also ammunition. Every thread becomes a template for convincing follow-on phishing against the executive's contacts, and AI now writes the overwhelming majority of phishing emails, so turning real correspondence into flawless lures is cheap. And long before a foothold like this exists, attackers profile their targets through the inbox itself; we documented how tracking pixels are used for live inbox reconnaissance, confirming which addresses are active and watched before any payload is sent.
What Should You Do to Protect Your Inbox?
The uncomfortable lesson is that the most dangerous activity here looked like normal work. A few concrete steps make this playbook much harder to run against you or your organization:
- Audit connected apps and OAuth grants on your email and cloud accounts, and revoke anything you do not recognize. A single persistent Dropbox app token powered this entire campaign.
- Review the active sessions and sign-in activity on your mail account today, and sign out everything you cannot identify. Repeat monthly.
- Treat mailbox files as crown jewels: alert on bulk access to OST and PST files, and on any unexpected process touching Outlook data directories.
- Restrict or monitor consumer cloud storage from corporate endpoints, including direct connections to cloud provider IP addresses that skip DNS.
- Inspect scheduled tasks for impostors. Names invoking Adobe, Lenovo, or OneDrive deserve verification, not trust.
- Keep less in the mailbox. Archive or delete old threads with sensitive material; an attacker who steals your inbox tomorrow gets everything you never cleaned up.
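The DNS-less OneDrive connections described above, and the recommendation to watch for direct connections to cloud provider IP addresses, come down to one correlation: an endpoint talking to a storage IP that it never resolved by name. The following detection is an added example, not code from Symantec or the report; the two IP addresses are the ones named in the article, while the hostnames, the log format and the one-hour lookback window are assumptions, and both logs are constructed samples.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hardcoded OneDrive endpoints named in the report.
WATCHED_IPS = {"13.107.137.11", "150.171.41.11"}

# Constructed sample logs. Assumed format: "<iso-timestamp> <host> key=value ...".
DNS_LOG = """\
2025-11-21T09:00:02 WS-HR02 qname=onedrive.live.com answer=150.171.41.11
2025-11-21T09:00:03 WS-EXEC01 qname=www.microsoft.com answer=20.70.246.20
"""
CONN_LOG = """\
2025-11-21T09:00:05 WS-HR02 dst=150.171.41.11 dport=443 bytes=2048
2025-12-05T03:00:00 WS-EXEC01 dst=13.107.137.11 dport=443 bytes=52428800
2026-01-04T02:00:00 WS-EXEC01 dst=13.107.137.11 dport=443 bytes=31457280
2026-01-04T02:05:00 WS-EXEC01 dst=40.126.0.1 dport=443 bytes=1024
"""


def parse(log):
    """Turn each log line into a dict with parsed timestamp and host."""
    rows = []
    for line in log.splitlines():
        ts, host, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.fromisoformat(ts)
        rec["host"] = host
        rows.append(rec)
    return rows


def dns_less_connections(dns_log, conn_log, window=timedelta(hours=1)):
    """Return (host, ip, timestamp) for every connection to a watched IP that
    the same host did not obtain from a DNS answer within `window` beforehand.
    A normal client resolves onedrive.live.com first; a hardcoded IP never does."""
    answers = defaultdict(list)  # (host, ip) -> times that DNS handed out ip
    for r in parse(dns_log):
        answers[(r["host"], r["answer"])].append(r["ts"])
    flagged = []
    for c in parse(conn_log):
        if c["dst"] not in WATCHED_IPS:
            continue
        seen = answers.get((c["host"], c["dst"]), [])
        if not any(c["ts"] - window <= t <= c["ts"] for t in seen):
            flagged.append((c["host"], c["dst"], c["ts"].isoformat()))
    return flagged


if __name__ == "__main__":
    for host, ip, when in dns_less_connections(DNS_LOG, CONN_LOG):
        print(f"{when} {host} -> {ip}: no prior DNS resolution, review")
```

The same join works against real DNS and firewall or NetFlow exports once the parser matches their field names; the window should be at least as long as the client's DNS cache TTL to avoid false positives.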
None of these steps require new products, just the assumption this incident proves: if your email is valuable to you, it is valuable to someone else, and they are willing to wait months to read it.
Sources: Symantec Threat Hunter Team, Dark Reading, SecurityWeek, and Security Affairs.