
Stock Exchange Executive's Inbox Spied on for Five Months

Published on June 4, 2026

Attackers spent five months inside the Outlook mailbox of a senior executive at a major global stock exchange, reading and copying emails without triggering a single alert. The operation is a textbook case of corporate email espionage: patient, quiet, and designed from the start to look like normal network traffic. No vulnerability was exploited. No alarm went off. The intruders simply stayed until something finally forced them out.

The exchange was not named. Neither was the executive. What researchers documented is the method, and that method deserves attention.

How the Attackers Got In and Stayed Hidden

The first signs of malicious activity appeared on October 10, 2025. By that point, the attackers had already achieved SYSTEM-level access on the machine (the highest privilege level available on Windows) with two processes running quietly in the background. One posed as an Adobe updater and the other impersonated OneDrive. How the attackers gained initial access remains unknown. Researchers assessed that the likely entry point was lateral movement from a previously compromised device elsewhere on the network.

The main exfiltration operation began on November 12. The attackers retrieved a Dropbox API token, set up data transfers using curl, and deployed the tool at the center of the campaign: a custom mailbox stealer built on Aspose, a legitimate .NET library used by developers to read Outlook OST and PST files. Wrapped in an executable, the tool converted the target mailbox to PST format and saved it to disk. Each run took a password argument and a date range flag, so the attackers could pull precise slices of the inbox without touching data they had already taken.

The first run captured everything from August 2025 onward. After that, the attackers returned every two to four weeks, pulling only the days since the previous run. Nine separate pulls ran through February 17, 2026, building a near-continuous copy of the mailbox across five months.

Staying Out of Sight

The exfiltration went through Dropbox and OneDrive Personal, two services that generate traffic indistinguishable from legitimate enterprise cloud use. For OneDrive transfers, the attackers connected directly to hard-coded Microsoft IP addresses rather than the onedrive.live.com hostname. That meant no DNS lookups, and nothing for a perimeter security tool to catch or block.

Scheduled tasks on the machine ran under names that mimicked Adobe, Lenovo, and OneDrive system services. The attackers briefly tested a public file hosting service in November, then abandoned it, likely deciding it drew more scrutiny than the cloud platforms they were already using.

The last observed activity came on March 19, 2026. Researchers found a new backdoor had been staged on the machine but never executed. That detail suggests the attackers may have lost access around that time, possibly because the intrusion was finally detected.

What the Attackers Were After

An exchange executive's inbox holds a specific and valuable category of information. Non-public listing decisions, enforcement matters, deal terms, market-moving plans, internal calendars, and contact networks all pass through that mailbox in the course of normal business. Five months of quiet access gave the attackers a detailed picture of where the organization was heading and who the executive was talking to, without requiring broad access to any other part of the network.

Researchers described the intent as intelligence collection, not financial theft. This was corporate email espionage in the clearest sense: sustained access to a high-value inbox, operated with enough patience and care to avoid detection for the better part of a year.

A Wider Toolkit

Beyond the mailbox stealer, researchers identified a broader set of tools connected to the intrusion. FRPC handled encrypted tunneling to route traffic out of the network. Secretsdump pulled Windows credentials. SharpDecryptPwd recovered saved application passwords. A separate utility bypassed Windows User Account Control. The report does not specify how each tool was used in this specific campaign, but their presence points to an attacker prepared for a wider operation if the opportunity presented itself.

Attribution remains open. The tooling consists entirely of legitimate software and publicly available offensive utilities, a deliberate choice that left no fingerprint pointing to a known group. Routing exfiltration through consumer cloud services is a recognized technique for blending outbound traffic and muddying attribution. No threat actor has been named, and that is unlikely to change without additional evidence from other sources.

No Patch Fixes This

There is no CVE attached to this incident. No vulnerability was disclosed and no software update will close the gap that was exploited here. The attackers got in through an unknown route, stayed by mimicking normal behavior, and left with data by using tools and services that any legitimate user might run.

That is the point. The defenses that matter in this kind of intrusion are behavioral: monitoring for unusual mailbox export activity, unexpected Outlook access patterns, uploads to personal Dropbox or OneDrive accounts from corporate machines, unexpected tunneling, and credential-dumping activity on systems used by privileged users. Indicators of compromise from the research have been published and should be actioned immediately by any organization operating in financial services, regulatory bodies, or any environment where access to non-public market information makes executives a target.
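Two of those behavioural checks, the no-DNS direct-to-IP connections described under "Staying Out of Sight" and the PST export by a non-Outlook process, written out as an added example that is not the researchers' detection logic. It runs over constructed Sysmon-style events for one host; the process names and the 203.0.113.0/24 addresses are placeholders, not indicators from the report.

```python
from datetime import datetime

# Constructed, simplified telemetry for one workstation (Sysmon-style: DNS
# answers, outbound connections, file creates). 203.0.113.0/24 is a
# documentation range used as a placeholder; none of these are real IOCs.
EVENTS = [
    {"ts": "2025-11-12T08:30:00", "kind": "file", "proc": "OUTLOOK.EXE",
     "path": r"C:\Users\exec\AppData\Local\Microsoft\Outlook\exec.ost"},
    {"ts": "2025-11-12T09:00:05", "kind": "dns", "proc": "OneDrive.exe",
     "name": "onedrive.live.com", "ip": "203.0.113.10"},
    {"ts": "2025-11-12T09:00:06", "kind": "net", "proc": "OneDrive.exe",
     "ip": "203.0.113.10", "port": 443},
    {"ts": "2025-11-12T23:10:00", "kind": "file", "proc": "adobeupd.exe",
     "path": r"C:\ProgramData\Adobe\mbx.pst"},
    {"ts": "2025-11-12T23:15:00", "kind": "net", "proc": "onedrv.exe",
     "ip": "203.0.113.77", "port": 443},
]

def _t(e):
    return datetime.fromisoformat(e["ts"])

def direct_ip_connections(events, window_s=300):
    """Outbound connections whose destination IP did not appear in any DNS
    answer on the host during the preceding window. A hard-coded cloud IP
    never generates a lookup, so such connections surface here."""
    answers = [(_t(e), e["ip"]) for e in events if e["kind"] == "dns"]
    hits = []
    for e in events:
        if e["kind"] != "net":
            continue
        t = _t(e)
        resolved = any(ip == e["ip"] and 0 <= (t - at).total_seconds() <= window_s
                       for at, ip in answers)
        if not resolved:
            hits.append(e)
    return hits

def mailbox_files_outside_outlook(events, allowed=("OUTLOOK.EXE",)):
    """File creates of .pst/.ost data by anything other than Outlook itself.
    A mailbox converted to PST by a stand-alone executable matches this."""
    return [e for e in events
            if e["kind"] == "file"
            and e["path"].lower().endswith((".pst", ".ost"))
            and e["proc"].upper() not in allowed]

if __name__ == "__main__":
    for e in direct_ip_connections(EVENTS):
        print(f"no DNS before connect: {e['proc']} -> {e['ip']}:{e['port']}")
    for e in mailbox_files_outside_outlook(EVENTS):
        print(f"mailbox file written by {e['proc']}: {e['path']}")
```

In production the DNS correlation should key on the host, not a single process, since the DNS client service often performs the lookup on behalf of the connecting program.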
