Hackers Spied on a Stock Exchange Executive's Outlook Mailbox for Five Months

The Hacker News, Jun 4, 2026

Why It Matters

Access to an exchange executive’s mailbox reveals non‑public listings, enforcement actions, and market‑moving strategies, giving adversaries a strategic intelligence edge. The incident highlights that sophisticated espionage can bypass traditional patch‑based defenses, forcing firms to prioritize behavioral monitoring and cloud‑exfiltration controls.

Key Takeaways

  • Attackers exfiltrated the executive's Outlook mailbox via Dropbox and OneDrive over five months
  • The malware used the legitimate Aspose .NET library to read PST/OST files
  • Lateral movement started Oct 10, 2025; last observed activity March 19, 2026
  • No CVE involved; attackers relied on stealth and credential‑dumping tools
  • Detection requires monitoring Outlook exports, cloud uploads, and unusual system tasks

Pulse Analysis

The breach underscores a growing trend where threat actors target high‑value individuals rather than whole networks. By hijacking a senior exchange executive’s mailbox, the attackers harvested confidential deal terms, regulatory communications, and calendar data that could influence market dynamics. Using legitimate cloud services for exfiltration—Dropbox and OneDrive—allowed the data flow to blend with normal traffic, evading perimeter defenses that rely on known malicious domains or signatures.

Technical analysis reveals a multi‑stage operation. The initial foothold was achieved via an unknown vector, followed by lateral movement that installed two SYSTEM‑level binaries masquerading as Adobe and OneDrive updaters. The core data‑stealer leveraged Aspose, a trusted .NET component, to convert Outlook OST/PST files into exportable archives. Periodic runs every two to four weeks kept each batch small, reducing the likelihood of detection. Supporting tools such as FRPC for tunneling, Secretsdump for credential harvesting, and SharpDecryptPwd for password recovery indicate a broader intrusion kit designed for long‑term espionage.

For security leaders in finance and regulated sectors, the incident is a reminder that traditional vulnerability management is insufficient against stealthy, credential‑based attacks. Continuous monitoring for anomalous mailbox export activity, unexpected cloud uploads, and the creation of scheduled tasks that mimic legitimate services is essential. Organizations should also enforce strict cloud‑access policies, employ data‑loss‑prevention solutions that flag large Outlook exports, and regularly audit privileged accounts for signs of credential dumping. Proactive threat hunting, informed by the indicators shared by Symantec, can help detect similar campaigns before sensitive market information is compromised.
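The three detection ideas above (vendor‑lookalike SYSTEM tasks, Outlook data stores opened by something other than Outlook, and uploads to consumer cloud storage from non‑browser processes) are concrete enough to hunt for. The script below is an added example, not code from The Hacker News, Symantec, or the campaign analysis it summarizes. Its event shapes imitate Sysmon‑style endpoint telemetry, and the directory, domain and DLL‑name heuristics, the allowlists, and every sample event are constructed assumptions for illustration, not indicators from the incident. It also goes one step beyond the paragraph by correlating hits per host, since the chain of staged task, mailbox read and cloud upload is more telling than any single alert.

```python
"""Hunt for the behaviours described in the article over constructed telemetry.

Added example, not code from The Hacker News or Symantec. Event shapes imitate
Sysmon-style records (task, image-load, file and network events) but are an
assumption of this example, as are all heuristics and allowlists below.
"""
from __future__ import annotations

from collections import defaultdict

# Only Outlook itself is expected to open Outlook data stores (assumption).
OUTLOOK_OWNERS = {"outlook.exe"}
# Line-of-business apps known to embed Aspose; empty here (assumption: tune per estate).
ASPOSE_USERS: set[str] = set()
# Processes that legitimately talk to Dropbox/OneDrive (assumption: tune per estate).
CLOUD_CLIENTS = {"onedrive.exe", "dropbox.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
# Illustrative hosts for the two services the article names; not a complete list.
CLOUD_DOMAINS = ("dropbox.com", "dropboxapi.com", "onedrive.live.com", "1drv.com")
# Brands the article says the SYSTEM binaries imitated.
IMPERSONATED_VENDORS = ("adobe", "onedrive")
# Writable or staging directories a genuine vendor updater would not run from (assumption).
WRITABLE_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "\\temp\\", "c:\\windows\\tasks\\")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_domain(host: str, domain: str) -> bool:
    """True when host is domain or a subdomain of it (no substring matches)."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def rule_masquerading_system_task(ev: dict) -> str | None:
    """Task run as SYSTEM, named after a vendor updater, but launching from a writable directory."""
    if ev["type"] != "task_created" or ev["run_as"].upper() != "SYSTEM":
        return None
    label = (ev["task_name"] + " " + basename(ev["image"])).lower()
    if any(v in label for v in IMPERSONATED_VENDORS) and any(d in ev["image"].lower() for d in WRITABLE_DIRS):
        return f"SYSTEM task {ev['task_name']!r} runs {ev['image']} from a writable directory"
    return None


def rule_outlook_store_access(ev: dict) -> str | None:
    """A .pst/.ost touched by something other than Outlook, or an Aspose DLL loaded by an unexpected process."""
    proc = basename(ev["image"])
    if ev["type"] == "file_access" and ev["target"].lower().endswith((".pst", ".ost")) and proc not in OUTLOOK_OWNERS:
        return f"{proc} accessed Outlook store {ev['target']}"
    if ev["type"] == "image_loaded" and basename(ev["loaded"]).startswith("aspose.") and proc not in ASPOSE_USERS:
        return f"{proc} loaded {basename(ev['loaded'])}"
    return None


def rule_cloud_egress(ev: dict) -> str | None:
    """Connection to a consumer cloud-storage host from a process that is neither a browser nor a sync client."""
    if ev["type"] != "network_connect":
        return None
    proc = basename(ev["image"])
    if any(in_domain(ev["dest_host"], d) for d in CLOUD_DOMAINS) and proc not in CLOUD_CLIENTS:
        return f"{proc} connected to {ev['dest_host']} ({ev.get('bytes_out', 0)} bytes out)"
    return None


RULES = (rule_masquerading_system_task, rule_outlook_store_access, rule_cloud_egress)


def hunt(events: list[dict]) -> list[dict]:
    """Run every rule over every event; one alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append({"ts": ev["ts"], "host": ev["host"], "rule": rule.__name__, "detail": detail})
    return alerts


def escalate(alerts: list[dict]) -> dict[str, list[str]]:
    """Hosts where at least two different rules fired: the staged-task -> mailbox-read -> upload chain."""
    by_host: dict[str, set[str]] = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].add(a["rule"])
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= 2}


# Constructed sample telemetry for one executive workstation and one unrelated host.
# Names and paths are invented for the example and are not indicators from the campaign.
SAMPLE_EVENTS = [
    {"ts": "2025-10-10T02:14:00Z", "host": "WS-EXEC-01", "type": "task_created", "task_name": "AdobeUpdateService",
     "run_as": "SYSTEM", "image": "C:\\ProgramData\\Adobe\\AdobeUpdater.exe"},
    {"ts": "2025-10-10T02:14:05Z", "host": "WS-EXEC-01", "type": "task_created", "task_name": "OneDrive Update Task",
     "run_as": "SYSTEM", "image": "C:\\Program Files\\Microsoft OneDrive\\OneDriveUpdater.exe"},
    {"ts": "2025-10-24T03:00:10Z", "host": "WS-EXEC-01", "type": "image_loaded",
     "image": "C:\\ProgramData\\Adobe\\AdobeUpdater.exe", "loaded": "C:\\ProgramData\\Adobe\\Aspose.Email.dll"},
    {"ts": "2025-10-24T03:00:12Z", "host": "WS-EXEC-01", "type": "file_access",
     "image": "C:\\ProgramData\\Adobe\\AdobeUpdater.exe",
     "target": "C:\\Users\\exec\\AppData\\Local\\Microsoft\\Outlook\\exec@example.com.ost"},
    {"ts": "2025-10-24T03:02:40Z", "host": "WS-EXEC-01", "type": "network_connect",
     "image": "C:\\ProgramData\\Adobe\\AdobeUpdater.exe", "dest_host": "content.dropboxapi.com", "bytes_out": 48_300_000},
    {"ts": "2025-10-24T09:15:00Z", "host": "WS-EXEC-01", "type": "file_access",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "target": "C:\\Users\\exec\\AppData\\Local\\Microsoft\\Outlook\\exec@example.com.ost"},
    {"ts": "2025-10-24T09:16:00Z", "host": "WS-FIN-07", "type": "network_connect",
     "image": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe", "dest_host": "onedrive.live.com", "bytes_out": 2_000_000},
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['ts']}] {a['host']} {a['rule']}: {a['detail']}")
    print("escalate:", escalate(found))
```

On the sample data the benign OneDrive task (real vendor directory), Outlook's own store access and the sync client's upload on WS-FIN-07 stay silent, while the four events on WS-EXEC-01 trip all three rules and the host is escalated. In practice the allowlists and directory list are where the tuning effort goes; the per-host correlation is what keeps the "small batch every few weeks" cadence the article describes from hiding in single-alert noise.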
