Attack on Global Exchange

Spies Infiltrate Executive’s Email at Global Stock Exchange


A major global stock exchange operator has fallen victim to a cyber-espionage campaign after attackers maintained covert access to a senior executive’s email account for five months.

The incident was investigated by the joint threat intelligence team of Symantec and Carbon Black, both subsidiaries of Broadcom. According to the researchers, the intrusion began in October 2025, with the threat actor retaining access to the compromised Outlook mailbox until March 2026.


Security analysts estimate the attackers remained inside the environment for approximately 150 days. Based on the evidence gathered, the primary objective of the operation appears to have been cyber espionage. The report does not disclose the identity of the targeted exchange or attribute the attack to a specific threat group, as the tools and techniques used did not provide sufficient indicators for a definitive attribution.

“From the perspective of a threat actor engaged in espionage, an executive’s mailbox is a high-value intelligence target. An Outlook profile can contain details about external negotiations, internal discussions, the executive’s calendar, travel patterns, and their contacts. Organizations such as stock exchanges and regulators may hold non-public information about listings, enforcement actions, and market-moving events. Months of unrestricted access to this mailbox allow an attacker to build an almost complete picture of the target’s professional life and the organization’s near-term direction, without ever needing to move laterally elsewhere within the network.”

IT forensics researchers at Symantec and Carbon Black


Stealthy Data Exfiltration Through Legitimate Cloud Services

The initial access vector remains under investigation. Researchers first detected signs of malicious activity on the affected host on October 10, 2025. By that point, malware disguised as legitimate Adobe and OneDrive applications was already running on the system. The attackers established their command-and-control (C2) infrastructure on November 12, 2025. From then on, they began systematically collecting and exfiltrating data from the compromised environment.

To avoid detection by security tools, the threat actors leveraged trusted consumer cloud services, including Dropbox and OneDrive, as channels for data exfiltration. Information was transferred exclusively in very small data chunks.

Explaining the tactic, the investigators noted:

“The cumulative effect over the five months observed is the complete, near-continuous theft of the user’s Outlook mailbox, split into incremental archives small enough to avoid attracting the attention of security software.”
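The detection gap the investigators describe is that no single chunk is remarkable; only the running total per host and destination, accumulated over days, gives the activity away. The script below is an added example of that aggregation over proxy logs, not code from the Symantec/Carbon Black report: the log line format (timestamp, client, method, host, bytes out), the hostnames in CLOUD_UPLOAD_HOSTS, the thresholds and the sample log lines are all constructed for the demo.

```python
"""Flag low-and-slow uploads to consumer cloud storage in proxy logs.

Added example, not code from the Symantec/Carbon Black report. The log
format (timestamp client method host bytes_out), the watched hostnames,
the thresholds and the sample lines are all constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical upload endpoints of the consumer services named in the report.
CLOUD_UPLOAD_HOSTS = {"content.dropboxapi.com", "storage.live.com",
                      "my.microsoftpersonalcontent.com"}

SMALL_UPLOAD_BYTES = 256 * 1024   # a chunk this size rarely trips per-event DLP
MIN_CHUNKS = 6                    # how many chunks before we bother an analyst
MIN_TOTAL_BYTES = 1024 * 1024     # cumulative volume worth a ticket
MIN_SPAN_HOURS = 24.0             # spread over days = automated, not a human

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

# Constructed sample: one host drip-feeding ~200 KiB twice a day, one host
# doing a single large upload, one user with two occasional small uploads.
SAMPLE_LOG = """\
2025-11-13T08:02:11 10.20.5.17 POST content.dropboxapi.com 203000
2025-11-13T09:00:00 10.20.5.42 POST content.dropboxapi.com 120000
2025-11-13T14:31:05 10.20.5.17 POST content.dropboxapi.com 198500
2025-11-14T07:58:49 10.20.5.17 POST content.dropboxapi.com 210240
2025-11-14T10:00:00 10.20.5.30 PUT storage.live.com 5242880
2025-11-14T19:12:30 10.20.5.17 POST content.dropboxapi.com 201100
2025-11-15T08:05:02 10.20.5.17 POST content.dropboxapi.com 205000
2025-11-15T09:00:00 10.20.5.42 POST content.dropboxapi.com 130000
2025-11-15T12:00:00 10.20.5.17 GET content.dropboxapi.com 1200
2025-11-15T20:40:17 10.20.5.17 POST content.dropboxapi.com 199800
2025-11-16T08:01:55 10.20.5.17 POST content.dropboxapi.com 204400
2025-11-16T21:15:09 10.20.5.17 POST content.dropboxapi.com 206000
"""


def parse_proxy_log(text):
    """Return a list of (timestamp, client, method, host, bytes_out) tuples."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # a malformed line should not abort the whole hunt
        ts, client, method, host, nbytes = m.groups()
        events.append((datetime.fromisoformat(ts), client, method, host, int(nbytes)))
    return events


def find_low_and_slow(events):
    """Aggregate small uploads per (client, host); alert on volume over time.

    Each chunk stays under SMALL_UPLOAD_BYTES, so a per-event rule never
    fires; the signal is many chunks, a large sum, and a span of days.
    """
    chunks = defaultdict(list)
    for ts, client, method, host, nbytes in events:
        if (host in CLOUD_UPLOAD_HOSTS and method in ("POST", "PUT")
                and nbytes < SMALL_UPLOAD_BYTES):
            chunks[(client, host)].append((ts, nbytes))
    findings = []
    for (client, host), ups in sorted(chunks.items()):
        ups.sort()
        total = sum(n for _, n in ups)
        span_h = (ups[-1][0] - ups[0][0]).total_seconds() / 3600
        if (len(ups) >= MIN_CHUNKS and total >= MIN_TOTAL_BYTES
                and span_h >= MIN_SPAN_HOURS):
            findings.append({"client": client, "host": host, "chunks": len(ups),
                             "total_bytes": total, "span_hours": round(span_h, 1)})
    return findings


if __name__ == "__main__":
    for finding in find_low_and_slow(parse_proxy_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample only 10.20.5.17 is reported: eight uploads of roughly 200 KiB to Dropbox over about 85 hours, 1.6 MiB in total. The single 5 MiB upload from 10.20.5.30 is deliberately ignored here because a per-event size rule already covers it, and the two occasional uploads from 10.20.5.42 fall below MIN_CHUNKS. In production the window would be a rolling one over weeks rather than a single file, and the host list would come from the services your users are actually permitted to use.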

Persistence Maintained Through Fake System Services

In addition to stealing data, the attackers focused heavily on maintaining long-term access to the compromised network. They repeatedly re-created automated scheduled tasks designed to preserve persistence on the infected system. These tasks were disguised as legitimate services associated with Adobe, Lenovo, and OneDrive, helping them blend into the environment and avoid raising suspicion during routine administrative reviews.

The last documented activity occurred on March 19, 2026, when the attackers deployed additional backdoors on the compromised device. Shortly afterward, data transfers ceased, leading analysts to believe the operators likely lost access to the system at that point. To help organizations and financial institutions defend against similar attacks, Symantec and Carbon Black have publicly released the relevant indicators of compromise (IoCs).

(ll)
