

Ethical Hacking News

Cyber Espionage Operation Targets Stock Exchange Executive's Outlook Account: A Highly Targeted Intelligence Gathering Campaign



A sophisticated cyber espionage operation targeted the Outlook account of a senior executive at a major global stock exchange, exfiltrating sensitive information over five months. The attackers used legitimate and malicious tools to gain access to the account and avoid detection. This incident highlights the importance of secure email management practices and the need for organizations to maintain strict control over their employee accounts.

  • The Outlook account of a senior executive at a major global stock exchange was targeted by a highly sophisticated cyber espionage operation.
  • The attackers spent five months stealing emails, exfiltrating sensitive information on negotiations, internal discussions, calendars, contacts, travel plans, and potentially market-moving events.
  • The attackers used legitimate and malicious tools to gain access to the executive's account, disguising themselves as Adobe Acrobat and OneDrive processes.
  • The attacker used a wrapper around Aspose to convert the executive's OST file into a PST archive, exfiltrating sensitive information without arousing suspicion.
  • The attackers' use of cloud infrastructure, such as Dropbox and OneDrive Personal, allowed them to bypass DNS-based logging and minimize their footprint.
  • The incident highlights the importance of implementing robust email management practices, including regular monitoring and analysis of employee accounts.



    In a recent incident that has garnered significant attention from the cybersecurity community, a highly sophisticated cyber espionage operation targeted the Outlook account of a senior executive at a major global stock exchange. The attackers spent five months silently stealing emails from the executive's account, exfiltrating sensitive information on negotiations, internal discussions, calendars, contacts, travel plans, and potentially market-moving events.

    The operation was carried out by an attacker who sat inside the executive's Outlook account for roughly 150 days, from October 2025 to March 2026. The attackers' approach was highly targeted and disciplined, with a focus on extracting as much information as possible without raising suspicion or triggering alerts on the system. This tightly focused campaign highlights the importance of secure email management practices and the need for organizations to maintain strict control over their employee accounts.

    According to researchers from Symantec and Carbon Black, who investigated the incident, the attackers used a combination of legitimate and malicious tools to gain access to the executive's account. The operation began on October 10, 2025, by which point two malicious binaries were already running on the host with SYSTEM-level privileges, disguised as Adobe Acrobat and OneDrive processes. This initial foothold set the stage for the campaign, which turned active on November 12, when command-and-control channels came online and data started moving.

    The tool at the center of everything was a wrapper around Aspose, a legitimate commercial .NET library that can parse Outlook mailbox files. The attacker used it to convert the executive's OST file into a PST archive and push it out in dated chunks, each covering a window of a few weeks. This approach allowed the attackers to exfiltrate sensitive information without arousing suspicion, as the archives were small enough not to draw attention from security software.

    Over the course of five months, the attacker conducted eight further OST-extraction runs, with a gap of 2-4 weeks between runs. The cumulative effect was a complete, near-continuous theft of the user's Outlook mailbox, broken into incremental archives that were small enough to avoid detection. Exfiltration went through Dropbox and OneDrive Personal, services that appear in normal corporate traffic every day.
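
A hunt for the mailbox-extraction pattern described above, as an added example that is not from the article or the researchers it cites: flag OST reads and PST creations by any image other than the mail client, then measure the gap between runs. The event shape, host name, file paths and the `helper.exe` image are constructed for illustration and do not follow any real product schema.

```python
from datetime import datetime
from pathlib import PureWindowsPath

# Hypothetical allow-list of images expected to open Outlook data files.
MAIL_CLIENTS = {"outlook.exe"}
OST = r"C:\Users\exec\AppData\Local\Microsoft\Outlook\exec@example.com.ost"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
TOOL = r"C:\ProgramData\Vendor\helper.exe"  # hypothetical masquerading binary

# Constructed file events: (timestamp, host, image, operation, target file).
EVENTS = [
    ("2025-11-12T08:00:00", "EXEC-LT01", OUTLOOK, "read", OST),
    ("2025-11-12T02:10:00", "EXEC-LT01", TOOL, "read", OST),
    ("2025-11-12T02:14:00", "EXEC-LT01", TOOL, "create", r"C:\ProgramData\Vendor\a1.pst"),
    ("2025-12-03T02:11:00", "EXEC-LT01", TOOL, "read", OST),
    ("2025-12-03T02:13:00", "EXEC-LT01", TOOL, "create", r"C:\ProgramData\Vendor\a2.pst"),
    ("2025-12-22T02:09:00", "EXEC-LT01", TOOL, "read", OST),
    ("2025-12-22T02:12:00", "EXEC-LT01", TOOL, "create", r"C:\ProgramData\Vendor\a3.pst"),
]

def mailbox_extraction_runs(events, allowed=MAIL_CLIENTS):
    """Report, per (host, image), the days a non-mail-client touched OST/PST files."""
    days_seen = {}
    for ts, host, image, op, target in events:
        name = PureWindowsPath(image).name.lower()
        ext = PureWindowsPath(target).suffix.lower()
        touches = (op == "read" and ext == ".ost") or (op == "create" and ext == ".pst")
        if touches and name not in allowed:
            day = datetime.fromisoformat(ts).date()
            days_seen.setdefault((host, image), set()).add(day)
    report = {}
    for key, days in days_seen.items():
        ordered = sorted(days)
        gaps = [(b - a).days for a, b in zip(ordered, ordered[1:])]
        report[key] = {
            "runs": len(ordered),
            "gaps_days": gaps,
            # Matches the 2-4 week spacing the article describes between runs.
            "cadence_2_to_4_weeks": bool(gaps) and all(14 <= g <= 28 for g in gaps),
        }
    return report

if __name__ == "__main__":
    for (host, image), info in mailbox_extraction_runs(EVENTS).items():
        print(host, image, info)
```
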

    The attackers also hardcoded Microsoft IP addresses instead of hostnames for OneDrive calls, which neatly bypassed DNS-based logging. This level of technical sophistication underscores the attackers' focus on minimizing their footprint and avoiding detection. To achieve this, they re-registered scheduled tasks every few weeks under names mimicking Adobe, Lenovo, and OneDrive services. Each new registration overwrote the previous one, keeping the attacker's presence minimal.
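
One way to hunt for the hardcoded-IP technique described above, as an added example that is not from the article or the researchers it cites: correlate outbound flow records with DNS logs and count connections to external addresses that no recent lookup from the same host explains. The log shapes, host name, process names and documentation-range IP addresses are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample logs: hypothetical host/process names, documentation-range IPs.
DNS_LOG = [  # (timestamp, client host, queried name, answer IP)
    ("2025-11-12T09:00:01", "EXEC-LT01", "files.example.com", "203.0.113.10"),
]
FLOW_LOG = [  # (timestamp, client host, process, destination IP, destination port)
    ("2025-11-12T09:00:02", "EXEC-LT01", "browser.exe", "203.0.113.10", 443),
    ("2025-11-12T09:20:00", "EXEC-LT01", "browser.exe", "203.0.113.10", 443),
    ("2025-11-12T09:30:00", "EXEC-LT01", "updater.exe", "198.51.100.77", 443),
    ("2025-12-03T02:15:00", "EXEC-LT01", "updater.exe", "198.51.100.77", 443),
    ("2025-11-12T09:31:00", "EXEC-LT01", "agent.exe", "10.0.0.5", 443),
]
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def dnsless_connections(dns_log, flow_log, max_age=timedelta(hours=1)):
    """Count external flows per (host, process, IP) with no recent DNS answer for that IP."""
    answers = {}
    for ts, host, _name, ip in dns_log:
        answers.setdefault((host, ip), []).append(datetime.fromisoformat(ts))
    hits = Counter()
    for ts, host, proc, ip, _port in flow_log:
        if any(ip_address(ip) in net for net in INTERNAL):
            continue  # internal traffic is out of scope for this hunt
        when = datetime.fromisoformat(ts)
        seen = answers.get((host, ip), [])
        # A flow is explained only by a lookup that preceded it within max_age.
        if not any(timedelta(0) <= when - t <= max_age for t in seen):
            hits[(host, proc, ip)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (host, proc, ip), n in dnsless_connections(DNS_LOG, FLOW_LOG).items():
        print(f"{host} {proc} -> {ip}: {n} connection(s) with no matching DNS lookup")
```

Set `max_age` to match the resolver cache lifetime in the environment being examined, since a window that is too short will flag ordinary cached lookups.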

    The most concerning aspect of this operation is the potential impact it could have on organizations that rely heavily on trust in their employees' accounts. The attackers' ability to gain access to a senior executive's account raises serious questions about the security measures in place within these organizations. If an adversary can target and compromise a single employee account, the consequences could be severe.

    The incident highlights the importance of implementing robust email management practices, including regular monitoring and analysis of employee accounts. This includes using advanced threat detection tools to identify potential security incidents early on. Additionally, organizations should ensure that all employees understand the risks associated with email-based attacks and the need for strict password management.

    In conclusion, this highly targeted cyber espionage operation highlights the importance of secure email management practices and the need for organizations to maintain strict control over their employee accounts. The attackers' use of legitimate tools and cloud infrastructure underscores their focus on minimizing their footprint and avoiding detection. As such, it is essential for organizations to implement robust security measures to prevent similar incidents in the future.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Cyber-Espionage-Operation-Targets-Stock-Exchange-Executives-Outlook-Account-A-Highly-Targeted-Intelligence-Gathering-Campaign-ehn.shtml

  • https://securityaffairs.com/193086/intelligence/cyber-espionage-campaign-targeted-stock-exchange-executives-outlook-account.html

  • https://www.security.com/threat-intelligence/stock-exchange-espionage


  • Published: Wed Jun 3 13:34:14 2026 by llama3.2 3B Q4_K_M












