
Unauthorized Email Access Campaign Targets Global Stock Exchange Executive

Security researchers recently identified a prolonged unauthorized access campaign targeting a senior executive at a global stock exchange. By analyzing the threat actor's methodology, organizations can better understand how to protect their cloud environments and implement effective detection strategies.

Triage Security Media Team

An unidentified threat actor maintained unauthorized access to the mailbox of a senior executive at a global stock exchange for at least five months.

A recent security report from Symantec and Carbon Black details this prolonged access campaign. The findings show that a threat actor meticulously accessed a high-ranking finance executive's Microsoft Outlook mailbox, systematically transferring months' worth of emails.

Communications at this level typically contain sensitive organizational data, including contacts, calendar schedules, and specifics on business negotiations. Given the affected organization is a major financial exchange, this intelligence holds significant value for external organizations, investors, or state-sponsored groups.

The research team noted that exchanges and regulators frequently hold non-public information regarding listings, enforcement actions, and market-moving events. Extended access to this type of mailbox provides a comprehensive view of the executive's daily operations and the organization's strategic direction, without requiring further lateral movement across the network.

Methodology behind the unauthorized access

Security assessments often uncover unauthorized behaviors designed to avoid detection. By the time security teams identified the activity in this environment, the threat actor had already escalated to complete administrative privileges on the targeted endpoint.

The recorded activity began on October 10, 2025. Marc Elias, a threat intelligence analyst for the Symantec and Carbon Black Threat Hunter Team, stated that the first signs of activity observed on the machine likely stemmed from lateral movement originating from a previously compromised device. At this stage, the unauthorized party was operating two system-level implants. One was designed to resemble Adobe software, and the other mirrored OneDrive. To maintain persistence, the former ran as a scheduled task every five minutes.

On November 12, 2025, the threat actor established a command-and-control (C2) channel using Dropbox, formatting their data exfiltration to resemble standard network traffic. They created a new scheduled task for running batch files, disguised as a Lenovo system health check. This specific naming convention indicates a detailed understanding of the affected machine's baseline environment.
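The scheduled-task traits described above (an implant repeating every five minutes, a batch-file task hiding behind a vendor name) are things a defender can hunt for in a task inventory. The following is an added example, not code from the article or from the Symantec and Carbon Black report: it scores each task in a constructed inventory for a short repetition interval, a batch-file action, and a vendor-themed name whose executable lives in a user-writable staging directory. The task names, paths and the list of staging directories are assumptions made for illustration, not indicators from the campaign.

```python
"""Hunt a scheduled-task inventory for the traits the article describes:
very short repetition intervals, batch-file actions, and vendor-themed task
names whose executables sit in user-writable staging directories.

Added example; the task names and paths below are constructed for
illustration and are not indicators from the Symantec/Carbon Black report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Task:
    name: str                      # task path as shown by Task Scheduler
    action: str                    # command line the task executes
    interval_minutes: int | None   # repetition interval; None if not repeating
    author: str


# Assumption: directories a legitimate vendor installer does not use for its
# main binaries but that malware commonly stages in.
STAGING_DIR_PATTERNS = (
    r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\",
    r"^c:\\users\\public\\",
    r"^c:\\programdata\\",
    r"^c:\\windows\\temp\\",
)
VENDOR_WORDS = ("adobe", "onedrive", "lenovo")   # brands borrowed in the campaign
BATCH_EXTENSIONS = (".bat", ".cmd")
SHORT_INTERVAL_MINUTES = 5                        # the implant's observed cadence


def executable_path(action: str) -> str:
    """Return the lower-cased executable portion of a task's command line."""
    action = action.strip()
    if action.startswith('"'):
        end = action.find('"', 1)
        if end > 0:
            return action[1:end].lower()
    return action.split()[0].lower()


def task_findings(task: Task) -> list[str]:
    """Return the list of suspicious traits a single task exhibits."""
    findings = []
    exe = executable_path(task.action)
    if task.interval_minutes is not None and task.interval_minutes <= SHORT_INTERVAL_MINUTES:
        findings.append("short_interval")
    if exe.endswith(BATCH_EXTENSIONS):
        findings.append("batch_action")
    vendor_themed = any(word in task.name.lower() for word in VENDOR_WORDS)
    staged = any(re.match(p, exe) for p in STAGING_DIR_PATTERNS)
    if vendor_themed and staged:
        findings.append("vendor_name_staging_path")
    return findings


def hunt(tasks: list[Task]) -> dict[str, list[str]]:
    """Map each task name to its findings, omitting tasks with none."""
    return {t.name: f for t in tasks if (f := task_findings(t))}


# Constructed sample inventory: two benign vendor tasks and two that copy the
# campaign's pattern of short-interval or batch-file tasks hiding behind
# vendor names in staging directories.
SAMPLE_TASKS = [
    Task(r"\Adobe Updater Task",
         r'"C:\Program Files (x86)\Common Files\Adobe\AdobeUpdater.exe" -check',
         None, "Adobe Systems"),
    Task(r"\OneDrive Standalone Update Task",
         r"%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
         1440, "Microsoft Corporation"),
    Task(r"\AdobeUpdaterSvc",
         r'"C:\Users\Public\AdobeUpdaterSvc.exe"',
         5, "SYSTEM"),
    Task(r"\LenovoSystemHealthCheck",
         r"C:\Windows\Temp\lnvhc.bat /quiet",
         60, "SYSTEM"),
]

if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_TASKS).items():
        print(f"{name}: {', '.join(findings)}")
```

Each trait on its own is noisy (plenty of legitimate tasks repeat frequently, and some run batch files), so the value is in the combination: a vendor-branded name pointing at a binary in Public, ProgramData or a Temp directory is the pattern worth escalating, and the interval and batch-file flags add weight to it.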

Following this, they deployed a custom information-gathering tool. This tool was built using a legitimate .NET library from Aspose, a company providing APIs for creating, editing, and converting file formats. The threat actor used this standard utility to convert the executive's emails into local files before transferring them outward via Dropbox.

Evaluating the timeline and defensive measures

The initial exfiltration covered all emails between August and mid-November 2025. The unauthorized party then systematically extracted the inbox contents every two to four weeks until February 17, 2026. Data transfer ceased at that point, though the actors remained active in the environment for another month.

Elias stated that following the last exfiltration event, new backdoors were deployed, marking the final observed activity on March 19. The research team assumes the operators lost access to the device after this date, as no further unauthorized activity was detected.

While the threat actor operated with patience and clear methodology, defensive teams can implement specific measures to detect and disrupt similar activity. Elias outlined steps that highly targeted organizations can take to protect their environments.

Organizations can detect and prevent data transfers to cloud services by implementing a cloud access security broker (CASB) alongside data loss prevention (DLP) solutions. Furthermore, security teams can disrupt these sequences earlier by actively investigating and responding to alerts generated by their endpoint detection and response (EDR) platforms.
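A CASB or DLP product does the heavy lifting here, but the underlying check is simple enough to run against proxy logs directly: the campaign's cadence (a large transfer to Dropbox every few weeks from one host, against a background of small day-to-day traffic) shows up as per-host daily upload volume to cloud-storage domains that far exceeds that host's own baseline. The following is an added example, not code from the article or from either vendor; the log format, the cloud-storage domain list, the 10× ratio and the 10 MiB floor are assumptions chosen for illustration, and the log lines are constructed.

```python
"""Flag hosts whose daily upload volume to cloud-storage domains far exceeds
their own baseline, the pattern a periodic mailbox exfiltration produces.

Added example. The proxy log format, the domain list and the thresholds are
assumptions; the sample log lines are constructed, not real traffic.
"""
from __future__ import annotations

import re
import statistics
from collections import defaultdict

# Assumption: domains the organization treats as cloud storage. Subdomains match.
CLOUD_STORAGE_DOMAINS = ("dropbox.com", "dropboxapi.com")

# Assumed key=value proxy log layout: timestamp host user destination sent recv
LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) dst=(\S+) sent=(\d+) recv=(\d+)$")


def is_cloud_storage(dst: str) -> bool:
    return any(dst == d or dst.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def daily_uploads(lines: list[str]) -> dict[str, dict[str, int]]:
    """Sum bytes sent to cloud-storage domains per host per calendar day."""
    totals: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:                      # skip comments, blanks, foreign formats
            continue
        ts, host, _user, dst, sent, _recv = m.groups()
        if is_cloud_storage(dst):
            totals[host][ts[:10]] += int(sent)
    return totals


def upload_bursts(lines: list[str], ratio: float = 10.0,
                  floor_bytes: int = 10 * 1024 * 1024) -> list[tuple[str, str, int]]:
    """Return (host, day, bytes) for days exceeding max(ratio*median, floor).

    The per-host median keeps chatty-but-consistent hosts quiet; the floor
    stops a host with near-zero baseline from alerting on a trivial upload.
    """
    alerts = []
    for host, per_day in daily_uploads(lines).items():
        baseline = statistics.median(per_day.values())
        threshold = max(ratio * baseline, floor_bytes)
        for day, sent in per_day.items():
            if sent > threshold:
                alerts.append((host, day, sent))
    return sorted(alerts)


# Constructed sample: WS-EXEC01 shows small routine Dropbox traffic and two
# multi-megabyte bursts weeks apart; WS-FIN07 is a normal, modest uploader.
SAMPLE_LOG = [
    "# proxy restarted",
    "2025-11-10T09:12:01Z host=WS-EXEC01 user=exec dst=www.dropbox.com sent=1200 recv=45000",
    "2025-11-11T09:15:22Z host=WS-EXEC01 user=exec dst=www.dropbox.com sent=900 recv=52000",
    "2025-11-12T03:14:07Z host=WS-EXEC01 user=SYSTEM dst=content.dropboxapi.com sent=68157440 recv=2048",
    "2025-11-12T03:20:41Z host=WS-EXEC01 user=SYSTEM dst=content.dropboxapi.com sent=41943040 recv=2048",
    "2025-11-13T10:02:13Z host=WS-EXEC01 user=exec dst=www.dropbox.com sent=1500 recv=48000",
    "2025-11-30T02:58:33Z host=WS-EXEC01 user=SYSTEM dst=content.dropboxapi.com sent=31457280 recv=2048",
    "2025-11-12T11:00:00Z host=WS-FIN07 user=asmith dst=content.dropboxapi.com sent=5242880 recv=3000",
    "2025-11-12T12:30:00Z host=WS-FIN07 user=asmith dst=update.microsoft.com sent=800 recv=9000000",
]

if __name__ == "__main__":
    for host, day, sent in upload_bursts(SAMPLE_LOG):
        print(f"{host} {day}: {sent / 1048576:.1f} MiB sent to cloud storage")
```

In the sample the two early-morning bursts from WS-EXEC01 are flagged while WS-FIN07's single 5 MiB upload is not, because that host has no small-traffic baseline to contrast against. In production the same aggregation would run over a rolling window rather than a fixed list, and the time of day (here, well outside office hours) is a second signal worth carrying into the alert.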

About the author

Nate Nelson is a journalist and scriptwriter. In addition to contributing to Dark Reading, he writes for the cybersecurity podcast Darknet Diaries. He began his career ghostwriting op-eds for technology and finance executives before transitioning to journalism at Threatpost, where he covered cybersecurity news and trends. He also co-created the Malicious Life podcast. He holds degrees from New York University and Bard College.