Cyber Espionage Campaign Targeted Stock Exchange Executive’s Outlook Account for Over Five Months


302/69 Friday, June 5, 2026

Researchers from the Threat Hunting teams at Broadcom Symantec and Carbon Black have uncovered a cyber espionage campaign targeting the Outlook account of a senior executive at a major global stock exchange. The attackers maintained access to the compromised mailbox for approximately 150 days, from October 2025 to March 2026. The researchers did not disclose the identity of the affected stock exchange and have not attributed the activity to any specific threat actor. However, the nature of the operation suggests a highly targeted espionage campaign rather than a financially motivated attack.

Analysis showed that the attackers focused on continuously collecting intelligence from the executive’s mailbox. Access to a senior executive’s Outlook account could expose highly sensitive information, including business negotiations, internal discussions, meeting schedules, contact lists, travel plans, and potentially market-moving information. Researchers emphasized that compromising a single executive mailbox can provide attackers with a detailed understanding of an organization’s activities without requiring lateral movement across the network. Suspicious activity was first observed on October 10, 2025, when two malicious files running with SYSTEM privileges were detected masquerading as legitimate processes associated with Adobe Acrobat and OneDrive.

The operation became more active on November 12, 2025, when command-and-control (C2) communications were established and data exfiltration began. The attackers leveraged a commercial .NET library wrapper known as Aspose to access Outlook mailbox data, converting the executive’s OST files into PST format before exfiltrating the data in small batches through Dropbox and personal OneDrive accounts to minimize detection. The threat actors also maintained persistence through Scheduled Tasks disguised as legitimate services associated with Adobe, Lenovo, and OneDrive. Researchers assessed that the campaign demonstrated a high level of operational discipline and may be linked to a state-sponsored espionage operation. Indicators of Compromise (IoCs), including file hashes associated with the attack, have been released to assist organizations, particularly financial institutions, regulatory bodies, and organizations handling market-sensitive information, in detecting related activity and strengthening their monitoring efforts.
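The persistence technique described above can be hunted for by comparing each scheduled task's vendor-looking name against where its binary actually lives. The following is an added example, not code from the researchers; the install roots, task records, and file names in it are constructed assumptions to be replaced with your own baseline and task export.

```python
import re
from pathlib import PureWindowsPath

# Assumed default install roots per vendor; tune to your own software baseline.
EXPECTED_ROOTS = {
    "adobe": [r"c:\program files\adobe", r"c:\program files (x86)\adobe",
              r"c:\program files\common files\adobe",
              r"c:\program files (x86)\common files\adobe"],
    "lenovo": [r"c:\program files\lenovo", r"c:\program files (x86)\lenovo"],
    "onedrive": [r"c:\program files\microsoft onedrive",
                 r"c:\program files (x86)\microsoft onedrive"],
}
# Per-user OneDrive installs live under the profile's AppData\Local.
PER_USER_ONEDRIVE = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\local\\microsoft\\onedrive\\")
SYSTEM_NAMES = ("SYSTEM", "NT AUTHORITY\\SYSTEM")

def exe_path(command):
    """Return the lower-cased executable path of a task action (quoted or not)."""
    m = re.match(r'\s*"([^"]+)"|\s*(.+?\.exe)\b', command, re.I)
    return ((m.group(1) or m.group(2)) if m else command.strip()).lower()

def hunt(tasks):
    """Flag tasks that look like a vendor's but run a binary outside its roots."""
    findings = []
    for t in tasks:
        path = exe_path(t["command"])
        label = (t["name"] + " " + PureWindowsPath(path).name).lower()
        for vendor, roots in EXPECTED_ROOTS.items():
            if vendor not in label:
                continue
            ok = any(path.startswith(r + "\\") for r in roots) or (
                vendor == "onedrive" and bool(PER_USER_ONEDRIVE.match(path)))
            if not ok:
                sev = "high" if t["run_as"].upper() in SYSTEM_NAMES else "medium"
                findings.append((t["name"], vendor, path, sev))
    return findings

# Constructed records, shaped like rows parsed from a scheduled-task export.
SAMPLE_TASKS = [
    {"name": "Adobe Acrobat Update Task", "run_as": "SYSTEM",
     "command": r'"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"'},
    {"name": "AdobeUpdateSvc", "run_as": "SYSTEM",
     "command": r'C:\ProgramData\Adobe\acrord.exe -s'},
    {"name": "OneDrive Standalone Update", "run_as": "alice",
     "command": r'C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'},
    {"name": "LenovoSystemHelper", "run_as": "NT AUTHORITY\\SYSTEM",
     "command": r'"C:\Users\Public\Libraries\lenovosvc.exe" /q'},
]
```

A path match alone does not clear a task; pair this check with signature verification of the binary and with the published file hashes.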

Source: https://securityaffairs.com/193086/intelligence/cyber-espionage-campaign-targeted-stock-exchange-executives-outlook-account.html