Espionage Campaign Targeted Stock Exchange Executive for Five Months

Description

Unknown attackers conducted a five-month espionage campaign against a senior executive at a major global stock exchange, systematically stealing the victim's Outlook mailbox in incremental batches. The attackers demonstrated sophisticated operational discipline by using legitimate cloud services like Dropbox and OneDrive Personal for exfiltration and command-and-control infrastructure. They employed an Aspose-based mailbox stealer to extract OST files in date-range windows, beginning with historical emails from August 2025 and continuing with regular two-to-four-week intervals through February 2026. The intrusion maintained persistence through masquerading binaries and scheduled tasks themed around legitimate Adobe and Lenovo services. By extracting mailbox data incrementally and routing traffic through trusted cloud platforms, the attackers avoided detection while building a comprehensive intelligence picture of the executive's communications and organizational activities.