
HACKERS monitored a senior executive’s Outlook mailbox at a major global stock exchange for five months, siphoning off internal communications and market‑sensitive data.
The intrusion began with malware masquerading as legitimate applications, which gave the attackers a foothold inside the executive’s environment. From there they used legitimate cloud services such as Dropbox and OneDrive to exfiltrate harvested email content without raising alarms. No public CVE identifiers have been linked to the initial infection vector.
Investigators from Broadcom’s Symantec and Carbon Black traced the activity back to October 2025, noting that the mailbox remained compromised until March 2026. The attackers collected details about ongoing negotiations, internal strategy discussions and upcoming market events, suggesting a focus on strategic intelligence rather than immediate financial gain.
The campaign bears hallmarks of state‑linked espionage, given its prolonged duration, the nature of the stolen information and the lack of a clear monetisation motive. Researchers warn that similar tactics could be replicated against other high‑value targets, especially where executives rely on cloud‑synced productivity tools.
Defenders should enforce multifactor authentication on executive and other privileged accounts and review app consent policies so that unauthorised applications cannot be granted access to mailbox data. MFA at sign‑in does not protect a mailbox that is being read from an already compromised endpoint, which is how this intrusion began, so it should be paired with endpoint detection and device‑compliance conditions on sign‑in. Monitoring for unusual authentication patterns, especially sign‑ins from unfamiliar locations or devices, can help catch early signs of compromise.
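One way to turn that monitoring point into a concrete check, as an added example that is not from the article or from the Symantec and Carbon Black research it cites: a small Python detector over an exported sign‑in log that learns each watched user's usual countries and devices from a baseline window and flags later sign‑ins from a new country, from an unknown device, or without MFA. The field names mirror an Entra ID sign‑in export but are an assumption, as are the constants and helper names; the sample events are constructed.

```python
"""Flag unusual sign-ins for watched accounts against a per-user baseline.

Records loosely follow the fields of an Entra ID sign-in log export
(userPrincipalName, createdDateTime, ipAddress, location.countryOrRegion,
deviceDetail.deviceId, authenticationRequirement). That layout and the helper
names are assumptions of this example; the events below are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime

# Assumption: everything before this date is the baseline. It must predate the
# suspected compromise, or the attacker's own sign-ins become "normal".
BASELINE_END = datetime(2025, 10, 1)
WATCHED_USERS = {"cfo@example.com"}  # assumption: executives / privileged users

MFA = "multiFactorAuthentication"
SFA = "singleFactorAuthentication"


def _event(user, when, ip, country, device, auth):
    return {"userPrincipalName": user, "createdDateTime": when, "ipAddress": ip,
            "location": {"countryOrRegion": country},
            "deviceDetail": {"deviceId": device},
            "authenticationRequirement": auth}


# Constructed sample: a baseline period followed by the events to evaluate.
SAMPLE_SIGNINS = [
    _event("cfo@example.com", "2025-09-20T08:02:11Z", "203.0.113.10", "GB", "dev-laptop-01", MFA),
    _event("cfo@example.com", "2025-09-24T17:45:02Z", "203.0.113.10", "GB", "dev-phone-01", MFA),
    _event("analyst@example.com", "2025-09-25T09:00:00Z", "203.0.113.22", "GB", "dev-laptop-44", MFA),
    _event("cfo@example.com", "2025-10-02T08:10:30Z", "203.0.113.10", "GB", "dev-laptop-01", MFA),
    _event("cfo@example.com", "2025-10-03T02:14:55Z", "198.51.100.7", "AU", "dev-unknown-77", SFA),
    _event("analyst@example.com", "2025-10-03T03:00:00Z", "198.51.100.7", "AU", "dev-laptop-44", MFA),
    _event("cfo@example.com", "2025-10-04T11:30:00Z", "203.0.113.10", "GB", "dev-phone-01", SFA),
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def build_baseline(events, baseline_end):
    """Countries and device IDs each user was seen from before baseline_end."""
    baseline = defaultdict(lambda: {"countries": set(), "devices": set()})
    for e in events:
        if parse_ts(e["createdDateTime"]) < baseline_end:
            b = baseline[e["userPrincipalName"]]
            b["countries"].add(e["location"]["countryOrRegion"])
            b["devices"].add(e["deviceDetail"]["deviceId"])
    return baseline


def find_anomalies(events, baseline_end=BASELINE_END, watched=WATCHED_USERS):
    """One finding per post-baseline sign-in of a watched user that comes from
    a country or device not in that user's baseline, or without MFA."""
    baseline = build_baseline(events, baseline_end)
    findings = []
    for e in sorted(events, key=lambda x: x["createdDateTime"]):
        if parse_ts(e["createdDateTime"]) < baseline_end or e["userPrincipalName"] not in watched:
            continue
        seen = baseline[e["userPrincipalName"]]  # empty sets if never seen before
        country = e["location"]["countryOrRegion"]
        device = e["deviceDetail"]["deviceId"]
        reasons = []
        if country not in seen["countries"]:
            reasons.append(f"new country {country}")
        if device not in seen["devices"]:
            reasons.append(f"new device {device}")
        if e["authenticationRequirement"] != MFA:
            reasons.append("no MFA")
        if reasons:
            findings.append({"user": e["userPrincipalName"], "time": e["createdDateTime"],
                             "ip": e["ipAddress"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(SAMPLE_SIGNINS):
        print(f"{f['time']} {f['user']} from {f['ip']}: {', '.join(f['reasons'])}")
```

The caveat that matters is the baseline window. In an intrusion that ran for five months, the attacker's sign‑ins would be part of any recent baseline, so BASELINE_END has to be set before the earliest suspected activity and the baseline rebuilt from archived logs rather than from the last few weeks.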
Security teams should audit mailbox forwarding rules, delegate permissions and connected third‑party applications regularly, removing any that are unnecessary or suspicious; inbox rules that forward mail externally or move it into folders the owner never opens are a common way of keeping a compromise unnoticed. Deploying email gateway controls that inspect attachments for malware, and limiting or monitoring uploads of corporate data to consumer‑grade cloud storage of the kind used here for exfiltration, can further reduce exposure. Signature matching alone will not catch malware posing as legitimate software, so gateway inspection should be backed by application control or sandbox detonation on the endpoint.
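The audit described above can be scripted over an export of the relevant objects. The following is an added example, not code from the article or the researchers it cites: it reads simplified records of inbox rules, mailbox forwarding settings, mailbox permissions and OAuth app grants (shaped after what Exchange Online's Get-InboxRule, Get-Mailbox and Get-MailboxPermission and Microsoft Graph's oauth2PermissionGrants return, with recipients reduced to plain SMTP addresses) and flags the patterns worth removing: forwards or redirects to outside domains, rules that delete mail or move it into folders nobody reads, delegates with FullAccess that are not on an approved list, and apps holding mail scopes. The record layout, the policy sets and the sample export are assumptions constructed for the example.

```python
"""Audit a mailbox export for the persistence paths an intruder leaves behind:
inbox rules that forward, redirect or hide mail, mailbox-level forwarding,
unapproved FullAccess delegates, and OAuth app grants carrying mail scopes.
Record layouts are simplified from Exchange Online / Graph output; the layout,
the policy sets and the data below are assumptions of this example.
"""
from __future__ import annotations

INTERNAL_DOMAINS = {"example.com"}          # assumption: the organisation's domains
APPROVED_DELEGATES = {"ea@example.com"}     # assumption: reviewed delegate list
# Folders the owner rarely opens; rules that move mail here keep it unseen.
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History",
                  "Junk Email", "Deleted Items", "Archive"}
# Permission names (prefixes) that grant access to mail content.
MAIL_SCOPE_PREFIXES = ("Mail.Read", "MailboxSettings", "full_access_as_app",
                       "IMAP.AccessAsUser.All", "POP.AccessAsUser.All",
                       "EWS.AccessAsUser.All")

# Constructed sample export. The "." rule is the classic silent-collection
# rule: nondescript name, keyword filter, external forward, move to an
# unwatched folder.
SAMPLE_EXPORT = {
    "InboxRules": [
        {"MailboxOwnerId": "cfo@example.com", "Name": "Board papers to assistant",
         "Enabled": True, "ForwardTo": ["ea@example.com"]},
        {"MailboxOwnerId": "cfo@example.com", "Name": ".", "Enabled": True,
         "ForwardAsAttachmentTo": ["archive.sync@example.net"],
         "SubjectContainsWords": ["merger", "listing"],
         "MarkAsRead": True, "MoveToFolder": "RSS Feeds"},
        {"MailboxOwnerId": "cfo@example.com", "Name": "Old vendor rule",
         "Enabled": False, "ForwardTo": ["vendor@example.net"]},
    ],
    "Mailboxes": [
        {"UserPrincipalName": "cfo@example.com",
         "ForwardingSmtpAddress": "smtp:cfo.backup@example.net",
         "DeliverToMailboxAndForward": True},
    ],
    "MailboxPermissions": [
        {"Identity": "cfo@example.com", "User": "NT AUTHORITY\\SELF",
         "AccessRights": ["FullAccess", "ReadPermission"]},
        {"Identity": "cfo@example.com", "User": "ea@example.com",
         "AccessRights": ["FullAccess"]},
        {"Identity": "cfo@example.com", "User": "svc-backup@example.com",
         "AccessRights": ["FullAccess"]},
    ],
    "OAuthGrants": [
        {"AppDisplayName": "Mail Sync Helper", "ConsentType": "Principal",
         "PrincipalId": "cfo@example.com",
         "Scope": "Mail.ReadWrite User.Read offline_access"},
        {"AppDisplayName": "Corporate SSO Portal", "ConsentType": "AllPrincipals",
         "PrincipalId": None, "Scope": "User.Read openid profile"},
    ],
}


def _external(addresses):
    """Addresses whose domain is not one of ours."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def audit_inbox_rules(rules):
    findings = []
    for r in rules:
        if not r.get("Enabled", True):
            continue
        targets = r.get("ForwardTo", []) + r.get("ForwardAsAttachmentTo", []) + r.get("RedirectTo", [])
        ext = _external(targets)
        if ext:
            findings.append((r["MailboxOwnerId"], r["Name"], "forwards to external " + ", ".join(ext)))
        if r.get("DeleteMessage") or r.get("MoveToFolder") in HIDING_FOLDERS:
            how = "deletes" if r.get("DeleteMessage") else "moves to " + r["MoveToFolder"]
            words = r.get("SubjectContainsWords") or r.get("BodyContainsWords") or ["<all mail>"]
            findings.append((r["MailboxOwnerId"], r["Name"], f"hides mail ({how}) matching {' '.join(words)}"))
    return findings


def audit_mailbox_forwarding(mailboxes):
    findings = []
    for m in mailboxes:
        addr = (m.get("ForwardingSmtpAddress") or "").split(":")[-1]
        if addr and _external([addr]):
            findings.append((m["UserPrincipalName"], "ForwardingSmtpAddress", "mailbox forwards to external " + addr))
    return findings


def audit_delegates(permissions):
    findings = []
    for p in permissions:
        user = p["User"]
        if user.upper().endswith("\\SELF") or user in APPROVED_DELEGATES:
            continue
        if "FullAccess" in p["AccessRights"]:
            findings.append((p["Identity"], user, "unapproved FullAccess delegate"))
    return findings


def audit_app_grants(grants):
    findings = []
    for g in grants:
        risky = [s for s in g["Scope"].split() if s.startswith(MAIL_SCOPE_PREFIXES)]
        if risky:
            who = g.get("PrincipalId") or "all users (admin consent)"
            findings.append((who, g["AppDisplayName"], "app holds " + " ".join(risky)))
    return findings


def run_audit(export):
    """All findings as (mailbox or principal, object name, reason) tuples."""
    return (audit_inbox_rules(export["InboxRules"])
            + audit_mailbox_forwarding(export["Mailboxes"])
            + audit_delegates(export["MailboxPermissions"])
            + audit_app_grants(export["OAuthGrants"]))


if __name__ == "__main__":
    for owner, name, reason in run_audit(SAMPLE_EXPORT):
        print(f"{owner}: {name!r}: {reason}")
```

In practice the export would be produced by the cmdlets named above and fed in as JSON. The keyword filter on the flagged rule is the detail to read closely: a rule that quietly collects only mail about a merger or a listing fits an intruder interested in negotiations and market events, which is exactly what the attackers in this case were after.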
Maintaining an up‑to‑date incident response plan that includes specific scenarios for executive account compromise supports swift containment and investigation. Sharing indicators of compromise with trusted information‑sharing organisations helps the broader community defend against comparable espionage efforts.