Stock Exchange Executive’s Outlook Account Targeted to Exfiltrate Credentials

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A senior executive at a major global stock exchange had their Microsoft Outlook account silently compromised for five straight months, with attackers carefully siphoning emails in small batches to avoid detection.

The intrusion ran from October 2025 through at least March 2026 and was built around a single goal: stealing the complete contents of one person’s mailbox without raising an alarm.

It is a stark reminder of just how much sensitive intelligence sits inside a single high-ranking inbox.

It can contain details of upcoming listings, enforcement actions, internal deliberations, calendar schedules, and market-moving events not yet made public.

Months of quiet, uninterrupted access to that kind of data gives an attacker a remarkable window into an organization’s near-term direction without ever touching any other system on the network.

Analysts from Symantec’s Threat Hunter Team, working alongside Carbon Black, identified the campaign and noted that the use of legitimate cloud infrastructure and publicly available tools made attribution to any known threat group impossible. 

Symantec said in a report shared with Cyber Security News (CSN) that the commands and objectives observed throughout the campaign are consistent with espionage as the primary motivation.

The operational discipline on display was considered notable enough to warrant a public disclosure, despite the team’s standard practice of not publishing on single-victim incidents.

What made this campaign especially difficult to catch was how the attackers blended seamlessly into normal traffic. They relied exclusively on cloud services that any legitimate user might interact with daily, hiding their activity inside the kind of network noise that rarely triggers security alerts.

Over five months, they rebuilt persistence on the victim machine multiple times, continuously adapting their techniques to keep access alive.

Stock Exchange Executive’s Outlook Account Targeted

The initial access method was never confirmed, but by October 2025 attackers had already installed two masquerading binaries on the victim’s machine, both running with SYSTEM-level privileges.

The first posed as an Adobe update service (armsvc.exe), while the second impersonated a Microsoft OneDrive component (oneservice.exe). Both ran automatically via scheduled tasks, giving attackers a reliable foothold before the main theft operation ever began.

The core tool was built around Aspose, a legitimate .NET library for reading Outlook data files. Attackers used it to convert the executive’s offline Outlook storage file into a portable format, then quietly moved the output off the machine.

The tool was deployed under three different temporary filenames (ts_9ea0.tmp, ts_e0d5.tmp, ts_e2d5.tmp), all sharing the same file hash.

Starting with emails dating back to August 2025, each extraction run picked up precisely where the last one left off, building a near-complete copy of the entire mailbox over time. (See Figure 1: Attack Chain)

Exfiltration via Legitimate Cloud Infrastructure

The stolen data was funneled out through Dropbox and OneDrive using standard command-line tools that would look entirely normal on most enterprise systems.

For Dropbox, the attackers reused the same application credentials across every session, rotating only the short-lived authorization tokens.

For OneDrive, they bypassed DNS-based filtering entirely by making requests directly to hard-coded Microsoft IP addresses, ensuring no suspicious domain lookups appeared in perimeter logs.

In late November 2025, the attackers briefly tested a third channel by uploading files to a public temporary file-hosting service called temp.sh, but abandoned it after just a few attempts.

The campaign continued evolving through March 2026, when a fresh DLL (te.host.dll) and a new masquerading binary (armdriver.exe) were deployed, confirming the attackers were still active and refining their methods until the very end.

Organizations should monitor carefully for unusual scheduled task creations that use legitimate vendor names as cover, and flag bulk file transfers originating from mail data directories.

Restricting outbound connections to cloud storage APIs and enabling behavioral alerts tied to Outlook storage file access can help surface these long-dwell espionage campaigns before significant damage is done.
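As an added example (not from the article or from Symantec's report), the two checks recommended above expressed as detection logic over constructed event records: scheduled-task creations whose action is a vendor-lookalike binary launched from outside a trusted directory, and processes other than Outlook reading the offline store. The record field names, the lookalike list and every sample path are assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# Directories where a genuine vendor service binary is expected to live.
TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")

# Vendor component names the article reports being imitated (hypothetical short list).
VENDOR_LOOKALIKES = {"armsvc.exe": "Adobe ARM", "armdriver.exe": "Adobe ARM",
                     "oneservice.exe": "OneDrive", "onedrivesync.exe": "OneDrive"}

OST_PATH = re.compile(r"\\appdata\\local\\microsoft\\outlook\\[^\\]+\.ost$", re.I)
ALLOWED_OST_READERS = {"outlook.exe"}  # only Outlook should normally open the .ost

def is_trusted_dir(path: str) -> bool:
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)

def suspicious_scheduled_tasks(events):
    """Flag task creations (fields loosely modelled on Security event 4698) whose
    action is a vendor-lookalike name launched from outside a trusted directory."""
    hits = []
    for ev in events:
        cmd = PureWindowsPath(ev["command"])
        vendor = VENDOR_LOOKALIKES.get(cmd.name.lower())
        if vendor and not is_trusted_dir(ev["command"]):
            as_system = " as SYSTEM" if ev.get("user", "").upper().endswith("SYSTEM") else ""
            hits.append((ev["task"], f"{cmd.name} imitates {vendor} but runs from {cmd.parent}{as_system}"))
    return hits

def suspicious_ost_readers(file_events):
    """Flag any process other than Outlook that opened the user's .ost file."""
    return [(ev["process"], ev["path"]) for ev in file_events
            if OST_PATH.search(ev["path"])
            and PureWindowsPath(ev["process"]).name.lower() not in ALLOWED_OST_READERS]

# Constructed sample records, not real telemetry from the incident.
TASK_EVENTS = [
    {"task": r"\Adobe Acrobat Update Task", "user": "SYSTEM",
     "command": r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"},
    {"task": r"\ARM Service", "user": "SYSTEM", "command": r"C:\ProgramData\Adobe\armsvc.exe"},
    {"task": r"\OneDrive Service", "user": "SYSTEM",
     "command": r"C:\Users\exec\AppData\Local\Temp\oneservice.exe"},
    {"task": r"\Nightly Backup", "user": "exec", "command": r"C:\Tools\backup.exe"},
]
FILE_EVENTS = [
    {"process": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "path": r"C:\Users\exec\AppData\Local\Microsoft\Outlook\exec@example.com.ost"},
    {"process": r"C:\Users\exec\AppData\Local\Temp\ts_9ea0.tmp",
     "path": r"C:\Users\exec\AppData\Local\Microsoft\Outlook\exec@example.com.ost"},
]
```

Running both functions over the sample records flags the two tasks launched from ProgramData and Temp and the one non-Outlook reader of the .ost file, while the genuine Adobe task and Outlook itself pass.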

Indicators of Compromise (IoCs):

