Attackers maintained persistent access to the email account of a senior executive at a major global stock exchange for at least five months, according to findings from Symantec and Carbon Black's Threat Hunter Team. The threat actors methodically copied the executive's Outlook inbox in small batches and exfiltrated the data through Dropbox and OneDrive, leveraging legitimate cloud services to evade detection.

The use of incremental data transfers through consumer cloud platforms demonstrates operational discipline. By fragmenting the theft and routing traffic through commonly trusted services, the attackers avoided triggering volume-based alerts that typically flag data exfiltration. This approach allowed malicious activity to blend seamlessly with standard business cloud usage patterns.

Symantec and Carbon Black characterize the intrusion as a targeted espionage operation rather than financially motivated cybercrime. Stock exchange executives possess access to sensitive market intelligence, trading information, and strategic communications that hold substantial value for competitors, state-sponsored actors, or other threat groups seeking market advantage. The methodical nature of the campaign—maintaining access for months while carefully harvesting communications—aligns with intelligence gathering objectives rather than opportunistic theft or ransomware deployment.

The incident underscores persistent risks facing high-value targets in the financial sector. Attackers frequently prioritize executive email accounts as collection points because they concentrate sensitive communications, deal information, and strategic discussions in a single target. The five-month dwell time reflects a breach detection gap that likely allowed attackers to systematically extract substantial volumes of correspondence before security teams identified the compromise.

Organizations should implement enhanced monitoring for executive email accounts, including anomalous login patterns, unusual data access volumes, and forwarding rule creation. Cloud service integrations warrant particular scrutiny since threat actors routinely abuse legitimate connectors to move stolen data. Email authentication protocols like DMARC and DKIM reduce the attack surface but do not prevent account
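The low-and-slow pattern described earlier (small uploads to Dropbox and OneDrive that individually stay under a volume threshold) and the monitoring recommendations in this paragraph (anomalous logins, unusual data volumes, forwarding-rule creation) can be turned into concrete detection logic. The following is an added example for illustration only; it is not code from Symantec, Carbon Black, or the affected exchange. The audit-log line format, field names (`FileUploaded`, `New-InboxRule`, `ForwardTo`, `country`), the cloud-domain list, the thresholds, and every user, domain and address in the sample log are constructed assumptions. The point it demonstrates is that a per-event size threshold never fires on the executive's transfers, while a cumulative per-user, per-destination total over a rolling window does.

```python
"""Detect low-and-slow mailbox exfiltration through consumer cloud services.

Added example, not the article's or any vendor's code. Log format, field
names, thresholds and the cloud-domain list are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Consumer cloud destinations to watch (assumed list).
CLOUD_DOMAINS = {"dropbox.com", "onedrive.live.com", "1drv.ms"}

# A single transfer above this size trips a classic volume alert (assumed).
PER_EVENT_BYTES = 5_000_000
# A user sending more than this to one cloud destination inside the rolling
# window, with every individual transfer below PER_EVENT_BYTES, is the
# fragmented pattern the article describes (assumed thresholds).
WINDOW = timedelta(days=7)
CUMULATIVE_BYTES = 15_000_000

# Constructed sample audit lines: "<ISO time> <user> <operation> key=value ..."
# Every name, domain and address here is made up for the example.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z exec@exchange.example Login country=GB
2024-03-01T08:05:40Z exec@exchange.example MailItemsAccessed count=40
2024-03-01T08:09:02Z exec@exchange.example FileUploaded dest=dropbox.com bytes=3100000
2024-03-02T07:58:20Z exec@exchange.example Login country=GB
2024-03-02T08:03:15Z exec@exchange.example MailItemsAccessed count=38
2024-03-02T08:07:44Z exec@exchange.example FileUploaded dest=dropbox.com bytes=2900000
2024-03-03T02:14:09Z exec@exchange.example Login country=RO
2024-03-03T02:16:30Z exec@exchange.example New-InboxRule ForwardTo=collector@example.net
2024-03-03T02:20:01Z exec@exchange.example FileUploaded dest=dropbox.com bytes=3300000
2024-03-04T08:11:52Z exec@exchange.example FileUploaded dest=onedrive.live.com bytes=3000000
2024-03-05T08:10:30Z exec@exchange.example FileUploaded dest=dropbox.com bytes=3200000
2024-03-06T08:12:01Z exec@exchange.example FileUploaded dest=dropbox.com bytes=3100000
2024-03-07T08:09:45Z exec@exchange.example FileUploaded dest=dropbox.com bytes=2800000
2024-03-07T09:00:00Z analyst@exchange.example FileUploaded dest=dropbox.com bytes=900000000
"""


def parse_line(line):
    """Split one audit line into a dict of timestamp, user, operation and key=value fields."""
    ts, user, op, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user, "op": op, **fields}


def detect(log_text):
    """Return a list of alert tuples found in the log text, in the order they fire."""
    alerts = []
    seen_countries = defaultdict(set)   # countries observed per user earlier in the log
    transfers = defaultdict(list)       # (user, dest) -> [(timestamp, bytes), ...]
    slow_flagged = set()                # (user, dest) pairs already reported once

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)

        if ev["op"] == "Login":
            # Simplified baseline: any country not seen for this user earlier in the log.
            seen = seen_countries[ev["user"]]
            if seen and ev["country"] not in seen:
                alerts.append(("new_login_country", ev["user"], ev["country"]))
            seen.add(ev["country"])

        elif ev["op"] == "New-InboxRule" and "ForwardTo" in ev:
            # Forwarding rules are a common persistence mechanism for mailbox access.
            alerts.append(("forwarding_rule", ev["user"], ev["ForwardTo"]))

        elif ev["op"] == "FileUploaded" and ev["dest"] in CLOUD_DOMAINS:
            size = int(ev["bytes"])
            if size > PER_EVENT_BYTES:
                alerts.append(("bulk_cloud_upload", ev["user"], ev["dest"], size))

            key = (ev["user"], ev["dest"])
            hist = transfers[key]
            hist.append((ev["ts"], size))
            # Keep only transfers inside the rolling window ending at this event.
            cutoff = ev["ts"] - WINDOW
            while hist and hist[0][0] < cutoff:
                hist.pop(0)

            total = sum(b for _, b in hist)
            # Fire only when the total is large AND every piece was individually small:
            # that is the fragmentation pattern a per-event threshold misses.
            if (total > CUMULATIVE_BYTES
                    and all(b <= PER_EVENT_BYTES for _, b in hist)
                    and key not in slow_flagged):
                slow_flagged.add(key)
                alerts.append(("slow_cloud_exfil", key[0], key[1], total))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the executive's six Dropbox uploads never exceed the per-event threshold, but their rolling total crosses 15 MB on the fifth upload and produces a single `slow_cloud_exfil` alert; the 3 MB OneDrive transfer alone produces nothing. The separate 900 MB upload by another user shows the contrast: it trips the per-event rule and is deliberately excluded from the cumulative one. In production the "seen countries" baseline would come from historical sign-in data rather than the log being analyzed, and the thresholds would be tuned to the organization's normal cloud usage so that legitimate business transfers do not drown the signal.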