An attacker sat in a senior executive’s Outlook mailbox at a major global stock exchange for five months. The intent was espionage, not theft. The institution that failed to notice has not been named. This was a systemic failure of governance in a firm that, of all places, should know better.

Symantec and Carbon Black’s Threat Hunter Team published its analysis of the espionage campaign this week. The Hacker News covered it here. The attacker copied the inbox out in small batches every two to four weeks, routing it through Dropbox and OneDrive. First malicious activity: 10 October 2025. Last observed action: 19 March 2026.

Breakdown of controls and the questions the Board should be asking

Espionage of this duration does not happen against well-defended endpoints. Five independent layers of defence were soft for the better part of half a year. Not bad luck. Institutional complacency. The questions for the CIO, CISO, and Head of Technology Operations are broader and harder than “do we have X tool?”

If management cannot answer with evidence, including dates of last review and independent validation, the board’s question is not “how do we fix this?” It is whether the people running technology and cyber are the right people for the institution.

  1. Network Security and Segmentation
    • The foothold came from another previously compromised endpoint. East-west segmentation around privileged-user workstations was either absent or porous.
    • Where else is this architecture failure going unnoticed? When was segmentation last tested by an independent red team, and results reported to this board?
  2. Application Controls and Endpoint Hardening
    • Two implants ran as SYSTEM. UAC bypass was in the toolkit. Implants and scheduled tasks impersonated Adobe, Lenovo, and OneDrive. Local admin and memory protections were weak. No allow-listing.
    • Why are unsigned, impersonating binaries permitted to run as SYSTEM and schedule themselves at boot? When was this last reviewed end-to-end?
  3. Exchange and Mailbox Security
    • Aspose, a commercial .NET library, read OST and PST files off disk and wrote a portable PST. No cloud sign-in, no Conditional Access, no Purview alert. Nothing was watching for PST creation by non-Outlook processes.
    • Who is monitoring the integrity of OST and PST files, and how? If no one, why not?
  4. Data Loss Prevention
    • Dropbox and OneDrive Personal were not blocked by tenant identity. For OneDrive, the attacker hard-coded Microsoft IP ranges to bypass DNS detection, a technique Microsoft has flagged as deliberate evasion.
    • Why are personal Dropbox and OneDrive permitted from privileged endpoints? Why does our DLP allow curl to push a PST to a personal cloud account without being detected?
  5. Detection and Response
    • Secretsdump and SharpDecryptPwd, both classic and well-signatured, ran without an EDR alert. Eight mailbox pulls over four months, each a date-windowed continuation of the last, ran without a UEBA alert.
    • How does an attacker spend five months in our environment, exfiltrate on a regular cadence, and remain unseen?
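Items 3 and 5 above each describe a gap that is a single detection rule away from being closed: nothing watched for PST creation by a process other than Outlook, and nothing correlated eight date-windowed mailbox pulls into one alert. The block below is an added example, not code from the article or from the Symantec/Carbon Black report. It runs both checks over constructed endpoint telemetry; the hostnames, user names, the lookalike process name `onedrivesvc.exe`, the cloud domains and the `203.0.113.25` address are placeholders, and the event tuple layout is an assumption about what an EDR would record.

```python
from collections import defaultdict
from datetime import datetime

# --- Constructed telemetry (not real data) ---------------------------------
# File-write events: (timestamp, host, user, process image, path written).
FILE_EVENTS = [
    ("2025-10-10T08:02:11", "EXEC-LAPTOP-01", "CORP\\exec.user", "outlook.exe",
     r"C:\Users\exec.user\AppData\Local\Microsoft\Outlook\exec.user@corp.example.ost"),
    ("2025-10-24T02:14:05", "EXEC-LAPTOP-01", "NT AUTHORITY\\SYSTEM", "onedrivesvc.exe",
     r"C:\ProgramData\cache\mbx_2025-10.pst"),          # lookalike name, assumed
    ("2025-11-12T02:09:47", "EXEC-LAPTOP-01", "NT AUTHORITY\\SYSTEM", "onedrivesvc.exe",
     r"C:\ProgramData\cache\mbx_2025-11.pst"),
    ("2025-11-12T09:30:00", "FIN-DESKTOP-07", "CORP\\analyst", "excel.exe",
     r"C:\Users\analyst\Documents\q3.xlsx"),
]

# Outbound upload events: (timestamp, host, user, process image, destination, bytes).
# The third destination is an IP literal (TEST-NET-3 placeholder) to mimic the
# DNS-bypass the article mentions; the cadence check must not depend on names.
UPLOAD_EVENTS = [
    ("2025-10-24T02:20:00", "EXEC-LAPTOP-01", "NT AUTHORITY\\SYSTEM", "curl.exe",
     "content.dropboxapi.com", 310_000_000),
    ("2025-11-12T02:25:00", "EXEC-LAPTOP-01", "NT AUTHORITY\\SYSTEM", "curl.exe",
     "content.dropboxapi.com", 45_000_000),
    ("2025-12-05T02:30:00", "EXEC-LAPTOP-01", "NT AUTHORITY\\SYSTEM", "curl.exe",
     "203.0.113.25", 52_000_000),
    ("2025-12-28T02:35:00", "EXEC-LAPTOP-01", "NT AUTHORITY\\SYSTEM", "curl.exe",
     "onedrive.live.com", 48_000_000),
    # Benign daily sync from a different host: gaps of one day, not flagged.
    ("2025-11-12T09:31:00", "FIN-DESKTOP-07", "CORP\\analyst", "onedrive.exe",
     "corp-my.sharepoint.com", 2_000_000),
    ("2025-11-13T09:31:00", "FIN-DESKTOP-07", "CORP\\analyst", "onedrive.exe",
     "corp-my.sharepoint.com", 1_500_000),
    ("2025-11-14T09:31:00", "FIN-DESKTOP-07", "CORP\\analyst", "onedrive.exe",
     "corp-my.sharepoint.com", 1_800_000),
]

OUTLOOK_IMAGES = {"outlook.exe"}
MAILBOX_EXTENSIONS = (".pst", ".ost")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def mailbox_writes_by_non_outlook(events):
    """Detection for item 3: any OST/PST written by a process other than
    Outlook. Writes by SYSTEM are rated high because Outlook never runs as
    SYSTEM, so there is no legitimate reason for that combination."""
    hits = []
    for ts, host, user, image, path in events:
        if not path.lower().endswith(MAILBOX_EXTENSIONS):
            continue
        if image.lower() in OUTLOOK_IMAGES:
            continue
        hits.append({
            "time": ts, "host": host, "user": user, "image": image, "path": path,
            "severity": "high" if user.upper().endswith("SYSTEM") else "medium",
        })
    return hits


def periodic_uploads(events, min_count=3, min_gap_days=10, max_gap_days=35):
    """Detection for item 5: the same (host, user, process) pushing data out on
    a regular cadence. Flags actors with at least `min_count` uploads where
    every gap between consecutive uploads lies in [min_gap_days, max_gap_days].
    Keyed on the actor, not the destination, so IP-literal uploads still count."""
    by_actor = defaultdict(list)
    for ts, host, user, image, dest, nbytes in events:
        by_actor[(host, user, image)].append((_ts(ts), dest, nbytes))
    findings = []
    for (host, user, image), ups in by_actor.items():
        if len(ups) < min_count:
            continue
        ups.sort()
        gaps = [(b[0] - a[0]).days for a, b in zip(ups, ups[1:])]
        if all(min_gap_days <= g <= max_gap_days for g in gaps):
            findings.append({
                "host": host, "user": user, "image": image,
                "uploads": len(ups), "gaps_days": gaps,
                "destinations": sorted({u[1] for u in ups}),
                "total_bytes": sum(u[2] for u in ups),
            })
    return findings


if __name__ == "__main__":
    for h in mailbox_writes_by_non_outlook(FILE_EVENTS):
        print("MAILBOX FILE WRITE", h["severity"].upper(), h["host"], h["image"], h["path"])
    for f in periodic_uploads(UPLOAD_EVENTS):
        print("PERIODIC UPLOADS", f["host"], f["image"], f["uploads"],
              "uploads, gaps", f["gaps_days"], "days ->", f["destinations"])
```

On the constructed data the first check raises two high-severity hits (the SYSTEM-context lookalike process writing a PST twice) and the second raises one finding for `curl.exe` on the executive's laptop with gaps of 19, 23 and 23 days, matching the two-to-four-week cadence the article describes. The gap window is deliberately wide; a tenant-identity block on personal Dropbox and OneDrive (item 4) would stop the uploads before this rule is needed, and the rule is there to catch whatever slips past that block.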

Could the executive have spotted it?

Realistically, no. The implants ran as SYSTEM and impersonated trusted vendor binaries. The mailbox was read off the local disk, not through cloud sign-in, so there was no “new device” notification. The user-facing experience was completely ordinary.

What should have been in place but was not: hardened laptop, no local admin, mandatory EDR, mailbox export monitoring, and a quarterly review of what runs at logon.

And the security vendors, Symantec and Carbon Black?

The forensic depth of their published report comes only from endpoint telemetry on the victim machine. Either Symantec or Carbon Black agents were collecting the data, or the Threat Hunter Team was pulled in for incident response. Whether it was an EDR rollout, a hunt sweep, an intel tip, or a fluke, we do not know. Five months of dwell means the detection stack was not working.

This raises a question that has not been answered. Was this a product subscription, in which the exchange’s own SOC was supposed to triage the alerts, or a managed service, in which Broadcom analysts were paid to monitor the console?

A vendor publishing a dissection of how a customer was compromised, without disclosing what its own service did during the five-month dwell, reads as both threat intelligence and deflection.

Who else should be worried?

Anyone whose inbox holds material non-public information is in scope. Central bank and regulator leadership. Listed-company CEOs, CFOs, and general counsel. M&A bankers and lead advisors. Sovereign wealth and large pension fund principals. Senior partners at top-tier law firms. Late-stage venture and private equity general partners.

If your firm sits in any of these categories and cannot answer the board questions above, you are not detecting this attack.

The disclosure question

In most jurisdictions, espionage targeting an exchange officer’s mailbox would qualify as a notifiable cyber incident under market integrity rules. Whether that disclosure has happened, or will happen, is an open question.

An exchange that disciplines listed companies for inadequate disclosure now has its own disclosure question to answer.

Bottom line

This is not a story about a careless executive. It is a story about a global stock exchange that failed to protect, a technology and cyber function that let five layers of defence fail in concert across five months, and a security vendor whose threat hunters surfaced only after the dwell was over. It is leadership accountability on both sides of the contract.

For boards of exchanges, regulators, central banks, and any firm sitting on market-moving information, the homework is simple. Read the Symantec write-up. Put the hard questions to management and to the vendor relationship. If you hear excuses, you have your answer about who is running your security programme.

There is no CVE to hide behind. And the longer the silence from the exchange holds, the louder the question becomes about what was in that inbox, and who has seen it.

About the Author

Viren Mantri is a cybersecurity advisor and former senior technology leader across Standard Chartered, UBS, McAfee, and KPMG. After three decades at the intersection of technology, risk, and regulation, he now helps organisations cut through complexity and make better security decisions.

CC-BY Viren Mantri, 2026, licensed under a Creative Commons Attribution 4.0 International License.

Disclaimer: All views expressed here are entirely mine.