The Inbox That Never Stopped Talking
- Javier Conejo del Cerro
- 6 days ago
- 3 min read

A sophisticated espionage operation has revealed how valuable a single executive mailbox can be. For at least five months, unknown attackers maintained access to the Outlook account of a senior executive at a major global stock exchange, quietly exporting emails in small increments and disguising their activity through trusted cloud services. Rather than conducting a smash-and-grab operation, the attackers focused on long-term intelligence collection, gaining visibility into potentially market-moving information, strategic discussions, business relationships, and executive communications.
Phase 1: Initial Compromise and Lateral Movement
The intrusion appears to have originated from a previously compromised system within the victim environment. Although investigators could not determine the original entry vector, the first observed activity dates back to October 2025, when the attackers were already operating with SYSTEM-level privileges on the executive’s workstation.
Two malicious binaries masquerading as legitimate Adobe and OneDrive components provided the attackers with extensive control over the host while remaining hidden among normal system activity.
Phase 2: Establishing Long-Term Persistence
To ensure continued access, the threat actors deployed multiple persistence mechanisms disguised as legitimate services.
Scheduled tasks were configured to appear as trusted Adobe, Lenovo, and OneDrive processes. This camouflage allowed malicious activities to blend into routine endpoint operations while reducing the likelihood of attracting attention from administrators or security monitoring tools.
The attackers also deployed a broader toolkit that included credential theft utilities, privilege escalation tools, tunneling software, and password recovery capabilities.
Phase 3: Mailbox Harvesting Begins
On November 12, 2025, the operation shifted into active intelligence collection.
The attackers deployed a mailbox extraction utility built around Aspose, a legitimate .NET library commonly used to process Outlook OST and PST files. The tool exported mailbox content into PST archives and extracted emails based on specified date ranges.
The first export captured all mailbox contents dating back to August 2025, providing the attackers with a comprehensive historical view of the executive’s communications.
Phase 4: Incremental Intelligence Collection
Instead of repeatedly exporting the entire mailbox, the attackers adopted a much stealthier strategy.
Every two to four weeks they returned and exported only the emails created since the previous extraction. This process continued through February 2026, resulting in nearly continuous surveillance of the victim’s communications.
By collecting only incremental changes, the attackers significantly reduced network traffic volumes and minimized behavioral anomalies that could trigger security alerts.
Phase 5: Cloud-Based Exfiltration
One of the most notable aspects of the campaign was the exfiltration methodology.
Rather than using suspicious command-and-control infrastructure, the attackers relied on trusted consumer cloud services including Dropbox and OneDrive Personal. Data uploads blended naturally with normal business traffic.
To further avoid detection, OneDrive communications were directed to hardcoded Microsoft IP addresses rather than standard OneDrive hostnames, preventing DNS-based monitoring systems from easily identifying the activity.
This approach enabled the theft of sensitive information while hiding within legitimate cloud traffic patterns.
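One way a defender can surface the hard-coded-IP trick described above is to correlate DNS answers with outbound connections and flag a host that talks to an IP it never resolved. This is an added example, not code from the article or from the investigators; the DNS and connection logs are constructed, the IPs are from the TEST-NET-3 documentation range rather than real Microsoft ranges, and the field layout and 10-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DNS log: (timestamp, host, queried name, answered IP).
DNS_LOG = [
    ("2025-11-12T09:00:01", "WS-EXEC01", "outlook.office365.com", "203.0.113.10"),
    ("2025-11-12T09:00:02", "WS-EXEC01", "onedrive.live.com", "203.0.113.15"),
]
# Constructed connection log: (timestamp, host, dst_ip, dst_port, process).
# The last two entries model an uploader that never issued a DNS query.
CONN_LOG = [
    ("2025-11-12T09:00:03", "WS-EXEC01", "203.0.113.10", 443, "outlook.exe"),
    ("2025-11-12T09:00:04", "WS-EXEC01", "203.0.113.15", 443, "OneDrive.exe"),
    ("2025-11-12T09:04:30", "WS-EXEC01", "203.0.113.77", 443, "OneDriveUpd.exe"),
    ("2025-11-12T09:05:00", "WS-EXEC01", "203.0.113.77", 443, "OneDriveUpd.exe"),
]

def _t(s):
    return datetime.fromisoformat(s)

def unresolved_connections(dns_log, conn_log, window=timedelta(minutes=10)):
    """Return outbound connections for which the same host received no DNS
    answer naming that IP within `window` before the connection."""
    answers = defaultdict(list)            # (host, ip) -> [answer times]
    for ts, host, _name, ip in dns_log:
        answers[(host, ip)].append(_t(ts))
    hits = []
    for ts, host, ip, port, proc in conn_log:
        t = _t(ts)
        if any(t - window <= a <= t for a in answers[(host, ip)]):
            continue                       # a lookup explains this destination
        hits.append({"time": ts, "host": host, "dst": f"{ip}:{port}", "process": proc})
    return hits

def summarize(hits):
    """Collapse repeated hits to a count per (host, destination, process); slow
    incremental uploads show up as a small number of recurring tuples."""
    counts = defaultdict(int)
    for h in hits:
        counts[(h["host"], h["dst"], h["process"])] += 1
    return dict(counts)

if __name__ == "__main__":
    for (host, dst, proc), n in summarize(unresolved_connections(DNS_LOG, CONN_LOG)).items():
        print(f"{host} -> {dst} via {proc}: {n} connection(s) with no DNS resolution")
```

Hosts that use DNS over HTTPS, long TTL caches, or connections set up before the log window will also appear, so the window should be tuned against a baseline before alerting on this alone.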
Affected
The primary victim was a senior executive at a major international stock exchange. Individuals in such positions often possess access to highly sensitive information, including regulatory discussions, enforcement matters, merger and acquisition activity, listing information, investor communications, strategic planning documents, executive calendars, and confidential market intelligence.
The value of this information extends far beyond the individual mailbox itself. Continuous access provides adversaries with insight into organizational priorities, upcoming business decisions, external relationships, and potentially market-moving developments.
Breach Method & Stolen Data
Unlike many modern incidents, this attack did not rely on exploiting a newly disclosed vulnerability. Instead, it leveraged compromised access, persistence mechanisms, mailbox export tools, credential theft utilities, and trusted cloud services.
Information potentially exposed includes:
- Executive emails
- Internal communications
- Business negotiations
- Regulatory discussions
- Calendar entries
- Contact lists
- Strategic planning information
- Market-sensitive documents
- User credentials
- Stored application passwords
Additional tools discovered during the investigation included FRPC for tunneling, Secretsdump for credential extraction, SharpDecryptPwd for password recovery, and utilities capable of bypassing Windows User Account Control protections.
Measures to Fend Off the Attack
- Monitor Outlook mailbox export activity.
- Alert on unusual PST creation and archive generation.
- Detect uploads to personal Dropbox and OneDrive accounts.
- Restrict the use of unsanctioned cloud storage services.
- Monitor scheduled task creation and modification.
- Audit privileged-user endpoints more frequently.
- Detect credential-dumping tools and password recovery utilities.
- Implement behavioral analytics for executive accounts.
- Monitor unusual outbound traffic to cloud storage providers.
- Enforce endpoint detection and response (EDR) coverage on executive workstations.
- Conduct regular threat hunting focused on persistence mechanisms.
- Review access patterns involving high-value personnel.
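Two of the measures above, PST creation alerting and scheduled-task monitoring, can be expressed as simple rules over endpoint telemetry. This is an added example, not code from the article or any vendor: the events are constructed, the field names are assumptions, and the "expected install location" heuristic for Adobe, Lenovo and OneDrive is a starting point to tune per fleet.

```python
import re

# Constructed file-create events: which process wrote which file.
FILE_EVENTS = [
    {"proc": "outlook.exe", "path": r"C:\Users\exec\Documents\Outlook Files\archive.pst"},
    {"proc": "svc_onedrive.exe", "path": r"C:\ProgramData\cache\mbx_2025-11.pst"},
    {"proc": "explorer.exe", "path": r"C:\Users\exec\Downloads\report.pdf"},
]
# Constructed scheduled-task registrations: display name and the action binary.
TASK_EVENTS = [
    {"name": "Adobe Acrobat Update Task",
     "action": r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"},
    {"name": "OneDrive Standalone Update Task",
     "action": r"C:\Users\exec\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
    {"name": "Lenovo System Update",
     "action": r"C:\ProgramData\cache\LenovoSU.exe"},
]

VENDOR_NAME = re.compile(r"adobe|onedrive|lenovo", re.I)
# Assumed legitimate locations: machine-wide installs under Program Files, plus
# OneDrive's per-user install under %LocalAppData%\Microsoft\OneDrive.
PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
ONEDRIVE_USER_DIR = "\\appdata\\local\\microsoft\\onedrive\\"

def _expected_location(name, path):
    p = path.lower()
    if p.startswith(PROGRAM_DIRS):
        return True
    return "onedrive" in name.lower() and ONEDRIVE_USER_DIR in p

def pst_written_outside_outlook(events):
    """PST archives created by anything other than Outlook itself. Exports made
    through outlook.exe still need a size/frequency check, not covered here."""
    return [e for e in events
            if e["path"].lower().endswith(".pst") and e["proc"].lower() != "outlook.exe"]

def masquerading_tasks(events):
    """Tasks with a vendor-looking name whose binary is not where that vendor installs."""
    return [e for e in events
            if VENDOR_NAME.search(e["name"]) and not _expected_location(e["name"], e["action"])]

if __name__ == "__main__":
    for e in pst_written_outside_outlook(FILE_EVENTS):
        print(f"PST written by {e['proc']}: {e['path']}")
    for e in masquerading_tasks(TASK_EVENTS):
        print(f"Task '{e['name']}' runs from unexpected path: {e['action']}")
```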
Conclusions
This intrusion demonstrates that some of the most damaging cyber-espionage campaigns do not rely on zero-days or ransomware. By quietly maintaining access to a single executive mailbox and extracting information in carefully controlled increments, the attackers obtained a long-term intelligence advantage while remaining largely invisible. The operation highlights the importance of behavioral monitoring, cloud activity visibility, and continuous detection capabilities around high-value users whose communications can reveal the strategic direction of an entire organization.
The Hacker News