Unknown attackers stole a senior executive's Outlook mailbox in incremental batches, exfiltrating through Dropbox and OneDrive Personal to keep the traffic indistinguishable from legitimate activity.
# Incident Report: Five-Month Mailbox Espionage Campaign
## Executive Summary
A highly disciplined espionage campaign targeted a senior executive at a global stock exchange, maintaining persistent access to their Outlook mailbox for five months. The attackers used legitimate cloud services like Dropbox and OneDrive to exfiltrate data in incremental batches, successfully blending in with legitimate network traffic. The operation concluded in mid-2026 after the attackers systematically harvested non-public financial intelligence and executive communications.
## Incident Details
- **Discovery Date:** Approximately June 3, 2026 (Public disclosure)
- **Incident Date:** October 10, 2025 – May 2026
- **Affected Organization:** Major Global Stock Exchange (Company name withheld)
- **Sector:** Financial Services / Market Infrastructure
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-October 10, 2025
- **Vector:** Unknown (Attackers already had SYSTEM-level access by the first observation)
- **Details:** Attackers established a foothold with two masquerading binaries (`armsvc.exe` and `oneservice.exe`) running as SYSTEM services.
### Lateral Movement
- **Movement:** Limited. The attackers stayed on the executive's host and relied on "living off the land" techniques to keep a low profile, using `bypassuac.exe` and `secretsdump` to entrench themselves and retain access to the profile's data.
### Data Exfiltration/Impact
- **Activity:** On November 12, 2025, the attackers began using a dedicated Dropbox API token for exfiltration.
- **Process:** They used an Aspose-based mailbox stealer to parse the Outlook OST file, extracting specific date ranges of emails into incremental batches.
- **Scope:** Complete theft of the executive’s Outlook profile, including emails, contacts, calendars, and travel plans.
### Detection & Response
- **Discovery:** Identified through threat hunting and behavioral analysis of suspicious scheduled tasks and unusual cloud API calls.
- **Response:** Remedial actions included terminating malicious scheduled tasks, deleting masquerading binaries, and revoking compromised cloud API tokens.
## Attack Methodology
- **Initial Access:** Unknown.
- **Persistence:** Created scheduled tasks recurring every 5 minutes, masquerading as Adobe Acrobat Update services and Lenovo Health Checks.
- **Privilege Escalation:** Achieved local SYSTEM privileges via unknown means prior to discovery; used `bypassuac.exe`.
- **Defense Evasion:** Masqueraded file names (`armsvc.exe`, `oneservice.exe`), used legitimate cloud APIs (Dropbox/OneDrive), and utilized public/commercial tools to avoid attribution.
- **Credential Access:** Used `SharpDecryptPwd` and `secretsdump`.
- **Discovery:** Local reconnaissance of file paths and Outlook OST locations.
- **Lateral Movement:** Minimal (Targeted single-host espionage).
- **Collection:** Used a custom Aspose-based OST parser to extract mailbox data.
- **Exfiltration:** Data was uploaded to Dropbox and OneDrive via `curl` using persistent API tokens.
- **Impact:** Strategic espionage and theft of non-public market information.
## Impact Assessment
- **Financial:** High potential impact (access to non-public listings and enforcement data).
- **Data Breach:** Full compromise of a senior executive’s mailbox (5 months of correspondence).
- **Operational:** Low immediate disruption, as the attack was designed to be silent.
- **Reputational:** Significant risk to the exchange's role as a trusted market regulator.
## Indicators of Compromise
- **File Hashes (SHA-256):**
  - `8c0871cd0f60bc603424e948a689945a1828d0bef926a6470ae18cf17d93f7cb` (armsvc.exe)
  - `22f335a65c479c26019f6187dae290624117c82a702a96acbb04fa325f730d3e` (oneservice.exe)
  - `db59813e3f27fb8608a4876e758f60b69d9700dc22d15237ac095bb3166fb622` (Mailbox Stealer)
- **Behavioral Indicators:**
  - `curl` commands interacting with `api.dropbox[.]com` from executive workstations.
  - Scheduled tasks in `\Microsoft\Windows\Lenovo\` or `\Microsoft\Windows\Adobe\` executing `.bat` files from `C:\windows\temp\`.
## Response Actions
- **Containment:** Revoked Dropbox and OneDrive API tokens used by the attackers.
- **Eradication:** Deleted malicious binaries and removed unauthorized scheduled tasks.
- **Recovery:** Full password resets and session revocations for the affected executive; hardened endpoint monitoring.
## Lessons Learned
- **Visibility Gaps:** Long-term persistence was possible because the traffic blended with legitimate cloud service usage.
- **Targeting:** Senior executives are high-value targets who require bespoke security monitoring (VIP protection).
- **Tooling:** Attackers are moving away from custom malware toward legitimate commercial libraries (Aspose) and public tools to evade signature-based detection.
## Recommendations
- **Cloud Monitoring:** Implement a CASB (Cloud Access Security Broker) to monitor and alert on unauthorized API calls to personal storage services from corporate assets.
- **Endpoint Hardening:** Audit and restrict the creation of scheduled tasks by non-administrative users and monitor the execution of scripts from `C:\windows\temp\`.
- **Behavioral Analytics:** Set alerts for large-scale data transfers or repetitive `curl` activity targeting public URLs.
- **Executive Protection:** Implement stricter application allow-listing and enhanced auditing on "VIP" workstations.
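A hunt for the report's two behavioural indicators (scheduled tasks under the Lenovo/Adobe folders that run `.bat` files from `C:\windows\temp\`, and `curl` reaching `api.dropbox[.]com`), which also covers the scheduled-task and `curl` monitoring the recommendations call for. This is example code added here, not part of the report or any vendor tooling; the record fields and all sample telemetry are constructed, and `api.dropbox.com` is the only watched host because it is the one the report names.

```python
import re
from urllib.parse import urlparse

# Indicators are the report's. The record schema (host/task/command and
# host/image/cmdline) is an assumption; map it onto your own telemetry fields.
TASK_FOLDERS = ("\\microsoft\\windows\\lenovo\\", "\\microsoft\\windows\\adobe\\")
STAGING_DIR = "c:\\windows\\temp\\"
WATCHED_API_HOSTS = {"api.dropbox.com"}  # add further cloud API hosts you want watched
URL_RE = re.compile(r"https?://[^\s\"']+")

# Constructed sample telemetry (not data from the incident).
TASK_EVENTS = [
    {"host": "EXEC-WS01", "task": r"\Microsoft\Windows\Lenovo\HealthCheck",
     "command": r'"C:\windows\temp\hc.bat" /q'},
    {"host": "EXEC-WS01", "task": r"\Microsoft\Windows\Adobe\AcrobatUpdate",
     "command": r"C:\Windows\Temp\upd.bat"},
    {"host": "HR-WS07", "task": r"\Microsoft\Windows\Adobe\SyncLog",
     "command": r'"C:\Program Files\Adobe\sync.exe"'},  # same folder, benign action
]
PROCESS_EVENTS = [
    {"host": "EXEC-WS01", "image": r"C:\windows\temp\curl.exe",
     "cmdline": 'curl -s -X POST https://api.dropbox.com/2/files/upload '
                '-H "Authorization: Bearer <TOKEN_PLACEHOLDER>"'},
    {"host": "HR-WS07", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl -sS https://updates.example.com/manifest.json"},
]

def _executable(command):
    # Lower-cased program path from a task action, whether or not it is quoted.
    command = command.strip()
    return (command.split('"')[1] if command.startswith('"') else command.split()[0]).lower()

def suspicious_task(ev):
    """Task under the Lenovo/Adobe folders running a .bat from C:\\windows\\temp\\ (both must hold)."""
    task = ev["task"].lower()
    exe = _executable(ev["command"])
    in_folder = any(task.startswith(f) for f in TASK_FOLDERS)
    return in_folder and exe.startswith(STAGING_DIR) and exe.endswith(".bat")

def suspicious_curl(ev):
    """curl.exe whose command line carries a URL to a watched cloud API host."""
    if ev["image"].lower().rsplit("\\", 1)[-1] != "curl.exe":
        return False
    return bool({urlparse(u).hostname for u in URL_RE.findall(ev["cmdline"])} & WATCHED_API_HOSTS)

def hunt(task_events=TASK_EVENTS, process_events=PROCESS_EVENTS):
    """Return (host, rule, evidence) tuples for every record that matches a rule."""
    hits = [(e["host"], "masquerading_task", e["task"]) for e in task_events if suspicious_task(e)]
    hits += [(e["host"], "curl_to_cloud_api", e["cmdline"]) for e in process_events if suspicious_curl(e)]
    return hits
```

Run against the constructed records, `hunt()` returns three findings, all on `EXEC-WS01`; the benign Adobe task and the ordinary `curl` update check on `HR-WS07` are not flagged.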