Hackers Target Stock Exchange Executive in Months-Long Espionage Operation
Key Points
- Threat actors compromised the Outlook account of a senior executive at a global stock exchange and quietly collected sensitive data.
- The intrusion occurred in October 2025, with the threat actor retaining access to the Outlook mailbox until March 2026.
- IANS Faculty recommend treating executive accounts as high-value assets, tightening controls on C-suite access, and focusing detection on long-term, low-and-slow adversary behavior.
Threat actors gained access to the email account of a senior executive at an unnamed major global stock exchange to quietly exfiltrate sensitive data for months.
The intrusion occurred in October 2025, with the attackers retaining access to the Outlook mailbox until March 2026, for a dwell time of roughly 150 days, per Broadcom’s Symantec and Carbon Black threat hunting teams.
The initial compromise vector remains unknown, but the first signs of malicious activity appeared on Oct. 10, when malware was found running on the compromised host, masquerading as Adobe and OneDrive applications.
The threat actors established command-and-control (C2) on Nov. 12, when they also began collecting and exfiltrating data. To avoid suspicion, the attackers exfiltrated the files to Dropbox and OneDrive in small batches rather than in one large transfer.
“For an espionage actor, a senior executive’s mailbox is a high-value intelligence target. An Outlook profile may yield details of external negotiations, internal deliberations, the executive’s calendar, travel pattern, and their contacts,” the researchers said.
Big Picture
Threat actors can access sensitive, market-moving information just by compromising an executive’s inbox, often through simple attack vectors like phishing. This breach is a reminder that attackers don’t need zero-days to gain entry.
“Five months of access, commands aimed at collection rather than cash, and zero infrastructure reuse, which is why nobody can attribute it. This is state-grade tradecraft, and the patience is the point. Loud crews get caught; quiet ones get a quarter of your strategy.” Jeff Brown, IANS Faculty.
Executive accounts and those of adjacent roles like administrators or assistants should therefore be treated as crown jewel assets with dedicated protection, monitoring and detection.
“If an adversary wants to understand your organization, your executives are often one of the most efficient paths to that intelligence. Sometimes the most valuable assets are the people making the decisions.” Lisa Perdelwitz, IANS Faculty.
IANS Faculty Recommendations
- Protect exec accounts like critical assets: Convenience exceptions granted to the C-suite (looser MFA, mailbox auto-forwarding, personal-device sync) are the attack surface. The higher the seat, the tighter the controls should be.
- Think beyond execs: Which other employees in your organization should be deemed "high-value intelligence targets"? What other processes should be in place to protect those targets both proactively and reactively?
- Treat company-sanctioned cloud services as exfil infrastructure: Baseline executive egress to cloud accounts (Dropbox, OneDrive) and alert on upload volumes or patterns that don't match a normal human user's.
- Hunt for the squatter: Build hunts around dwell behavior like scheduled tasks, masquerading binaries and steady low-volume outbound traffic.
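As an added illustration of the two hunting points above (egress baselining and steady low-volume outbound traffic), here is example detection logic written for this note; it is not code from IANS or from the Symantec/Carbon Black research, and the proxy log lines, user names, destination hosts and thresholds are constructed:

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

# Constructed proxy log lines (not from the article): day, user, destination host, bytes uploaded.
SAMPLE_LOG = """\
2025-11-10 alice dropbox.com 150000
2025-11-12 bob onedrive.live.com 90000
2025-11-12 alice dropbox.com 140000
2025-11-13 alice dropbox.com 160000
2025-11-13 carol onedrive.live.com 4000000
2025-11-14 alice dropbox.com 155000
2025-11-15 alice dropbox.com 145000
2025-11-16 alice dropbox.com 150000
2025-11-17 dave dropbox.com 100000
"""

SANCTIONED = {"dropbox.com", "onedrive.live.com"}  # company-approved cloud services

def parse_log(text):
    """Return {(user, host): {day: bytes}} for uploads to sanctioned destinations."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        day, user, host, nbytes = line.split()
        if host in SANCTIONED:
            totals[(user, host)][date.fromisoformat(day)] += int(nbytes)
    return totals

def longest_daily_streak(days):
    """Length of the longest run of consecutive calendar days in `days`."""
    best = run = 0
    prev = None
    for d in sorted(days):
        run = run + 1 if prev is not None and d - prev == timedelta(days=1) else 1
        best, prev = max(best, run), d
    return best

def detect(totals, spike_factor=10, streak_days=5):
    """Flag a day whose volume exceeds spike_factor x the peer median (bulk exfil)
    and a user uploading on streak_days consecutive days (steady low volume)."""
    peer_median = median(b for per_day in totals.values() for b in per_day.values())
    alerts = []
    for (user, host), per_day in totals.items():
        for d, b in per_day.items():
            if b > spike_factor * peer_median:
                alerts.append(("spike", user, host, d.isoformat(), b))
        streak = longest_daily_streak(per_day)
        if streak >= streak_days:
            alerts.append(("low_and_slow", user, host, streak))
    return alerts
```

In the constructed sample, the single large upload trips the spike rule, while the small daily uploads that never exceed the peer median are caught only by the consecutive-day streak rule, which is the pattern a volume threshold alone would miss.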
Authors & Contributors
Nuria Diaz Munoz, Author, IANS News
Lisa Perdelwitz, IANS Faculty
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our News & blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.