Stock Exchange Executive’s Outlook Account Targeted to Exfiltrate Credentials
ID: 4ce8b9a9-2cdc-561c-971f-98626778bd2f
STIX ID: report--4ce8b9a9-2cdc-561c-971f-98626778bd2f
Feed Name: cybersecurityNews.com
Symantec and Carbon Black uncovered a months-long targeted espionage campaign (Oct 2025–Mar 2026) in which attackers persisted on a stock exchange executive's endpoint using SYSTEM-level masquerading binaries, extracted the victim's offline Outlook mailbox with an Aspose-based tool, and exfiltrated the data through Dropbox and OneDrive (in some cases connecting directly to hard-coded IP addresses to bypass DNS resolution). The disclosure documents the attack chain, the multiple deployed binaries and a DLL, numerous SHA256 IoCs, the hard-coded Microsoft IPs, the filenames produced by the extraction runs, and defensive recommendations such as monitoring scheduled task creation, restricting cloud storage API egress, and enabling behavioral alerts for access to Outlook storage files.
