Symantec: five-month, low-and-slow mailbox-espionage campaign against a global stock exchange

From CTI Daily Brief — 2026-06-04 · published 2026-06-04

Broadcom's Symantec and Carbon Black documented a targeted espionage operation (Oct 2025–Mar 2026) against a senior executive at an unnamed global stock exchange (Broadcom/Symantec, 2026-06-03 · SecurityWeek, 2026-06-03). The actor persisted with masqueraded binaries (armsvc.exe, oneservice.exe; T1036.005) and scheduled tasks, then ran a custom Aspose-based OST stealer to incrementally exfiltrate the target's entire Outlook mailbox in small batches via the Dropbox API and OneDrive Personal (T1114.001, T1567.002), deliberately using hard-coded Microsoft IP addresses instead of hostnames to defeat DNS-based detection. Tooling also included FRPC, SharpDecryptPwd and Secretsdump (T1003.001). No attribution is offered; the assessed motive is intelligence collection. Detection concepts: scheduled-task creation by non-SYSTEM processes (EID 4698 / Sysmon 12), .ost reads by processes other than Outlook.exe (Sysmon 11), and outbound HTTPS to Dropbox API endpoints from non-browser processes.
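The detection concepts above, expressed as four rules run over a handful of constructed sample events. This is an added example written for this brief, not code from Symantec, Carbon Black or the report; the event field names (`id`, `subject`, `image`, `target`, `query`, `dst_host`, `dst_ip`, `dst_port`), the file paths and the 203.0.113.x addresses are assumptions chosen to resemble Windows Security 4698/4663 and Sysmon 22/3 records. It goes one step beyond the brief's three concepts by adding a fourth rule that the hard-coded-IP detail implies: a process opening an outbound connection to a destination it never resolved via DNS. One practical caveat is built into the sample: Sysmon event 11 records file creation, so a read of an already-existing .ost is better surfaced by Security 4663 (with a SACL on the Outlook data folder) or an EDR file-read sensor, which is the shape the sample uses.

```python
import ntpath
from collections import defaultdict

# Constructed sample events (not telemetry from the report). Field names,
# paths and addresses are assumptions, not values observed in the campaign.
EVENTS = [
    # Security 4698: scheduled task created. One by an interactive user, one by
    # SYSTEM (normal for built-in Windows maintenance tasks).
    {"id": 4698, "subject": "CORP\\jdoe",
     "task": "\\Microsoft\\Windows\\OneService"},
    {"id": 4698, "subject": "NT AUTHORITY\\SYSTEM",
     "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    # Security 4663: object access on the mailbox cache (.ost). Sysmon 11 only
    # logs file creation, so a read of an existing .ost needs 4663 + a SACL,
    # or an EDR file-read sensor.
    {"id": 4663, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "target": "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Outlook\\jdoe.ost"},
    {"id": 4663, "image": "C:\\Users\\Public\\armsvc.exe",
     "target": "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Outlook\\jdoe.ost"},
    # Sysmon 22: DNS query. Only the browser resolves the Dropbox API host.
    {"id": 22, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "query": "api.dropboxapi.com"},
    # Sysmon 3: outbound TCP connections. dst_host is Sysmon's reverse lookup
    # and is empty when the address has no PTR record.
    {"id": 3, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "dst_ip": "203.0.113.20", "dst_port": 443, "dst_host": "api.dropboxapi.com"},
    {"id": 3, "image": "C:\\Users\\Public\\armsvc.exe",
     "dst_ip": "203.0.113.21", "dst_port": 443, "dst_host": "content.dropboxapi.com"},
    {"id": 3, "image": "C:\\Users\\Public\\armsvc.exe",
     "dst_ip": "203.0.113.22", "dst_port": 443, "dst_host": ""},
]

SYSTEM_SUBJECTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                   "NT AUTHORITY\\NETWORK SERVICE"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}
DROPBOX_SUFFIXES = ("dropboxapi.com", "dropbox.com")


def basename(path):
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path).lower()


def tasks_created_by_non_system(events):
    """Rule 1: EID 4698 where the creating subject is not a service account."""
    return [e["task"] for e in events
            if e["id"] == 4698 and e["subject"] not in SYSTEM_SUBJECTS]


def ost_access_not_outlook(events):
    """Rule 2: any process other than Outlook touching an .ost file."""
    return [e["image"] for e in events
            if e["id"] == 4663 and e["target"].lower().endswith(".ost")
            and basename(e["image"]) != "outlook.exe"]


def dropbox_https_from_non_browser(events):
    """Rule 3: HTTPS to a Dropbox API host from something that is not a browser."""
    return [e["image"] for e in events
            if e["id"] == 3 and e["dst_port"] == 443
            and e["dst_host"].lower().endswith(DROPBOX_SUFFIXES)
            and basename(e["image"]) not in BROWSERS]


def connections_without_dns(events):
    """Rule 4: outbound connection by a process that never resolved the
    destination name (hard-coded IP, or an IP with no reverse record).
    Two passes, so it does not depend on event order; a real pipeline would
    bound the lookup with a time window."""
    resolved = defaultdict(set)
    for e in events:
        if e["id"] == 22:
            resolved[e["image"]].add(e["query"].lower())
    return [(e["image"], e["dst_ip"]) for e in events
            if e["id"] == 3 and e["dst_host"].lower() not in resolved[e["image"]]]


def run_all(events):
    return {
        "non_system_task_creation": tasks_created_by_non_system(events),
        "non_outlook_ost_access": ost_access_not_outlook(events),
        "non_browser_dropbox_https": dropbox_https_from_non_browser(events),
        "connection_without_dns": connections_without_dns(events),
    }


if __name__ == "__main__":
    for rule, hits in run_all(EVENTS).items():
        print(f"{rule}: {hits}")
```

Each rule is deliberately narrow so that a hit is explainable on its own; in practice rules 2 and 4 produce the most useful pivots for this tradecraft, because a masqueraded binary reading the .ost and then talking to an address it never looked up is the exact sequence the report describes, whereas rule 1 on its own fires on ordinary software installers.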