ctipilot.ch

Stock-exchange mailbox espionage

campaign · campaign:stock-exchange-mailbox-espionage-2026

Symantec-documented five-month mailbox-espionage intrusion at a global stock exchange: Aspose-based OST stealer with Dropbox/OneDrive exfiltration.

Coverage timeline
1
first 2026-06-04 → last 2026-06-04
Peak priority
notable
1 notable
Sources cited
2
2 hosts
Sections touched
1
research
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
4
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques

4 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Stealth TA0005

T1036.005Masquerading: Match Legitimate Resource Name or Location×1

Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation.

Evidence: 2026-06-04/symantec-five-month-low-and-slow-mailbox-espionage-campaign · ATT&CK page ↗

Credential Access TA0006

T1003.001OS Credential Dumping: LSASS Memory×1

Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.

Evidence: 2026-06-04/symantec-five-month-low-and-slow-mailbox-espionage-campaign · ATT&CK page ↗

Collection TA0009

T1114.001Email Collection: Local Email Collection×1

Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.

Evidence: 2026-06-04/symantec-five-month-low-and-slow-mailbox-espionage-campaign · ATT&CK page ↗

Exfiltration TA0010

T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage×1

Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.

Evidence: 2026-06-04/symantec-five-month-low-and-slow-mailbox-espionage-campaign · ATT&CK page ↗

Story timeline

  1. 2026-06-04Symantec: five-month, low-and-slow mailbox-espionage campaign against a global stock exchange
    research

Where this entity is cited

  • research1

Source distribution

  • security.com1 (50%)
  • securityweek.com1 (50%)

explore in graph

Entries about Stock-exchange mailbox espionage (1)

2026-06-04 · view entry permalink →

NOTABLE

Symantec: five-month, low-and-slow mailbox-espionage campaign against a global stock exchange

Broadcom's Symantec and Carbon Black documented a targeted espionage operation (Oct 2025–Mar 2026) against a senior executive at an unnamed global stock exchange (Broadcom/Symantec, 2026-06-03 · SecurityWeek, 2026-06-03). The actor persisted with masqueraded binaries (armsvc.exe, oneservice.exeT1036.005) and scheduled tasks, then ran a custom Aspose-based OST stealer to incrementally exfiltrate the target's entire Outlook mailbox in small batches via the Dropbox API and OneDrive Personal (T1114.001, T1567.002), deliberately using hard-coded Microsoft IP addresses instead of hostnames to defeat DNS-based detection. Tooling also included FRPC, SharpDecryptPwd and Secretsdump (T1003.001). No attribution is offered; the assessed motive is intelligence collection. Detection concepts: scheduled-task creation by non-SYSTEM processes (EID 4698 / Sysmon 12), .ost reads by processes other than Outlook.exe (Sysmon 11), and outbound HTTPS to Dropbox API endpoints from non-browser processes.

research04 Jun 05:00Zmulti-sourceOpen finding ↗