Espionage Campaign Exfiltrates Senior Executive Email from Global Stock Exchange Over Five Months
What Happened — An unknown threat actor infiltrated the Microsoft Outlook mailbox of a senior executive at a major global stock exchange and covertly copied email contents for at least five months. The stolen data was exfiltrated in small batches via legitimate cloud‑storage services (Dropbox and OneDrive) to blend with normal traffic.
Why It Matters for TPRM (Third‑Party Risk Management) —
- Executive‑level email compromise can reveal strategic market insights, merger‑and‑acquisition plans, and regulatory communications.
- The use of trusted cloud services for exfiltration evades many traditional data‑loss‑prevention controls, increasing supply‑chain risk for downstream partners.
- Persistent access indicates a sophisticated, possibly state‑backed actor, raising the threat profile of any vendor that handles privileged communications.
Who Is Affected — Financial Services (stock exchanges, brokerage firms, asset managers) and any third‑party service providers that host or transmit executive communications.
Recommended Actions —
- Review all vendor contracts that involve privileged email access or cloud‑storage integration.
- Enforce MFA and conditional access policies for high‑value accounts.
- Deploy mailbox activity monitoring and anomaly detection for large‑volume or off‑hour data transfers.
- Conduct a forensic review of any shared cloud‑storage links used by executives.
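The mailbox‑monitoring action above, worked as an added example (not code from the advisory or from The Hacker News report): it runs three detection rules over a constructed, simplified feed that merges mailbox‑audit read events with proxy/CASB upload events. Besides the off‑hour and cloud‑storage checks the bullet names, it adds a "low‑and‑slow" rule for the pattern described under What Happened, repeated small mailbox reads from an unrecognised source across many days. Account names, IP addresses, app names, field names and thresholds are all assumptions for illustration.

```python
"""Detection logic for executive-mailbox exfiltration patterns (added example).

Operates on a CONSTRUCTED, simplified event feed: mailbox-audit reads
(MailItemsAccessed) merged with proxy/CASB upload events (FileUploaded).
Field names, accounts, IPs and thresholds are assumptions, not from the incident.
"""
from collections import defaultdict
from datetime import datetime, time

# Assumed tuning knobs; replace with the organisation's own baseline.
EXECUTIVE_ACCOUNTS = {"exec@example.com"}
KNOWN_SOURCE_IPS = {"198.51.100.10"}            # e.g. corporate egress
UNSANCTIONED_STORAGE = {"Dropbox", "OneDrive"}   # consumer/personal storage
WORK_START, WORK_END = time(7, 0), time(19, 0)
PERSISTENCE_DAYS = 3                             # distinct days before alerting

# Constructed sample events (not incident data). Timestamps are local time.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:15:00", "user": "exec@example.com", "op": "MailItemsAccessed", "ip": "198.51.100.10", "app": "Outlook", "items": 120},
    {"ts": "2024-03-04T02:40:00", "user": "exec@example.com", "op": "MailItemsAccessed", "ip": "203.0.113.7", "app": "Outlook", "items": 15},
    {"ts": "2024-03-05T03:05:00", "user": "exec@example.com", "op": "MailItemsAccessed", "ip": "203.0.113.7", "app": "Outlook", "items": 12},
    {"ts": "2024-03-06T02:55:00", "user": "exec@example.com", "op": "MailItemsAccessed", "ip": "203.0.113.7", "app": "Outlook", "items": 18},
    {"ts": "2024-03-06T03:10:00", "user": "exec@example.com", "op": "FileUploaded", "ip": "203.0.113.7", "app": "Dropbox", "items": 1},
    {"ts": "2024-03-06T10:00:00", "user": "analyst@example.com", "op": "MailItemsAccessed", "ip": "203.0.113.7", "app": "Outlook", "items": 30},
    {"ts": "2024-03-07T14:00:00", "user": "exec@example.com", "op": "FileUploaded", "ip": "198.51.100.10", "app": "SharePoint", "items": 4},
]


def is_off_hours(ts: datetime) -> bool:
    """True when the event is on a weekend or outside the assumed working window."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)


def detect(events, exec_accounts=EXECUTIVE_ACCOUNTS, known_ips=KNOWN_SOURCE_IPS):
    """Return a list of findings; each finding is a dict with rule, user and detail."""
    findings = []
    days_by_user_ip = defaultdict(set)  # (user, ip) -> dates on which mailbox reads occurred
    for e in events:
        user = e["user"]
        if user not in exec_accounts:
            continue  # scope to high-value accounts to keep alert volume manageable
        ts = datetime.fromisoformat(e["ts"])
        if e["op"] == "MailItemsAccessed":
            days_by_user_ip[(user, e["ip"])].add(ts.date())
            if is_off_hours(ts):
                findings.append({"rule": "off_hours_mailbox_read", "user": user,
                                 "detail": f"{e['items']} items at {e['ts']} from {e['ip']}"})
        elif e["op"] == "FileUploaded" and e["app"] in UNSANCTIONED_STORAGE:
            findings.append({"rule": "upload_to_unsanctioned_storage", "user": user,
                             "detail": f"{e['app']} at {e['ts']} from {e['ip']}"})
    # Low-and-slow pattern: mailbox reads from an unrecognised source on many distinct days,
    # which a per-event volume threshold alone would miss.
    for (user, ip), days in days_by_user_ip.items():
        if ip not in known_ips and len(days) >= PERSISTENCE_DAYS:
            findings.append({"rule": "persistent_unrecognised_source", "user": user,
                             "detail": f"{ip} on {len(days)} distinct days"})
    return findings


def summarize(findings):
    """Count findings per rule, the shape an alerting dashboard would consume."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS)
    for f in results:
        print(f["rule"], f["user"], f["detail"])
    print(summarize(results))
```

On the constructed feed this yields three off‑hour read findings, one unsanctioned upload, and one persistence finding for the unrecognised source IP; the analyst account's activity and the sanctioned SharePoint upload are ignored. In production the event feed would come from the tenant's mailbox audit log and the CASB or proxy, and the known‑IP and working‑hour baselines would be derived per account rather than hard‑coded.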
Technical Notes — Attack vector appears to be credential compromise or session hijacking; no specific CVE was disclosed. Data exfiltrated included full email headers, bodies, and attachments. Exfiltration was staged through legitimate Dropbox and OneDrive accounts to mask traffic. Source: The Hacker News