Overview
- The attackers kept access to a senior executive’s Outlook mailbox from October 2025 through March 2026, a roughly 150‑day dwell that let them steadily copy messages and calendar entries in small batches.
- The core tool was a wrapper around the legitimate Aspose .NET library that converted the victim’s OST file into PST archives and ran repeated dated extractions to build a near‑continuous copy of the mailbox.
- To blend with normal traffic, the intruders exfiltrated PST chunks through personal Dropbox and OneDrive accounts and connected to hardcoded Microsoft IP addresses rather than resolving hostnames, leaving no DNS log entries to match.
- They maintained persistence by running binaries disguised as Adobe and OneDrive components and by re‑registering scheduled tasks under plausible names, rotating the execution interval to reduce the chance of detection.
- Broadcom’s Symantec and Carbon Black published technical details and indicators of compromise but did not name the exchange or attribute the operation, and defenders are urged to ingest the IoCs and watch for the described tradecraft.
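The hardcoded-IP tradecraft in the third bullet suggests a detection: correlate each outbound connection with the DNS answers seen on the same host and flag destinations that nothing resolved. The script below is an added example, not code from the Symantec or Carbon Black report; its pipe-separated log layout, hostnames, IP addresses and process names are constructed sample values.

```python
"""Flag outbound connections to IPs that no DNS answer on the same host
resolved to: a hardcoded destination leaves no DNS trail to match.
Log lines below are constructed samples; the pipe-separated layout is
an assumption for this example, not the report's format."""
from datetime import datetime, timedelta

DNS_LOG = """\
2026-01-10T09:00:01|WKSTN-07|dns|outlook.office365.com|52.96.0.10
2026-01-10T09:00:05|WKSTN-07|dns|www.dropbox.com|162.125.0.5
2026-01-10T09:20:00|WKSTN-07|dns|login.microsoftonline.com|20.190.0.20
"""

CONN_LOG = """\
2026-01-10T09:00:02|WKSTN-07|conn|52.96.0.10|443|outlook.exe
2026-01-10T09:00:06|WKSTN-07|conn|162.125.0.5|443|chrome.exe
2026-01-10T09:25:00|WKSTN-07|conn|20.190.0.20|443|svchost.exe
2026-01-10T09:30:00|WKSTN-07|conn|52.96.1.77|443|OneDriveUpdater.exe
"""

def parse(log):
    """Split pipe-separated lines into (time, host, kind, *fields) tuples."""
    rows = []
    for line in log.strip().splitlines():
        ts, host, kind, *rest = line.split("|")
        rows.append((datetime.fromisoformat(ts), host, kind, *rest))
    return rows

def unresolved_connections(dns_log, conn_log, lookback_minutes=60):
    """Return connections whose destination IP no DNS answer on the same
    host returned within the lookback window before the connection.
    The window must cover the longest TTL the resolver caches, or
    legitimate connections reusing a cached answer get flagged too."""
    lookback = timedelta(minutes=lookback_minutes)
    answers = {}  # (host, ip) -> times the resolver returned that ip
    for ts, host, _kind, _name, ip in parse(dns_log):
        answers.setdefault((host, ip), []).append(ts)
    flagged = []
    for ts, host, _kind, ip, port, proc in parse(conn_log):
        seen = answers.get((host, ip), [])
        if not any(ts - lookback <= t <= ts for t in seen):
            flagged.append({"time": ts.isoformat(), "host": host, "dst": ip,
                            "port": int(port), "process": proc})
    return flagged

if __name__ == "__main__":
    for hit in unresolved_connections(DNS_LOG, CONN_LOG):
        print(f"{hit['time']} {hit['host']} {hit['process']} -> "
              f"{hit['dst']}:{hit['port']} has no matching DNS answer")
```

In the sample data only the connection from the masquerading updater binary is flagged; shrinking the lookback below the resolver's cache lifetime also flags the legitimate svchost.exe connection, which is the false-positive mode to tune for.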