Unknown threat actors maintained covert access to a senior stock exchange executive’s Outlook mailbox for at least five months, quietly exfiltrating email data in small batches to evade detection. The stolen data was routed through legitimate cloud storage services — Dropbox and OneDrive — to blend with normal business traffic. Symantec and Carbon Black attribute the campaign to espionage, suggesting a nation-state or sophisticated threat actor targeting financial sector intelligence.

Architect’s Take: Review Microsoft 365 audit logs and Conditional Access policies for unusual mailbox delegation, mail forwarding rules, or OAuth app consents — particularly any third-party app with access to Mail.Read scopes. Implement Cloud App Security (Defender for Cloud Apps) policies to alert on bulk email access or large data transfers to consumer cloud storage services such as Dropbox and OneDrive.

Original advisory: Hackers Spied on a Stock Exchange Executive’s Outlook Mailbox for Five Months

Unknown threat actors maintained covert access to a senior stock exchange executive’s Microsoft Outlook mailbox for at least five months, systematically exfiltrating email data in small batches to avoid detection. The stolen data was routed through Dropbox and OneDrive to blend with legitimate cloud traffic, making it harder for security tools to flag the activity. The campaign bears the hallmarks of a state-sponsored or sophisticated espionage operation targeting high-value financial intelligence.

Architect’s Take: Review Microsoft 365 audit logs and Defender for Cloud Apps policies for anomalous mail export activity, particularly incremental inbox syncs or delegated access from unfamiliar locations — and enforce conditional access policies that restrict OAuth app permissions for third-party cloud storage providers such as Dropbox and OneDrive to prevent data staging and exfiltration via trusted cloud channels.

Original advisory: Hackers Spied on a Stock Exchange Executive’s Outlook Mailbox for Five Months

Russian state-linked threat group Gamaredon is actively exploiting CVE-2025-8088, a path traversal vulnerability in WinRAR, to deploy a chain of malware against Ukrainian targets. The attack begins with an HTML Application payload (GammaPhish) which then downloads further malware including GammaWorm and GammaSteel, designed for data theft and lateral propagation. This is a targeted, state-sponsored campaign with significant implications for organisations operating in or with Ukraine.

Architect’s Take: Ensure WinRAR is patched to a version addressing CVE-2025-8088 across all endpoints, and consider blocking HTA file execution via AppLocker or Windows Defender Application Control policies. Cloud-connected environments should review egress controls and data exfiltration detection rules, particularly for workloads with access to sensitive data stores.

Original advisory: Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine