Unknown threat actors maintained covert access to a senior stock exchange executive’s Outlook mailbox for at least five months, quietly exfiltrating email data in small batches to evade detection. The stolen data was routed through legitimate cloud storage services — Dropbox and OneDrive — to blend with normal business traffic. Symantec and Carbon Black attribute the campaign to espionage, suggesting a nation-state or sophisticated threat actor targeting financial sector intelligence.

Architect’s Take: Review Microsoft 365 audit logs and Conditional Access policies for unusual mailbox delegation, mail forwarding rules, or OAuth app consents — particularly any third-party app with access to Mail.Read scopes. Implement Cloud App Security (Defender for Cloud Apps) policies to alert on bulk email access or large data transfers to consumer cloud storage services such as Dropbox and OneDrive.

Original advisory: Hackers Spied on a Stock Exchange Executive’s Outlook Mailbox for Five Months

Unknown threat actors maintained covert access to a senior stock exchange executive’s Microsoft Outlook mailbox for at least five months, systematically exfiltrating email data in small batches to avoid detection. The stolen data was routed through Dropbox and OneDrive to blend with legitimate cloud traffic, making it harder for security tools to flag the activity. The campaign bears the hallmarks of a state-sponsored or sophisticated espionage operation targeting high-value financial intelligence.

Architect’s Take: Review Microsoft 365 audit logs and Defender for Cloud Apps policies for anomalous mail export activity, particularly incremental inbox syncs or delegated access from unfamiliar locations — and enforce conditional access policies that restrict OAuth app permissions for third-party cloud storage providers such as Dropbox and OneDrive to prevent data staging and exfiltration via trusted cloud channels.

Original advisory: Hackers Spied on a Stock Exchange Executive’s Outlook Mailbox for Five Months

A debug flag accidentally left enabled in production builds of multiple Microsoft 365 Android apps disabled a security check that restricts account token sharing to trusted Microsoft applications. As a result, any app installed on the same Android device could silently request and receive the signed-in user’s authentication token, granting full access to email, files, calendar, and the ability to send messages on their behalf. No user interaction, credentials, or elevated permissions were required to exploit this.

Architect’s Take: Audit your mobile application management (MAM) and Conditional Access policies to ensure app-based controls are enforced at the resource level and are not solely reliant on client-side token handling. Until Microsoft confirms a fully patched build is deployed, consider enforcing Continuous Access Evaluation (CAE) and restricting M365 access on Android to Intune-managed devices with compliant app versions.

Original advisory: Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag

A debug flag accidentally left enabled in production builds of multiple Microsoft 365 Android apps disabled the trust check that normally restricts account-token sharing to authorised Microsoft applications. As a result, any app installed on the same Android device could silently request and receive a valid authentication token, granting full access to the victim’s email, files, calendar, and messaging without any user interaction or additional permissions. The flaw affects any user running a vulnerable Microsoft 365 Android app while also having a malicious or compromised app on the same device.

Architect’s Take: Mandate immediate updates to all affected Microsoft 365 Android apps across your managed device estate via your MDM/UEM solution, and review Conditional Access policies to detect anomalous token usage or unexpected app sign-ins. Consider temporarily blocking unmanaged Android devices from accessing Microsoft 365 resources until patched app versions are confirmed deployed.

Original advisory: Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag