Stock Exchange Espionage: Detecting Cloud-Based Mailbox Exfiltration via Dropbox and OneDrive

A recent report from Symantec and the Carbon Black Threat Hunter Team uncovered a chilling example of cyber espionage: unknown attackers maintained unauthorized access to the Outlook mailbox of a senior executive at a major global stock exchange for at least five months.

Unlike typical financially motivated breaches that aim for immediate ransom or fraud, this campaign was characterized by stealth and persistence. The attackers exfiltrated the mailbox contents in small, repeated batches, routing the traffic through legitimate cloud storage services like Dropbox and OneDrive. This technique, often referred to as "living off the land" (LotL) for data exfiltration, allowed the malicious traffic to blend seamlessly with normal executive workflow and authorized cloud application usage, bypassing traditional perimeter controls.

For defenders, this highlights a critical blind spot: the assumption that encrypted traffic to known, trusted SaaS platforms is inherently safe. Security teams must immediately pivot to behavioral monitoring of cloud usage and internal data movements, rather than relying solely on allow-lists.

Technical Analysis

Affected Platforms & Services:

• Primary Target: Microsoft Exchange Online (Outlook Mailbox)
• Exfiltration Vectors: Dropbox API, OneDrive API (or Sync Clients)
• Access Vector: Likely compromised user credentials or OAuth tokens ( phishing or token theft), allowing for Application IMAP/Graph API access.

The Attack Chain:

1. Initial Access: The threat actor obtained access to the executive's account. Given the longevity (5 months) and lack of mention of MFA bypass via vulnerabilities, this strongly suggests token theft or sophisticated phishing that harvested session cookies.
2. Discovery & Staging: The attackers mapped the mailbox structure, identifying high-value folders (Inbox, Sent Items, Archives).
3. Exfiltration (Tactic: T1114.002 / T1567.002): Instead of dumping the entire mailbox in one large archive (which would trigger data loss prevention alerts), the attackers utilized a "low-and-slow" approach.
   • They likely used the Microsoft Graph API or IMAP to iterate through emails in batches.
   • These batches were systematically uploaded to cloud storage (Dropbox/OneDrive). If using a compromised endpoint, this may have involved copying .pst or .msg files into synchronized local folders for Dropbox/OneDrive. If cloud-native, they used the APIs to write data directly to a personal or compromised tenant storage instance.
4. Blending In: By routing traffic to dropboxapi.com or office365.com endpoints, the data exfiltration appeared indistinguishable from legitimate file synchronization operations to network monitoring tools.

Exploitation Status:

• Status: Confirmed Active Exploitation (In-the-wild).
• CVE: This campaign relies on protocol abuse (API/IMAP) and valid credentials rather than a specific software vulnerability (CVE). Therefore, no CVE patch exists for this specific TTP. Defense relies on configuration hardening and behavioral detection.

Detection & Response

Detecting this type of espionage requires correlating identity activity with file movement. Defenders should look for anomalies in the volume of data accessed from Exchange and the subsequent upload patterns to cloud storage.

SIGMA Rules

---
title: Potential Exchange Mailbox Exfiltration via Graph API
id: 8a4b3c21-7d6e-4f9a-bc12-9e8f7a6b5c4d
status: experimental
description: Detects potential mailbox exfiltration by identifying a high volume of specific Exchange Online operations (MailItemsAccessed) followed by file upload activities to personal cloud storage contexts.
references:
  - https://attack.mitre.org/techniques/T1114/002/
author: Security Arsenal
date: 2026/06/12
tags:
  - attack.collection
  - attack.t1114.002
logsource:
  product: o365
  service: exchange
detection:
  selection:
    Operation|contains:
      - 'MailItemsAccessed'
      - 'SearchMailboxes'
  filter_high_volume:
    OperationCount: 10
  timeframe: 1h
condition: selection and filter_high_volume
falsepositives:
  - Legitimate heavy usage by executive assistants or eDiscovery tools
level: high
---
title: Email Archive Upload to Cloud Storage Sync Folder
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects the creation or modification of email archive files (.pst, .msg, .ost) within known cloud storage synchronization directories (Dropbox, OneDrive), indicative of manual or scripted exfiltration.
references:
  - https://attack.mitre.org/techniques/T1567/002/
author: Security Arsenal
date: 2026/06/12
tags:
  - attack.exfiltration
  - attack.t1567.002
logsource:
  category: file_create
  product: windows
detection:
  selection_ext:
    TargetFilename|endswith:
      - '.pst'
      - '.msg'
      - '.ost'
  selection_path:
    TargetFilename|contains:
      - '\Dropbox\'
      - '\OneDrive\'
      - '\Google Drive\'
  condition: all of selection_*
falsepositives:
  - Users manually backing up their email
level: medium

KQL (Microsoft Sentinel)

This query correlates heavy mailbox access with subsequent upload events to personal cloud storage, identifying the "batching" behavior described in the report.

// Correlate heavy Exchange Mailbox access with Cloud Storage uploads
let MailboxAccess = 
    OfficeActivity
    | where TimeGenerated > ago(24h)
    | where Operation in ("MailItemsAccessed", "ExportItems", "New-MailboxExportRequest")
    | summarize AccessCount = count() by UserId, bin(TimeGenerated, 10m);
let CloudUploads = 
    DeviceFileEvents
    | where TimeGenerated > ago(24h)
    | where ActionType == "FileCreated"
    | where FileName in ("*.pst", "*.msg", "*.eml")
    | where InitiatingProcessFolderPath contains "Dropbox" 
       or InitiatingProcessFolderPath contains "OneDrive"
       or FolderPath contains "Dropbox" 
       or FolderPath contains "OneDrive"
    | summarize UploadCount = count() by AccountName, bin(TimeGenerated, 10m);
MailboxAccess 
    | join kind=inner (CloudUploads) on $left.UserId == $right.AccountName, TimeGenerated
    | project UserId, TimeGenerated, AccessCount, UploadCount, AccountName
    | order by TimeGenerated desc

Velociraptor VQL

This VQL artifact hunts for Outlook data files being modified or accessed recently within directories that synchronize to the cloud.

-- Hunt for recent Outlook data files in cloud sync directories
SELECT FullPath, Size, Mtime, Atime, Mode
FROM glob(globs="*/Dropbox/*.pst", root=env("HOMEDRIVE") + env("HOMEPATH"))
WHERE Mtime > now() - 7h
UNION ALL
SELECT FullPath, Size, Mtime, Atime, Mode
FROM glob(globs="*/OneDrive/*.msg", root=env("HOMEDRIVE") + env("HOMEPATH"))
WHERE Mtime > now() - 7h

Remediation Script (PowerShell)

Use this script to audit and tighten security controls on Microsoft 365 accounts to mitigate the risk of persistent mailbox access and unauthorized cloud syncing.

# Audit and Harden Exchange Online against Espionage
# Requires ExchangeOnlineManagement module

Write-Host "Connecting to Exchange Online..."
Connect-ExchangeOnline -ShowBanner:$false

# 1. Check for users with non-standard forwarding rules (potential data leak)
Write-Host "Checking for inbox forwarding rules..."
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $forwardingRules = Get-InboxRule -Mailbox $_.Identity | Where-Object { $_.ForwardTo -or $_.RedirectTo }
    if ($forwardingRules) {
        Write-Warning "User $($_.PrimarySmtpAddress) has forwarding rules configured."
        $forwardingRules | Select-Object MailboxOwnerId, Name, ForwardTo, RedirectTo
    }
}

# 2. Identify users with Mailbox Auditing disabled
Write-Host "Checking Mailbox Auditing status..."
$users = Get-Mailbox -ResultSize Unlimited
foreach ($user in $users) {
    $auditConfig = Get-Mailbox -Identity $user.Identity | Select-Object AuditEnabled
    if (-not $auditConfig.AuditEnabled) {
        Write-Warning "Auditing disabled for $($user.PrimarySmtpAddress). Enabling..."
        Set-Mailbox -Identity $user.Identity -AuditEnabled $true
    }
}

# 3. Disable Basic Authentication (if still active) to force MFA/Modern Auth
# Note: This is a tenant-wide setting, usually configured in Azure AD, but we can check Auth policies
Write-Host "Reminder: Ensure 'DisableBasicAuth' is enforced in Exchange Online Management Shell."

Disconnect-ExchangeOnline -Confirm:$false
Write-Host "Audit Complete. Review warnings for potential indicators of compromise."

Remediation

Given the stealthy nature of this campaign, immediate remediation requires a combination of technical lockdowns and user verification.

1. Forced Token Revocation: If you suspect a user has been compromised, invalidate all refresh tokens for the user's account via the Azure Portal (Revoke sign-in). This forces re-authentication, disrupting the attacker's persistent access.

2. Restrict OAuth Applications: Implement a strict "Consent" policy for OAuth applications. Require admin consent for applications that request Mail.Read or Mail.ReadWrite permissions. This prevents attackers from registering a malicious app to grant themselves persistent mailbox access.

3. Conditional Access (CA) Policies:

   • Implement CA policies that restrict access to Exchange Online from unmanaged devices or unknown locations.
   • Require "Compliant Device" or "Hybrid Azure AD Joined" status for executives accessing sensitive mail data.

4. Review Cloud Storage Access: Audit logs for Dropbox and OneDrive to identify if there are automated flows (API connections) linked to the compromised user account that are moving data externally.

5. Session Timeouts: Configure Microsoft 365 session timeouts to a shorter duration (e.g., 1 hour) for high-privileged users to reduce the window of opportunity for attackers using stolen sessions.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub