Briefings

The Dark Reading account this week frames months of executive surveillance at a global stock exchange as evidence of patient, state-level tradecraft; the tooling recovered from the host was Windows Management Instrumentation (WMI) subscriptions, scheduled tasks, and native scripting binaries, the same stack a domain administrator runs during a software push. Those tools ship with Windows. They carry no malware signature, and no endpoint detection product issued an alert because none was configured to flag native tooling on a named individual's workstation as anomalous. That is the oversight, not the tradecraft.

MAS Technology Risk Management Guidelines require continuous monitoring for anomalous activity. The word "anomalous" is doing the heavy lifting. WMI subscriptions and scheduled tasks inside an enterprise domain are normal IT operations; their event log entries look the same whether they record a persistence mechanism or a software update, and no behavioral baseline draws that distinction automatically without deliberate tuning against the specific host profile. HKMA Cybersecurity Fortification Initiative 2.0 entered mandatory compliance assessment for Category 1 authorized institutions on 1 January 2026 with an explicit threat-hunting program requirement; independent assessment submissions to HKMA are due 30 June 2026, and whether those submissions describe adversary simulation against living-off-the-land technique classes or a product configuration walkthrough will determine whether CFI 2.0 is generating detection capability or generating paperwork.
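What "tuning against the specific host profile" looks like in practice, as an added example that is not from the Dark Reading account or this briefing: the same scheduled-task or WMI-subscription event is scored against a per-host baseline of approved deployment accounts, change windows and user sensitivity, so an identical record is noise on a server and a finding on an executive's workstation. Event IDs 4698 and 5861 are the real Windows identifiers; the hostnames, accounts, profiles and event records are constructed.

```python
from datetime import datetime

# Real Windows event IDs for the two native persistence primitives the briefing names:
# 4698 (Security, scheduled task created) and 5861 (WMI-Activity/Operational, WMI subscription bound).
PERSISTENCE_EVENTS = {4698: "scheduled task created", 5861: "WMI subscription created"}

# Constructed host baseline (hypothetical hostnames and accounts); the context lives here, not in the event.
HOST_PROFILES = {
    "WS-CFO-01": {"sensitivity": "executive", "deploy_accounts": {"CORP\\svc-deploy"},
                  "change_window": (22, 4)},   # 22:00-04:00 local, wraps midnight
    "APP-SRV-07": {"sensitivity": "standard", "deploy_accounts": {"CORP\\svc-deploy"},
                   "change_window": (22, 4)},
}

def in_window(hour, window):
    start, end = window
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end         # window crosses midnight

def classify(event, profiles=HOST_PROFILES):
    """Return None if the event is expected on its host, else the reasons it is not."""
    if event["event_id"] not in PERSISTENCE_EVENTS:
        return None
    profile = profiles.get(event["host"])
    if profile is None:
        return ["host has no baseline profile"]
    unexpected_actor = event["actor"] not in profile["deploy_accounts"]
    reasons = ["actor is not an approved deployment account"] if unexpected_actor else []
    if not in_window(datetime.fromisoformat(event["time"]).hour, profile["change_window"]):
        reasons.append("outside change window")
    # Per-host tuning: a named executive's workstation alerts on any deviation; a
    # standard server only when an unexpected account acted (late pushes are noise).
    if reasons and (profile["sensitivity"] == "executive" or unexpected_actor):
        return reasons
    return None

def triage(events, profiles=HOST_PROFILES):
    return [(ev["host"], PERSISTENCE_EVENTS[ev["event_id"]], classify(ev, profiles))
            for ev in events if classify(ev, profiles)]

# Constructed sample events: identical IDs and shape, different context.
SAMPLE_EVENTS = [
    {"host": "APP-SRV-07", "event_id": 4698, "actor": "CORP\\svc-deploy", "time": "2026-03-03T23:10:00"},
    {"host": "WS-CFO-01", "event_id": 4698, "actor": "CORP\\svc-deploy", "time": "2026-03-03T23:10:00"},
    {"host": "WS-CFO-01", "event_id": 5861, "actor": "CORP\\jdoe", "time": "2026-03-04T14:05:00"},
    {"host": "APP-SRV-07", "event_id": 5861, "actor": "CORP\\svc-deploy", "time": "2026-03-04T14:05:00"},
    {"host": "APP-SRV-07", "event_id": 4698, "actor": "CORP\\jdoe", "time": "2026-03-03T23:10:00"},
]
```

Running `triage(SAMPLE_EVENTS)` surfaces only the two events an analyst should see: the WMI subscription created by an interactive user on the executive workstation, and the scheduled task created by that user on the server.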

Filing as written. The CFI 2.0 deadline framing is the right pressure point. Watch whether the HKMA response to June submissions surfaces publicly or disappears into the licensing file. -- WR