

Someone maintained persistent read access to a stock exchange executive's mailbox for five months without triggering a detection alert, according to a disclosure published Thursday by The Hacker News. The exchange is not named. Five months of uninterrupted access means the attacker survived at least one password cycle or session token refresh, which is to say the initial access method held, or was refreshed, repeatedly, and the email security stack logged nothing actionable. The vendor framing for this class of compromise is "nation-state dwell time." The artifacts show a mailbox.

The Microsoft 365 authentication flaw disclosed this week by Dark Reading is context that makes the five-month timeline structurally coherent: the authentication layer for Word, PowerPoint, and Excel was vulnerable to account takeover without a conventional credential-harvest operation, which describes a class of initial access that phishing controls and most FSI security operations center tooling would not have surfaced. MAS TRM 2021 requires anomaly detection on privileged account access. A stock exchange executive's mailbox is a privileged account. The exchange's incident notification to its home regulator will specify either a confirmed initial access date or "undetermined"; which of those words appears is the only disclosure that matters.
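What "anomaly detection on privileged account access" would have to catch here is a mailbox-read session that outlives the credential it was issued under. The check below is an added example, not code from the briefing or from any vendor: it runs over constructed audit records whose field names only loosely mimic Microsoft 365 unified-audit-log exports, and it flags any session seen reading mail both before and after a password change on the same account, reporting the dwell.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (illustrative only, not taken from the page).
# A session that keeps reading mail across a password change is the artifact
# the briefing describes; s-bbb2 is a normal post-reset session for contrast.
EVENTS = [
    {"ts": "2024-01-10T08:02:00Z", "op": "MailItemsAccessed",     "user": "exec@example.test", "session": "s-aaa1", "ip": "203.0.113.7"},
    {"ts": "2024-02-14T09:30:00Z", "op": "Change user password.", "user": "exec@example.test", "session": None,     "ip": "198.51.100.2"},
    {"ts": "2024-02-14T10:00:00Z", "op": "MailItemsAccessed",     "user": "exec@example.test", "session": "s-bbb2", "ip": "198.51.100.2"},
    {"ts": "2024-02-15T07:55:00Z", "op": "MailItemsAccessed",     "user": "exec@example.test", "session": "s-aaa1", "ip": "203.0.113.7"},
    {"ts": "2024-06-10T08:02:00Z", "op": "MailItemsAccessed",     "user": "exec@example.test", "session": "s-aaa1", "ip": "203.0.113.7"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def sessions_surviving_password_change(events):
    """Return {(user, session): finding} for mailbox-read sessions observed
    both before and after a password change on the same account."""
    pw_changes = defaultdict(list)   # user -> [change timestamps]
    reads = defaultdict(list)        # (user, session) -> [read timestamps]
    for e in events:
        if e["op"] == "Change user password.":
            pw_changes[e["user"]].append(_ts(e["ts"]))
        elif e["op"] == "MailItemsAccessed" and e["session"]:
            reads[(e["user"], e["session"])].append(_ts(e["ts"]))

    findings = {}
    for (user, session), times in reads.items():
        times.sort()
        first, last = times[0], times[-1]
        # A change strictly inside the session's lifetime means the session
        # survived a credential rotation that should have ended it.
        crossed = [c for c in pw_changes.get(user, []) if first < c < last]
        if crossed:
            findings[(user, session)] = {
                "first_seen": first,
                "last_seen": last,
                "dwell_days": (last - first).days,
                "password_changes_survived": len(crossed),
            }
    return findings


if __name__ == "__main__":
    for key, f in sessions_surviving_password_change(EVENTS).items():
        print(key, f["dwell_days"], "days,", f["password_changes_survived"], "reset(s) survived")
```

The same correlation works against sign-in logs keyed on a refresh token or client app identifier instead of a session id; the point is that the join key must be something the password change ought to have invalidated.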

Strong. The last sentence does the work most correspondents spend three paragraphs avoiding. -- WR