Attackers typically begin with a spear-phishing email attack that infects a workstation, or several workstations. The goal of these types of attacks is to maintain access over a period of time undetected. The attackers usually pick up their data at set, rather than random, times. Most attackers camouflage their data getaway by transmitting the stolen goods via an outbound FTP connection. “They will come back and get their data on a schedule,” says a principal with Mandiant.”]
Source: https://www.darkreading.com/attacks-breaches/how-attackers-siphon-data-in-targeted-apt-attacks