ToddyCat's New Hacking Tools Steal Outlook Emails and Microsoft 365 Access Tokens
Summary:
ToddyCat APT has expanded its methods for covert access to internal corporate email. Earlier toolsets focused on extracting browser cookies, credentials, and stored passwords from Chrome, Edge, and Firefox. A newer PowerShell-based variant, deployed on domain controllers, remotely accessed user browser folders via SMB and collected credential material along with DPAPI master keys, allowing offline decryption of cookies, history files, and saved passwords. As monitoring improved, ToddyCat shifted to targeting Outlook OST files using a custom sector-level copying tool called TCSectorCopy, enabling them to copy locked OST files and exfiltrate email content using XstReader. Most recently, the group looked to bypass host-level monitoring entirely by harvesting OAuth 2.0 access tokens from Microsoft 365 processes using SharpTokenFinder or ProcDump. These tokens can authenticate to cloud email directly, enabling attackers to read mail outside the monitored environment.
Security Officer Comments:
ToddyCat’s progression reflects a strategic priority: persistent and stealthy access to corporate communications, even as defenders close visibility gaps. Their move away from noisy browser-file scraping to sector-level file copying and then to token harvesting demonstrates adaptability and a deep understanding of enterprise email flows. The PowerShell TomBerBil variant also highlights operational maturity, running on domain controllers, abusing network shares, and blending with legitimate SMB traffic to evade EDR. The pivot to OAuth token theft is particularly concerning. Access tokens allow attackers to bypass both endpoint monitoring and MFA, granting direct entry into cloud mailboxes. This aligns with a broader trend in state-aligned groups shifting toward identity-based intrusions and cloud-service abuse.
Suggested Corrections:
Organizations heavily reliant on Microsoft 365 should view this as a reminder that email access no longer depends solely on endpoint compromise; identity and token security are equally critical.
- Harden domain controllers and PowerShell usage: Restrict PowerShell execution, tighten scheduled task permissions, and monitor for scripts running from unusual directories. ToddyCat relies heavily on PowerShell on DCs to collect browser data at scale.
- Monitor SMB access to user profiles: Enable auditing for Event ID 5145 to detect remote SMB reads of browser folders, DPAPI key directories, and credential stores. ToddyCat’s collection method depends on silent cross-host SMB access.
- Protect browser credential stores and DPAPI keys: Audit Chrome/Edge/Firefox profile paths and watch for attempts to copy Microsoft\Protect and Microsoft\Credentials folders. These keys allow attackers to decrypt harvested cookies and passwords offline.
- Defend Outlook data and detect low-level file copying: Monitor OST file access, detect sector-level reads via Sysmon Event ID 9, and block unauthorized file-copy tools like TCSectorCopy or ProcDump targeting Office apps.
- Harden identity and token security in Microsoft 365: Monitor OAuth token issuance and unusual token replay activity, enforce conditional access policies, and block unauthorized process-dumping tools used to extract tokens from Outlook or Teams.
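As an added example (not code from the article or the underlying report), the Python sketch below applies two of the host-side checks above, Event ID 5145 remote share reads of browser and DPAPI paths and Sysmon Event ID 9 raw volume reads, to constructed sample events. Field names follow the Windows Security 5145 and Sysmon 9 schemas; the user names, IPs, paths, image name and the raw-read allowlist are assumptions.

```python
import re

# Constructed sample events (not from the article); field names follow the Windows
# Security 5145 and Sysmon 9 (RawAccessRead) schemas, all values are invented.
SAMPLE_EVENTS = [
    {"EventID": 5145, "SubjectUserName": "svc_backup", "IpAddress": "10.0.0.5",
     "RelativeTargetName": r"Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"EventID": 5145, "SubjectUserName": "svc_backup", "IpAddress": "10.0.0.5",
     "RelativeTargetName": r"Users\alice\AppData\Roaming\Microsoft\Protect\S-1-5-21-1-2-3-1001\1f2e3d4c"},
    {"EventID": 5145, "SubjectUserName": "bob", "IpAddress": "10.0.0.9",
     "RelativeTargetName": r"Users\bob\Documents\report.docx"},
    {"EventID": 9, "Image": r"C:\Windows\Temp\copytool.exe", "Device": r"\Device\HarddiskVolume3"},
    {"EventID": 9, "Image": r"C:\Windows\System32\VSSVC.exe", "Device": r"\Device\HarddiskVolume3"},
]

# Paths the brief says ToddyCat reads over SMB: browser secret stores, the DPAPI
# material needed to decrypt them offline, and Outlook OST mail stores.
SENSITIVE_PATHS = {
    "browser_secrets": re.compile(
        r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\.*\\(Cookies|Login Data|History)$"
        r"|\\Mozilla\\Firefox\\Profiles\\.*\\(cookies\.sqlite|logins\.json|key4\.db)$", re.I),
    "dpapi_material": re.compile(r"\\AppData\\Roaming\\Microsoft\\(Protect|Credentials)\\", re.I),
    "outlook_ost": re.compile(r"\.ost$", re.I),
}

# Images expected to open volumes raw (assumed allowlist); any other RawAccessRead
# is treated as a possible sector-level copier of locked files such as OSTs.
RAW_READ_ALLOWLIST = {r"c:\windows\system32\vssvc.exe"}

def classify_share_access(event):
    """Return the sensitive-path category a 5145 event touched, or None."""
    target = event.get("RelativeTargetName", "")
    for category, pattern in SENSITIVE_PATHS.items():
        if pattern.search(target):
            return category
    return None

def detect(events):
    """Return one alert dict per event matching either host-side check."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 5145:
            category = classify_share_access(ev)
            if category:
                alerts.append({"rule": "smb_read_" + category, "actor": ev["SubjectUserName"],
                               "source_ip": ev["IpAddress"], "target": ev["RelativeTargetName"]})
        elif ev.get("EventID") == 9 and ev.get("Image", "").lower() not in RAW_READ_ALLOWLIST:
            alerts.append({"rule": "raw_volume_read_unexpected_image",
                           "actor": ev["Image"], "target": ev["Device"]})
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields three alerts (the Chrome cookie read, the DPAPI master-key read, and the raw read by the unlisted image) and ignores the document read and the VSS raw read.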
Link(s):
https://thehackernews.com/2025/11/toddycats-new-hacking-tools-steal.html