ToddyCat’s New Hacking Tools Steal Outlook Emails and Microsoft 365 Access Tokens

The threat actor ToddyCat is using new hacking tools to steal corporate email data, including a custom tool called TCSectorCopy. The group also aims to obtain the OAuth 2.0 authorization tokens that users' browsers hold for corporate mail access.

According to Kaspersky, this allows them to access emails outside the compromised infrastructure. ToddyCat has been active since 2020, targeting organizations in Europe and Asia. For more technical details, see the Kaspersky breakdown.

Their previous activities include exploiting a security flaw in ESET Command Line Scanner (CVE-2024-11859) to deploy TCESB malware. You can find information on their prior tactics here and the TCESB malware here.

A PowerShell variant of TomBerBil has also been observed, designed to extract data from Mozilla Firefox. This version operates from domain controllers with privileged access, using SMB to access browser files via shared network resources.

TomBerBil can also capture the Windows Data Protection API (DPAPI) keys needed to decrypt the stolen browser data, giving the attackers local access to the encrypted master keys and user files. Information on DPAPI can be found here.

TCSectorCopy (xCopy.exe), a C++ tool, accesses corporate emails in local Microsoft Outlook OST files by reading disk sectors. Once copied, an open-source viewer like XstReader extracts the correspondence content.

ToddyCat also tries to obtain Microsoft 365 access tokens directly from memory using SharpTokenFinder, an open-source C# tool. This enumerates Microsoft 365 applications for plain text authentication tokens.

When security software blocks SharpTokenFinder, the threat actors resort to using ProcDump from the Sysinternals package to dump the Outlook process memory and bypass restrictions.
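Both techniques above leave telemetry a defender can alert on: a raw volume read by an unexpected process (the sector-level OST copy) and a memory dump targeting the Outlook process. The following is an added example, not code from Kaspersky or the article, that runs two such checks over constructed events modelled on Sysmon's process-creation (Event 1) and RawAccessRead (Event 9) fields; the allowlist of legitimate raw-read processes is an assumption to tune per environment.

```python
from typing import Iterable, List, Optional, Tuple

# Constructed sample events (not real telemetry), shaped like Sysmon Event 1
# (process creation) and Event 9 (RawAccessRead) records.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "Image": r"C:\Temp\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma outlook.exe C:\Temp\o.dmp",
     "User": r"CORP\jdoe"},
    {"EventID": 9, "Image": r"C:\Windows\System32\vssvc.exe",
     "Device": r"\Device\HarddiskVolume3", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 9, "Image": r"C:\Users\Public\xCopy.exe",
     "Device": r"\Device\HarddiskVolume3", "User": r"CORP\jdoe"},
]

# Assumption: processes that legitimately read raw volumes (VSS, backup, defrag).
RAW_READ_ALLOWLIST = {"vssvc.exe", "wbengine.exe", "defrag.exe", "system"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(event: dict) -> Optional[str]:
    """Return a finding string for a suspicious event, else None."""
    image = _basename(event.get("Image", ""))
    if event.get("EventID") == 1:
        cmd = event.get("CommandLine", "").lower()
        # ProcDump may be renamed, so match on the -ma full-dump switch as well
        # as the binary name; either combined with an Outlook target is suspicious.
        dumper = "procdump" in image or " -ma " in f" {cmd} "
        if dumper and "outlook" in cmd:
            return "memory dump of Outlook process (possible M365 token theft)"
    elif event.get("EventID") == 9:
        # Raw sector reads bypass file locks on open OST files; only backup-class
        # tooling should be doing this.
        if image not in RAW_READ_ALLOWLIST:
            return "raw volume read by unexpected process (possible OST sector copy)"
    return None


def scan(events: Iterable[dict]) -> List[Tuple[str, str]]:
    """Run detect() over a stream of events and collect (image, finding) pairs."""
    return [(e["Image"], v) for e in events if (v := detect(e))]


if __name__ == "__main__":
    for image, finding in scan(SAMPLE_EVENTS):
        print(f"{finding}: {image}")
```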

Kaspersky notes that “The ToddyCat APT group is constantly developing its techniques and looking for those that would hide activity to gain access to corporate correspondence within the compromised infrastructure.”

The persistent targeting of Microsoft 365 access tokens by groups like ToddyCat underscores the critical role these services play in global commerce and communication. Their reliability matters not only for withstanding security breaches but for day-to-day operational stability.

Even non-malicious incidents, such as past global outages stemming from faulty cloud configurations, highlight the fragility of extensive digital infrastructures. Such disruptions demonstrate how deeply organizations depend on consistent access to these platforms.

For more on the widespread impact when core services like Microsoft 365 face operational challenges, including faulty cloud configurations that led to global outages, refer to reporting on such events. Read about a past Microsoft services outage.