ToddyCat expands toolset to steal Outlook data and Microsoft 365 access tokens
Farah Amod
December 16, 2025
The group has introduced new methods to extract emails and authentication material from compromised networks.
What happened
According to The Hacker News, the threat group known as ToddyCat is using new tools and techniques to access corporate email data, including a custom utility named TCSectorCopy that extracts Outlook OST files at the disk level. Researchers also observed campaigns in which ToddyCat captured Microsoft 365 access tokens by abusing OAuth flows and browser data.
Going deeper
ToddyCat has been active since 2020 and is known for targeting organizations across Europe and Asia. Recent activity included a PowerShell variant of the group’s TomBerBil malware, which previously existed in C++ and C#. The PowerShell version operated from domain controllers with elevated privileges and harvested browser artifacts such as history, cookies, and saved credentials through network shares using SMB. Investigators found that ToddyCat used scheduled tasks to deploy the tool and collected DPAPI encryption keys, allowing the attackers to decrypt copied browser data offline. The group also continued exploiting CVE-2024-11859 in ESET’s command line scanner to deliver additional payloads, including previously undocumented modules.
What was said
Researchers noted that TCSectorCopy, written in C++, copies Outlook OST files by reading disk sectors directly, circumventing the file locks that normally prevent access while Outlook is running. Once the files were obtained, the attackers used XstReader to extract mailbox contents. The researchers also observed attempts to extract Microsoft 365 JSON web tokens through SharpTokenFinder, an open source tool that enumerates applications for plaintext authentication tokens. In one case, defensive software blocked this activity, and the operator pivoted to the Sysinternals ProcDump utility to acquire a memory dump of Outlook.exe and recover the tokens manually. Analysts said ToddyCat continues to refine techniques that allow discreet access to email correspondence and authentication material.
The big picture
According to OffSeq’s analysis, the impact of ToddyCat’s new tooling is potentially far-reaching. The report notes that “compromise of Outlook emails can lead to exposure of sensitive communications, intellectual property, and personally identifiable information,” putting organizations at risk of GDPR violations and other regulatory consequences. OffSeq also warns that the theft of Microsoft 365 access tokens “enables attackers to maintain persistent access, bypass multi-factor authentication, and escalate privileges,” which raises the likelihood of broader data exposure and operational disruption. Because stolen tokens can unlock multiple Microsoft 365 services including SharePoint, OneDrive, and Teams, the report cautions that organizations, especially those with hybrid or cloud-based environments, may face more risk.
FAQs
Why do attackers target OST files?
OST files contain full or partial copies of Exchange and Microsoft 365 mailboxes, allowing attackers to review communication history without maintaining live access to mail servers.
How does disk-level copying bypass application locks?
Direct sector reads open the disk or volume device rather than the file itself, so they do not go through the operating system file handles and sharing locks that Outlook holds on the OST while it is running; an attacker can therefore copy the data even when Outlook has the file open.
Why are DPAPI keys valuable to threat actors?
The keys allow decryption of browser-stored passwords and cookies, which can reveal session information and access tokens for cloud applications.
What makes OAuth tokens an attractive target?
Tokens can authorize access to cloud resources without needing a password, especially in environments where multi-factor authentication is enforced.
How can organizations reduce exposure to these techniques?
They can apply least privilege controls on domain controllers, restrict scheduled task creation, monitor for unauthorized tool execution, and enforce policies that limit local storage of sensitive authentication material.
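The monitoring advice above can be made concrete. The following is an added example, not code from the article or from any vendor: it runs three detection rules over constructed Sysmon-style events (process creation, Event ID 1, and raw disk read, Event ID 9) that correspond to the behaviours described in the article, namely raw sector reads of a volume, a memory dump of Outlook.exe, and PowerShell on a domain controller pulling browser artifacts over SMB. Host names, paths and the allowlist are assumptions.

```python
import re

# Constructed Sysmon-style telemetry (assumed hosts/paths, not from the article).
SAMPLE_EVENTS = [
    {"id": 1, "host": "DC01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ep bypass -f C:\ProgramData\tb.ps1 "
                r"\\WS17\C$\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"id": 9, "host": "WS17", "image": r"C:\ProgramData\tcsc.exe",
     "device": r"\Device\HarddiskVolume3"},
    {"id": 1, "host": "WS17", "image": r"C:\Tools\procdump64.exe",
     "cmdline": r"procdump64.exe -ma Outlook.exe C:\temp\ol.dmp"},
    {"id": 1, "host": "WS17",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "OUTLOOK.EXE"},
    {"id": 9, "host": "WS17", "image": r"C:\Windows\System32\svchost.exe",
     "device": r"\Device\HarddiskVolume3"},
]

# Assumed environment knowledge: which hosts are DCs, which images may read raw disk.
DOMAIN_CONTROLLERS = {"DC01"}
RAW_READ_ALLOWLIST = {r"c:\windows\system32\svchost.exe"}
DUMP_TOOLS = {"procdump.exe", "procdump64.exe"}
BROWSER_ARTIFACTS = re.compile(r"login data|cookies|history|web data", re.I)
UNC_ADMIN_SHARE = re.compile(r"\\\\[^\\]+\\[a-z]\$", re.I)  # e.g. \\host\C$


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (host, rule, image) for each event matching a ToddyCat-style TTP."""
    alerts = []
    for ev in events:
        img, cmd = ev["image"], ev.get("cmdline", "")
        if ev["id"] == 9 and img.lower() not in RAW_READ_ALLOWLIST:
            # Raw volume read (Sysmon RawAccessRead): how OST files are copied past locks.
            alerts.append((ev["host"], "raw-disk-read", img))
        elif ev["id"] == 1 and basename(img) in DUMP_TOOLS and "outlook" in cmd.lower():
            # Memory dump of Outlook.exe to recover Microsoft 365 tokens.
            alerts.append((ev["host"], "outlook-memory-dump", img))
        elif (ev["id"] == 1 and ev["host"] in DOMAIN_CONTROLLERS
              and basename(img) == "powershell.exe"
              and UNC_ADMIN_SHARE.search(cmd) and BROWSER_ARTIFACTS.search(cmd)):
            # PowerShell on a DC reading browser artifacts over SMB admin shares.
            alerts.append((ev["host"], "dc-browser-artifact-collection", img))
    return alerts
```

Outlook itself and the allowlisted svchost raw read are not flagged; tune the allowlist to the backup and EDR agents that legitimately open volumes in your environment.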