
ToddyCat targets Outlook email archives and Microsoft 365 access tokens

Posted on 12 December 2025

Reading time 3 minutes

The ToddyCat advanced persistent threat (APT) group has expanded its operations to focus directly on corporate email data. Active since at least 2020, the group has previously targeted government and technology organisations across Europe and Asia. New activity observed from mid-2024 to early 2025 shows that ToddyCat has evolved from traditional credential theft to techniques that enable the extraction of full Outlook email archives and Microsoft 365 access tokens.

Kaspersky researchers documented several new tools involved in these operations. A key addition is TCSectorCopy, a custom C++ utility designed to copy Outlook Offline Storage Table (OST) files even while Outlook is open; instead of accessing the files through Windows in the usual way, the tool reads the disk directly in a sector-by-sector manner, bypassing the file-locking protections that normally prevent this. After obtaining these files, the attackers use tools such as XstReader to view the content of corporate email archives outside the affected environment.

In cloud-based environments such as Microsoft 365, ToddyCat focuses on collecting OAuth 2.0 access tokens, which can grant ongoing access to a user’s mailbox. The group uses SharpTokenFinder to locate tokens stored in browsers or memory. When security tools block direct access, ToddyCat has been observed using ProcDump, a legitimate Windows Sysinternals utility, to extract memory from the running Outlook process and obtain tokens from there instead.

Between May and June 2024, the group also deployed a PowerShell-based version of its TomBerBil malware. This variant runs from domain controllers using privileged accounts and remotely collects browser data from workstations across the network over SMB. Information stolen includes login data, cookies, browsing history, and Windows Data Protection API (DPAPI) keys. With both the encrypted data and the necessary decryption keys, the attackers can fully access the stolen information outside the victim environment.

Why does this matter?

ToddyCat’s recent activity represents a meaningful escalation in their ability to access and retain corporate email data. Email remains one of the most sensitive and business-critical assets for organisations, and the theft of full archives can expose strategic communications, legal discussions, financial information, and personal data.

The group’s focus on OAuth 2.0 access tokens is particularly important. Stolen tokens can allow attackers to read a user’s Microsoft 365 email even if the password is changed, and from locations entirely outside the organisation’s network. This reduces the effectiveness of traditional security controls and highlights the need for stronger oversight of identity and cloud session activity.

The group also makes extensive use of legitimate administrative tools, such as ProcDump and low-level disk readers, rather than relying solely on malware. This can make their activity harder to detect with standard security monitoring, underscoring the importance of behavioural detection and good governance around tool usage.

To mitigate risks associated with these techniques, organisations should consider the following steps:

  • Monitor unusual file access patterns: Ensure endpoint detection and response (EDR) solutions can detect low-level disk read operations and alert when processes access OST files while Outlook is running.
  • Secure domain controllers: Audit privileged access on domain controllers, enable just-in-time administrative access, and monitor for suspicious PowerShell execution or scheduled tasks.
  • Control SMB traffic: Log and alert on unusual SMB connections from domain controllers to workstations, as this may indicate remote harvesting of browser data.
  • Protect OAuth tokens: Apply conditional access policies in Microsoft 365, restrict token usage based on device compliance and risk, and monitor for unexpected token usage patterns.
  • Implement application controls: Restrict or block unauthorised execution of tools capable of memory dumping, such as ProcDump, unless used by approved security teams.
  • Strengthen authentication: Adopt phishing-resistant MFA methods (e.g., hardware security keys) and enhanced authentication protections for privileged accounts.
  • Maintain offline backups: Ensure that critical email data is backed up in an offline or isolated manner to support recovery if data is compromised.
  • Integrate threat intelligence: Use the published indicators of compromise (IOCs) such as file names, paths, hashes, and behavioural indicators in your SIEM, EDR, and threat-hunting processes.
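The first and third recommendations above can be expressed as simple detection rules over endpoint telemetry. The example below is added here and is not code from the Kaspersky report or from Mishcon de Reya: it flags an OST file read by a process other than Outlook while Outlook is running, and an SMB connection from a domain controller to a non-DC host. The event shape, host names (dc01, ws17) and process names are assumptions made for the example.

```python
# Added example: event schema, DC inventory and sample telemetry are constructed assumptions.
from dataclasses import dataclass

DOMAIN_CONTROLLERS = {"dc01", "dc02"}  # assumed inventory of DC hostnames (lowercase)

@dataclass
class Event:
    host: str                     # host that emitted the event
    kind: str                     # "file_read" or "net_conn"
    process: str                  # image name of the acting process
    target: str                   # file path (file_read) or destination host (net_conn)
    port: int = 0                 # destination port for net_conn events
    running: frozenset = frozenset()  # image names alive on the host at event time

def ost_read_by_foreign_process(ev: Event) -> bool:
    """A process other than outlook.exe reads an .ost file while Outlook is
    running: the footprint a copy made outside the normal file APIs leaves."""
    return (ev.kind == "file_read"
            and ev.target.lower().endswith(".ost")
            and ev.process.lower() != "outlook.exe"
            and "outlook.exe" in {p.lower() for p in ev.running})

def smb_from_domain_controller(ev: Event) -> bool:
    """A domain controller opens SMB (TCP/445) to a host that is not a DC:
    the direction of the remote browser-data collection described above."""
    return (ev.kind == "net_conn" and ev.port == 445
            and ev.host.lower() in DOMAIN_CONTROLLERS
            and ev.target.lower() not in DOMAIN_CONTROLLERS)

RULES = {"ost_read_by_foreign_process": ost_read_by_foreign_process,
         "smb_from_domain_controller": smb_from_domain_controller}

def triage(events):
    """Return (host, rule, process, target) for every event that alerts."""
    return [(ev.host, name, ev.process, ev.target)
            for ev in events for name, rule in RULES.items() if rule(ev)]

OST = r"C:\Users\alice\AppData\Local\Microsoft\Outlook\alice.ost"  # constructed path
SAMPLE_EVENTS = [  # constructed telemetry, not indicators from the report
    Event("ws17", "file_read", "outlook.exe", OST, running=frozenset({"outlook.exe"})),
    Event("ws17", "file_read", "copytool.exe", OST,
          running=frozenset({"outlook.exe", "copytool.exe"})),   # should alert
    Event("dc01", "net_conn", "powershell.exe", "ws17", port=445),  # should alert
    Event("dc01", "net_conn", "lsass.exe", "dc02", port=445),      # DC to DC: benign
    Event("ws17", "net_conn", "explorer.exe", "fs01", port=445),   # workstation: benign
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(*alert)
```

In a real deployment the same two predicates would run in the EDR or SIEM query language over live process and network events rather than over an in-memory list.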

Following these recommendations will help organisations reduce the likelihood of unauthorised access to corporate email and limit exposure to sophisticated threat actors such as ToddyCat.
