Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Email hijacking via OAuth | Kaspersky official blog

0
Medium
Vulnerability
Published: 07/17/2026 (07/17/2026, 16:18:13 UTC)
Source: Kaspersky Security Blog

Description

The Shadow Token via Remote Debug (STRD) technique is a novel attack method used by the ToddyCat APT to hijack Google Workspace accounts via OAuth 2.0 without stealing passwords or cookies. Attackers deploy malware that covertly launches a headless browser instance using a duplicated user profile to bypass authentication prompts and programmatically authorize OAuth tokens with high privileges. This allows persistent access to the victim's mailbox and resources, surviving password resets and requiring no ongoing endpoint presence. The attack exploits legitimate OAuth workflows and browser debugging features, making detection challenging. Mitigations include resetting passwords, revoking OAuth tokens, restricting browser debugging capabilities, and monitoring for debugging port usage.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/18/2026, 11:38:22 UTC

Technical Analysis

The STRD attack involves malware compromising a victim's machine and using a duplicated browser profile in headless debugging mode to silently perform OAuth authorization flows. The malware impersonates legitimate Google Workspace migration tools to request broad permissions and programmatically approves them via the DevTools protocol. This yields an OAuth token granting persistent access to Google Workspace mailboxes and data, which attackers can use remotely without further endpoint interaction. The technique bypasses two-factor authentication and cookie protections by leveraging legitimate OAuth mechanisms and browser session reuse. Detection can be aided by monitoring browser launches with debugging ports and restricting developer tools availability via group policies.

Potential Impact

Attackers gain persistent, stealthy access to Google Workspace mailboxes and associated resources without needing passwords or active sessions on the victim's device. This access can survive password resets and does not trigger typical security alerts tied to credential theft or malware activity. The compromised OAuth tokens allow attackers to read emails and potentially access other corporate data, facilitating espionage or data exfiltration. The attack undermines two-factor authentication protections by exploiting OAuth authorization flows.

Mitigation Recommendations

A fix is not applicable as this is an attack technique rather than a software vulnerability. Recommended mitigations include resetting affected users' passwords, terminating all active web sessions, revoking OAuth tokens and third-party app permissions, and reviewing legacy app password access. Organizations should restrict the ability of standard users to launch browsers in debugging mode using DeveloperToolsAvailability group policies for Chrome and Edge. Additionally, monitoring for browser instances launched with debugging ports in SIEM/XDR systems can help detect this attack technique. Kaspersky products detect and protect against the Umbrij malware implementing this attack.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Article Source
{"url":"https://www.kaspersky.com/blog/google-oauth-email-hijacking-shadow-token-remote-debug/56144/","fetched":true,"fetchedAt":"2026-07-18T11:38:06.964Z","wordCount":1733}

Threat ID: 6a5b659e2d1edb114c90657a

Added to database: 07/18/2026, 11:38:06 UTC

Last enriched: 07/18/2026, 11:38:22 UTC

Last updated: 07/18/2026, 13:05:20 UTC

Views: 7

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses