Email hijacking via OAuth | Kaspersky official blog
The Shadow Token via Remote Debug (STRD) technique is a novel attack method used by the ToddyCat APT to hijack Google Workspace accounts via OAuth 2.0 without stealing passwords or cookies. Attackers deploy malware that covertly launches a headless browser instance using a duplicated user profile to bypass authentication prompts and programmatically authorize OAuth tokens with high privileges. This allows persistent access to the victim's mailbox and resources, surviving password resets and requiring no ongoing endpoint presence. The attack exploits legitimate OAuth workflows and browser debugging features, making detection challenging. Mitigations include resetting passwords, revoking OAuth tokens, restricting browser debugging capabilities, and monitoring for debugging port usage.
AI Analysis
Technical Summary
The STRD attack involves malware compromising a victim's machine and using a duplicated browser profile in headless debugging mode to silently perform OAuth authorization flows. The malware impersonates legitimate Google Workspace migration tools to request broad permissions and programmatically approves them via the DevTools protocol. This yields an OAuth token granting persistent access to Google Workspace mailboxes and data, which attackers can use remotely without further endpoint interaction. The technique bypasses two-factor authentication and cookie protections by leveraging legitimate OAuth mechanisms and browser session reuse. Detection can be aided by monitoring browser launches with debugging ports and restricting developer tools availability via group policies.
Potential Impact
Attackers gain persistent, stealthy access to Google Workspace mailboxes and associated resources without needing passwords or active sessions on the victim's device. This access can survive password resets and does not trigger typical security alerts tied to credential theft or malware activity. The compromised OAuth tokens allow attackers to read emails and potentially access other corporate data, facilitating espionage or data exfiltration. The attack undermines two-factor authentication protections by exploiting OAuth authorization flows.
Mitigation Recommendations
A fix is not applicable as this is an attack technique rather than a software vulnerability. Recommended mitigations include resetting affected users' passwords, terminating all active web sessions, revoking OAuth tokens and third-party app permissions, and reviewing legacy app password access. Organizations should restrict the ability of standard users to launch browsers in debugging mode using DeveloperToolsAvailability group policies for Chrome and Edge. Additionally, monitoring for browser instances launched with debugging ports in SIEM/XDR systems can help detect this attack technique. Kaspersky products detect and protect against the Umbrij malware implementing this attack.
Email hijacking via OAuth | Kaspersky official blog
Description
The Shadow Token via Remote Debug (STRD) technique is a novel attack method used by the ToddyCat APT to hijack Google Workspace accounts via OAuth 2.0 without stealing passwords or cookies. Attackers deploy malware that covertly launches a headless browser instance using a duplicated user profile to bypass authentication prompts and programmatically authorize OAuth tokens with high privileges. This allows persistent access to the victim's mailbox and resources, surviving password resets and requiring no ongoing endpoint presence. The attack exploits legitimate OAuth workflows and browser debugging features, making detection challenging. Mitigations include resetting passwords, revoking OAuth tokens, restricting browser debugging capabilities, and monitoring for debugging port usage.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The STRD attack involves malware compromising a victim's machine and using a duplicated browser profile in headless debugging mode to silently perform OAuth authorization flows. The malware impersonates legitimate Google Workspace migration tools to request broad permissions and programmatically approves them via the DevTools protocol. This yields an OAuth token granting persistent access to Google Workspace mailboxes and data, which attackers can use remotely without further endpoint interaction. The technique bypasses two-factor authentication and cookie protections by leveraging legitimate OAuth mechanisms and browser session reuse. Detection can be aided by monitoring browser launches with debugging ports and restricting developer tools availability via group policies.
Potential Impact
Attackers gain persistent, stealthy access to Google Workspace mailboxes and associated resources without needing passwords or active sessions on the victim's device. This access can survive password resets and does not trigger typical security alerts tied to credential theft or malware activity. The compromised OAuth tokens allow attackers to read emails and potentially access other corporate data, facilitating espionage or data exfiltration. The attack undermines two-factor authentication protections by exploiting OAuth authorization flows.
Mitigation Recommendations
A fix is not applicable as this is an attack technique rather than a software vulnerability. Recommended mitigations include resetting affected users' passwords, terminating all active web sessions, revoking OAuth tokens and third-party app permissions, and reviewing legacy app password access. Organizations should restrict the ability of standard users to launch browsers in debugging mode using DeveloperToolsAvailability group policies for Chrome and Edge. Additionally, monitoring for browser instances launched with debugging ports in SIEM/XDR systems can help detect this attack technique. Kaspersky products detect and protect against the Umbrij malware implementing this attack.
Technical Details
- Article Source
- {"url":"https://www.kaspersky.com/blog/google-oauth-email-hijacking-shadow-token-remote-debug/56144/","fetched":true,"fetchedAt":"2026-07-18T11:38:06.964Z","wordCount":1733}
Threat ID: 6a5b659e2d1edb114c90657a
Added to database: 07/18/2026, 11:38:06 UTC
Last enriched: 07/18/2026, 11:38:22 UTC
Last updated: 07/18/2026, 13:05:20 UTC
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.