
New Tools and Techniques of ToddyCat APT

Severity: Medium
Published: Fri Nov 21 2025 (11/21/2025, 14:38:00 UTC)
Source: AlienVault OTX General

Description

The ToddyCat APT group has developed advanced tools and techniques to covertly access corporate email data by targeting both on-premises Outlook OST files and Microsoft 365 cloud environments. Their toolkit includes PowerShell-based TomBerBil for extracting browser data, TCSectorCopy for copying Outlook OST files, and methods to steal OAuth tokens from Microsoft 365 processes. They leverage SMB for remote file access, dump process memory, and search for access tokens to bypass security monitoring. These tactics enable stealthy data theft of sensitive email content and credentials. Detection guidance is available for each technique to help defenders identify and mitigate these intrusions. The threat is assessed as medium severity due to the complexity and targeted nature of the attacks, with no known exploits in the wild yet. European organizations using Microsoft 365 and Outlook are at risk, especially those with valuable email communications and cloud integrations.

AI-Powered Analysis

AI analysis last updated: 11/21/2025, 22:31:36 UTC

Technical Analysis

ToddyCat is an advanced persistent threat (APT) group that has evolved its attack methods to gain covert and persistent access to corporate email systems. Their recent campaign employs a suite of specialized tools and techniques designed to extract sensitive data from both on-premises and cloud-based email environments. Key tools include TomBerBil, a PowerShell-based utility used to extract browser data, which may contain credentials or session information useful for lateral movement or privilege escalation. TCSectorCopy is another tool used to copy Outlook OST files, which store offline cached copies of Exchange mailboxes, allowing attackers to access email content without direct server interaction. Additionally, ToddyCat targets Microsoft 365 processes to steal OAuth tokens, enabling them to impersonate users and access cloud email data stealthily. The group uses SMB protocols to remotely access files on network shares, dumps process memory to extract credentials or tokens, and searches for access tokens in memory to maintain persistence and evade detection. These tactics align with MITRE ATT&CK techniques such as credential dumping (T1003), email data collection (T1114.001), and token theft (T1555.003). The attackers’ ability to bypass conventional security monitoring and access both on-premises and cloud email data makes this threat particularly concerning. Detection recommendations include monitoring for unusual PowerShell activity, anomalous SMB file access, memory dumping behaviors, and suspicious OAuth token usage. While no CVEs or known exploits are currently associated with these tools, the threat represents a sophisticated espionage capability targeting email confidentiality and integrity.

Potential Impact

For European organizations, the ToddyCat APT poses a significant risk to the confidentiality and integrity of corporate email communications, which often contain sensitive business, legal, and personal information. Successful compromise could lead to data exfiltration, intellectual property theft, and exposure of strategic communications. The ability to steal OAuth tokens and access Microsoft 365 cloud mailboxes increases the attack surface and complicates incident response, as attackers can operate remotely and persistently. This threat could disrupt business operations by undermining trust in email systems and potentially enabling further lateral movement within networks. Organizations in sectors such as finance, government, legal, and critical infrastructure are particularly vulnerable due to the high value of their email data. The medium severity rating reflects the targeted nature and technical sophistication, requiring skilled attackers and some level of initial access or foothold within the network. The current lack of known widespread exploitation limits the immediate impact, but proactive defense measures are still warranted.

Mitigation Recommendations

European organizations should implement a multi-layered defense strategy tailored to the specific tactics used by ToddyCat. First, enforce strict PowerShell logging and enable script block logging to detect suspicious activity related to TomBerBil. Monitor SMB traffic for unusual file access patterns, especially attempts to copy OST files or access email-related directories remotely. Deploy endpoint detection and response (EDR) solutions capable of detecting memory dumping and token theft behaviors. Regularly audit and restrict permissions on Outlook OST files and network shares to limit unauthorized access. Implement conditional access policies and multi-factor authentication (MFA) for Microsoft 365 accounts to reduce the risk of OAuth token abuse. Use Microsoft Cloud App Security or equivalent tools to monitor OAuth token usage and detect anomalies. Conduct regular threat hunting exercises focused on indicators of compromise such as the provided file hashes and behavioral patterns. Finally, educate users and administrators about the risks of phishing and credential theft, as initial access vectors often involve social engineering. Applying these targeted controls will help detect and prevent ToddyCat’s covert email data theft techniques.
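The following is an added example, not code from the advisory or from Kaspersky's report, showing how two of the detections recommended above (remote OST file access over SMB, and PowerShell script blocks that read browser credential stores, the TomBerBil-style behaviour from the Technical Analysis) can be expressed over Windows event records. Windows Event IDs 5145 (network share object access) and 4104 (PowerShell script block logging) are real; the field names mirror the event XML, but every host, user, IP and path below is constructed, and the browser-store and DPAPI patterns are an assumed heuristic rather than a published signature.

```python
import re

# Constructed sample events (hypothetical hosts, users and paths), shaped like
# Windows Security 5145 and PowerShell Operational 4104 records.
EVENTS = [
    {"EventID": 5145, "SubjectUserName": "svc-backup", "IpAddress": "10.0.0.23",
     "ShareName": "\\\\*\\C$",
     "RelativeTargetName": r"Users\jdoe\AppData\Local\Microsoft\Outlook\jdoe@corp.example.ost",
     "AccessMask": "0x1"},
    {"EventID": 5145, "SubjectUserName": "jdoe", "IpAddress": "10.0.0.45",
     "ShareName": "\\\\*\\Finance",
     "RelativeTargetName": r"Q3\budget.xlsx", "AccessMask": "0x1"},
    {"EventID": 4104, "Computer": "WS-017",
     "ScriptBlockText": "Copy-Item \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data\" "
                        "C:\\Temp\\ld; [Security.Cryptography.ProtectedData]::Unprotect(...)"},
    {"EventID": 4104, "Computer": "WS-018",
     "ScriptBlockText": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"},
]

# An OST under a user's Outlook profile reached through an administrative share
# (C$, ADMIN$) is how remote OST copying over SMB shows up in 5145 events.
OST_RE = re.compile(r"\\Microsoft\\Outlook\\[^\\]+\.ost$", re.IGNORECASE)
# Browser credential stores plus a DPAPI unprotect call (assumed heuristic for
# TomBerBil-like browser data extraction).
BROWSER_STORE_RE = re.compile(r"\\User Data\\[^\"']*\\(Login Data|Cookies|Web Data)", re.IGNORECASE)
DPAPI_RE = re.compile(r"ProtectedData\]::Unprotect|CryptUnprotectData", re.IGNORECASE)


def detect_remote_ost_access(events):
    """Return (user, source IP, target) for 5145 events touching an OST over an admin share."""
    hits = []
    for e in events:
        if e.get("EventID") != 5145:
            continue
        if e["ShareName"].endswith("$") and OST_RE.search(e["RelativeTargetName"]):
            hits.append((e["SubjectUserName"], e["IpAddress"], e["RelativeTargetName"]))
    return hits


def detect_browser_data_script(events):
    """Return computers whose 4104 script blocks read browser stores and call DPAPI."""
    return [e["Computer"] for e in events
            if e.get("EventID") == 4104
            and BROWSER_STORE_RE.search(e["ScriptBlockText"])
            and DPAPI_RE.search(e["ScriptBlockText"])]


if __name__ == "__main__":
    print(detect_remote_ost_access(EVENTS))   # one hit: svc-backup reading jdoe's OST via C$
    print(detect_browser_data_script(EVENTS))  # ['WS-017']
```

In production the same logic belongs in the SIEM query language, with the service account and source host enriched against an allow-list of legitimate backup and mailbox-migration jobs before alerting.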


Technical Details

Author
AlienVault
Tlp
white
References
https://securelist.com/toddycat-apt-steals-email-data-from-outlook/118044/
Adversary
ToddyCat
Pulse Id
69207948196fee16fcb9b0af
Threat Score
null

Indicators of Compromise

Hash


Threat ID: 6920e4b627835fd566e3a2f9

Added to database: 11/21/2025, 10:16:22 PM

Last enriched: 11/21/2025, 10:31:36 PM

Last updated: 11/22/2025, 11:22:52 AM
