
ToddyCat’s New Hacking Tools Steal Outlook Emails and Microsoft 365 Access Tokens

0
Low
Vulnerability
Published: Tue Nov 25 2025 (11/25/2025, 11:36:00 UTC)
Source: The Hacker News

Description

The threat actor known as ToddyCat has been observed adopting new methods to obtain access to corporate email data belonging to target companies, including using a custom tool dubbed TCSectorCopy. "This attack allows them to obtain tokens for the OAuth 2.0 authorization protocol using the user's browser, which can be used outside the perimeter of the compromised infrastructure to access

AI-Powered Analysis

Last updated: 11/25/2025, 13:16:21 UTC

Technical Analysis

ToddyCat is an APT group that has extended its toolkit to collect corporate email from Outlook and to steal Microsoft 365 OAuth 2.0 access tokens. Its custom tool TCSectorCopy (xCopy.exe) is a C++ program that opens the disk as a read-only raw device and copies the Outlook OST file sector by sector, reading the underlying disk blocks directly instead of going through the file API. This sidesteps the exclusive lock that normally prevents the OST from being opened while Outlook is running. The copied OST is then parsed with XstReader, an open-source OST/PST viewer, to extract message contents.

For cloud access the group uses SharpTokenFinder, an open-source C# tool that enumerates running Microsoft 365 (Office) processes and extracts plaintext JSON Web Tokens (JWTs) from their memory. Where security software blocks that direct read, the operators fall back to Sysinternals ProcDump to write a memory dump of the Outlook process and recover the tokens from the dump offline. Because these are bearer access tokens issued to the user's already authenticated session, they can be replayed from outside the compromised network to reach the user's mailbox and Microsoft 365 data without a new logon.

ToddyCat also deploys a PowerShell variant of its TomBerBil browser-credential stealer on domain controllers, where it runs with privileged access. TomBerBil reaches user workstations remotely over SMB, copies the encrypted browser artifacts (cookies and saved credentials) together with the DPAPI keys needed to decrypt them and the user's SID and password (the inputs from which the DPAPI master key's encryption key is derived), and performs the decryption locally rather than on the victim host, which keeps the decryption activity off the monitored endpoint.

The group has a history of exploiting vulnerabilities to deliver its malware, including CVE-2024-11859 in the ESET Command Line Scanner. Its operations focus on Europe and Asia, targeting organizations that run Microsoft 365 and Outlook. The combination of scheduled tasks and SMB for lateral movement with these token- and credential-theft techniques is designed to bypass perimeter defenses and endpoint protections.
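To make concrete why a memory dump of outlook.exe is itself a token-theft event, the following is an added example (not ToddyCat's, SharpTokenFinder's or Kaspersky's code) that scans a constructed memory image for JWT-shaped strings and reads their claims. Access tokens are compact JWS strings that sit in process memory as the literal text "eyJ...", so a regex finds them and the audience, client app and expiry can be read without any key. The dump bytes, the claims, and the tenant and app GUIDs are all constructed placeholders, not real identifiers.

```python
"""Locate and triage plaintext JWTs in a process memory dump (constructed data)."""
import base64
import json
import re

# A compact JWS: three base64url segments joined by dots; "eyJ" is base64 for '{"'.
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}")

# Fixed "now" so results are reproducible (constructed value, roughly 2025-11-24 UTC).
FIXED_NOW = 1_764_000_000


def _b64url_decode(segment: bytes) -> bytes:
    return base64.urlsafe_b64decode(segment + b"=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def make_fake_token(claims: dict) -> bytes:
    """Build a JWT-shaped string for the constructed dump. The signature is a
    placeholder; a memory scraper never needs to verify it."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    return b".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"\x00" * 32),
    ])


def find_tokens(dump: bytes, now: int = FIXED_NOW) -> list:
    """Return one triage record per JWT found in the dump, in offset order."""
    found = []
    for m in JWT_RE.finditer(dump):
        header_seg, payload_seg, _sig = m.group(0).split(b".")
        try:
            header = json.loads(_b64url_decode(header_seg))
            payload = json.loads(_b64url_decode(payload_seg))
        except (ValueError, UnicodeDecodeError):
            continue  # base64-looking bytes that are not a JWT
        exp = int(payload.get("exp", 0))
        found.append({
            "offset": m.start(),
            "alg": header.get("alg"),
            "aud": payload.get("aud"),      # which API the token is accepted by
            "appid": payload.get("appid"),  # which client it was issued to
            "upn": payload.get("upn"),
            "scp": payload.get("scp"),
            "expired": exp <= now,
            "seconds_left": max(0, exp - now),
        })
    return found


# Constructed memory image: PE-like noise, a live Graph token, a base64-looking
# decoy that is not a JWT, and an already expired Outlook token.
_GRAPH_TOKEN = make_fake_token({
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "appid": "11111111-2222-3333-4444-555555555555",
    "upn": "alice@example.com",
    "scp": "Mail.ReadWrite User.Read",
    "exp": FIXED_NOW + 3000,
})
_OUTLOOK_TOKEN = make_fake_token({
    "aud": "https://outlook.office365.com",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "appid": "11111111-2222-3333-4444-555555555555",
    "upn": "alice@example.com",
    "scp": "EWS.AccessAsUser.All",
    "exp": FIXED_NOW - 100,
})
_DECOY = b"eyJzb21ldGhpbmcxMjM0.AAAAAAAAAAAAAAAAAAAAAA.BBBBBBBBBBBBBBBBBBBBBB"
SAMPLE_DUMP = (b"MZ\x90\x00" + b"\x00" * 64 + _GRAPH_TOKEN + b"\x00\x00"
               + _DECOY + b"\x00\xff" + _OUTLOOK_TOKEN + b"\x00" * 16)


if __name__ == "__main__":
    for t in find_tokens(SAMPLE_DUMP):
        state = "EXPIRED" if t["expired"] else f"{t['seconds_left']}s left"
        print(f"offset {t['offset']:>5}  aud={t['aud']}  upn={t['upn']}  {state}")
```

The same scan run by a responder over a real ProcDump output tells you which audiences and scopes were exposed and how long each token stays usable; an unexpired Graph or Outlook token in a dump that left the host should be treated as a mailbox compromise until the session is revoked.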

Potential Impact

For European organizations the impact of ToddyCat's activity is significant. The theft of Outlook OST files and Microsoft 365 access tokens exposes the full contents of corporate mailboxes, including sensitive business information, intellectual property and personal data, and because a stolen token also authorizes actions as the user, it enables mailbox manipulation as well as reading. Access tokens let the attacker reach cloud resources from outside the victim's network, so traditional perimeter controls and endpoint agents never see the resulting data exfiltration. Decrypted browser cookies and saved credentials extend the compromise to other web applications and support persistence and privilege escalation. Organizations that rely heavily on Microsoft 365 and Outlook, which are widely adopted across Europe, face targeted collection that can disrupt operations and damage reputations. Detection and response are complicated by the use of legitimate tooling (ProcDump, scheduled tasks, SMB admin shares) and by the fact that token replay leaves no trace on the endpoint where the token was taken. Finally, the presence of malware on domain controllers shows that the attacker already holds the highest level of access in the environment, so the email theft is one symptom of a broader compromise of data security and operational continuity.

Mitigation Recommendations

European organizations should defend against the specific techniques rather than the malware names. On endpoints, alert on processes that open a volume or physical disk as a raw device (Sysmon Event ID 9, RawAccessRead) outside an allowlist of backup and security agents; that is the signature of TCSectorCopy's sector-by-sector OST copy, and ordinary file-access telemetry will not show it because the file system is never asked for the file. Alert on processes that open outlook.exe with memory-read access (Sysmon Event ID 10, ProcessAccess) and on ProcDump invocations targeting Outlook, including renamed copies identified by the binary's original file name, and treat any dump of an Office process written to a user-writable path as a token exposure. Enforce least privilege on domain controllers and critical servers, apply application control and PowerShell script-block logging, and review new or modified scheduled tasks on those hosts.

On the identity side, multi-factor authentication does not reduce the risk of an already stolen access token: the token was issued after MFA completed and is accepted as a bearer credential until it expires. MFA and device-compliance policies matter for preventing the initial foothold, not for this stage. Shorten the exposure window with Conditional Access sign-in frequency and Continuous Access Evaluation, and when a compromise is confirmed revoke the user's refresh tokens and sessions (the "Revoke sessions" action in Microsoft Entra, or the Graph revokeSignInSessions call) and reset the password. Already issued access tokens remain valid until their expiry (typically about an hour), so also review the Microsoft 365 sign-in and mailbox audit logs for use of the account from unexpected locations during that window, and regularly audit token and consent usage for stale or suspicious entries.

For TomBerBil, enable object-access auditing on file shares (Security Event ID 5145) and alert on admin-share (C$, ADMIN$) reads of browser profile files (Chrome and Edge "Login Data", "Cookies" and "Local State") and of the DPAPI master-key directory under AppData\Roaming\Microsoft\Protect, especially when the source address is a domain controller. Restrict which accounts may log on to domain controllers and segment them from user subnets to limit this remote collection. Hunt for the tools and paths named in the source report, keep threat-intelligence feeds current, and train users against the phishing and credential theft that ToddyCat relies on for initial access.
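The hunt logic above, as an added example that is not code from the article, Kaspersky or this page. It runs four checks over constructed event records whose field names follow what Sysmon (Event IDs 1, 9, 10) and the Windows Security log (Event ID 5145) actually emit: raw volume reads by unexpected processes, memory-read access to outlook.exe, ProcDump invocations against Outlook (including a renamed binary caught by OriginalFileName), and admin-share reads of browser profile and DPAPI master-key paths. The records, the allowlists, the ProcDump name set and the path patterns are assumptions to tune per environment.

```python
"""Hunt rules for ToddyCat-style OST copy, token dumping and remote browser-data
collection, evaluated over constructed Sysmon / Security event records."""
import fnmatch

PROCESS_VM_READ = 0x0010  # access-right bit needed to read another process's memory

# Assumed allowlists: processes expected to read raw volumes or Outlook memory.
RAW_READ_ALLOW = {r"c:\windows\system32\vssvc.exe"}
OUTLOOK_ACCESS_ALLOW = {r"c:\program files\windows defender\msmpeng.exe"}
PROCDUMP_NAMES = {"procdump", "procdump.exe", "procdump64.exe"}  # assumed OriginalFileName values

# Browser artifacts and DPAPI master keys as paths relative to an admin-share root.
# fnmatch's "*" spans backslashes, so "user data\*\cookies" covers Default\Cookies
# and Default\Network\Cookies alike. Patterns are lowercase; inputs are lowercased.
BROWSER_DPAPI_PATTERNS = [
    r"users\*\appdata\local\google\chrome\user data\*\login data",
    r"users\*\appdata\local\google\chrome\user data\*\cookies",
    r"users\*\appdata\local\google\chrome\user data\local state",
    r"users\*\appdata\local\microsoft\edge\user data\*\login data",
    r"users\*\appdata\local\microsoft\edge\user data\*\cookies",
    r"users\*\appdata\local\microsoft\edge\user data\local state",
    r"users\*\appdata\roaming\microsoft\protect\s-1-5-21-*\*",
]


def detect_raw_disk_read(e):
    """Sysmon 9: a non-allowlisted process opened a volume as a raw device."""
    if e["EventID"] != 9 or e["Image"].lower() in RAW_READ_ALLOW:
        return None
    return f"raw read of {e['Device']} by {e['Image']} (TCSectorCopy-style OST copy)"


def detect_outlook_memory_access(e):
    """Sysmon 10: something opened outlook.exe with PROCESS_VM_READ."""
    if e["EventID"] != 10 or not e["TargetImage"].lower().endswith(r"\outlook.exe"):
        return None
    if e["SourceImage"].lower() in OUTLOOK_ACCESS_ALLOW:
        return None
    if int(e["GrantedAccess"], 16) & PROCESS_VM_READ == 0:
        return None
    return f"{e['SourceImage']} read outlook.exe memory (GrantedAccess {e['GrantedAccess']})"


def detect_procdump_of_outlook(e):
    """Sysmon 1: ProcDump (by name or by original file name) aimed at Outlook."""
    if e["EventID"] != 1:
        return None
    cmd = e["CommandLine"].lower()
    is_procdump = e.get("OriginalFileName", "").lower() in PROCDUMP_NAMES or "procdump" in cmd
    if is_procdump and "outlook" in cmd:
        return f"ProcDump targeting Outlook: {e['CommandLine']}"
    return None


def detect_remote_browser_data_access(e):
    """Security 5145: admin-share read of browser secrets or DPAPI master keys."""
    if e["EventID"] != 5145 or not e["ShareName"].endswith("$"):
        return None
    target = e["RelativeTargetName"].lower()
    if any(fnmatch.fnmatchcase(target, p) for p in BROWSER_DPAPI_PATTERNS):
        return (f"{e['SubjectUserName']} from {e['IpAddress']} read "
                f"{e['RelativeTargetName']} via {e['ShareName']}")
    return None


RULES = [detect_raw_disk_read, detect_outlook_memory_access,
         detect_procdump_of_outlook, detect_remote_browser_data_access]


def detect(events):
    """Return (rule name, EventID, message) for every record a rule fires on."""
    hits = []
    for e in events:
        for rule in RULES:
            msg = rule(e)
            if msg:
                hits.append((rule.__name__, e["EventID"], msg))
    return hits


_OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SAMPLE_EVENTS = [  # constructed records; benign and malicious interleaved
    {"EventID": 9, "Image": r"C:\Windows\System32\VSSVC.exe", "Device": r"\Device\HarddiskVolume3"},
    {"EventID": 9, "Image": r"C:\ProgramData\Temp\xCopy.exe", "Device": r"\Device\HarddiskVolume3"},
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\pd.exe", "TargetImage": _OUTLOOK, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetImage": _OUTLOOK, "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Windows\explorer.exe", "TargetImage": _OUTLOOK, "GrantedAccess": "0x1000"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\pd.exe", "OriginalFileName": "procdump",
     "CommandLine": r"pd.exe -accepteula -ma outlook.exe C:\Windows\Temp\o.dmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 5145, "SubjectUserName": "da-admin", "IpAddress": "10.0.0.5", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventID": 5145, "SubjectUserName": "da-admin", "IpAddress": "10.0.0.5", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\alice\AppData\Roaming\Microsoft\Protect\S-1-5-21-1234567890-1-1001\0f3c1b2a-guid"},
    {"EventID": 5145, "SubjectUserName": "bob", "IpAddress": "10.0.1.7", "ShareName": r"\\*\Finance",
     "RelativeTargetName": r"reports\q3.xlsx"},
]

if __name__ == "__main__":
    for rule, eid, msg in detect(SAMPLE_EVENTS):
        print(f"[{eid}] {rule}: {msg}")
```

The ProcDump rule keys on the renamed binary's OriginalFileName as well as its command line, and the Event 10 rule keys on the access mask rather than the source image name, so both survive the trivial renaming an operator would try first. The 5145 rule is the one to enable on workstations rather than on the domain controller, since the reads TomBerBil performs arrive at the workstation's admin share.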


Technical Details

Article Source
{"url":"https://thehackernews.com/2025/11/toddycats-new-hacking-tools-steal.html","fetched":true,"fetchedAt":"2025-11-25T13:15:58.159Z","wordCount":1210}

Threat ID: 6925ac106d2b27733e2f3516

Added to database: 11/25/2025, 1:16:00 PM

Last enriched: 11/25/2025, 1:16:21 PM

Last updated: 12/4/2025, 9:10:16 PM

Views: 150
