Kaspersky Lab has published new findings revealing how the ToddyCat APT group has significantly upgraded its cyber-espionage toolkit to infiltrate corporate email systems—both on-premises and in the cloud—by stealing browser data, Outlook mail archives, and even OAuth 2.0 access tokens from Microsoft 365.
Kaspersky warns that although organizations often assume cloud infrastructure provides superior isolation, “this does not stop highly organized espionage groups like the ToddyCat APT group.”
The report documents espionage incidents spanning late 2024 through early 2025, showing a clear strategic evolution toward covert email access outside the victim’s monitored environment.
One of the most striking discoveries is a new PowerShell-based variant of TomBerBil, ToddyCat’s long-running browser-credential theft framework. While older versions were written in C# and C++, the updated tool:
- Runs directly on domain controllers,
- Uses privileged user accounts,
- Harvests browser files across the network via SMB, and
- Supports Chrome, Edge, and Firefox.
Kaspersky writes: “Analysis of incidents from May to June 2024 revealed a new variant implemented in PowerShell… executed on domain controllers on behalf of a privileged user.”
The script retrieves hostnames from a file (uhosts.txt) and connects to each machine’s c$ share to copy:
- Cookies
- Login Data
- History
- Local State files
- DPAPI master key directories
- Firefox profile data
ToddyCat then collects the DPAPI master key files that protect the browsers' encryption keys. Those master keys are themselves encrypted with a key derived from the user's password and SID, which is why the attackers need both values to unlock everything offline. As Kaspersky highlights: “These keys, combined with the user’s SID and password, grant the attackers the ability to decrypt all the copied files locally.” This shift toward multi-host browser harvesting indicates deeper lateral movement and credential-access objectives.
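As an added example (not part of Kaspersky's report or of the attackers' tooling), here is a detection-side Python sketch for the behaviour described above. Each workstation logs Windows Security Event ID 5145 when a remote client reads one of its shares, so reads of browser credential files and DPAPI master key directories through the hidden C$ share, by one account from one client address across several hosts, are a direct signature of this collection. The event records, host names, account names and IP addresses below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). Field names follow Windows Security
# Event ID 5145, which each workstation logs when a remote client touches a share.
# IpAddress is the client reading the share; 10.0.0.5 stands in for a domain controller.
SAMPLE_5145 = [
    {"host": "WS01", "SubjectUserName": "da-admin", "IpAddress": "10.0.0.5", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "WS01", "SubjectUserName": "da-admin", "IpAddress": "10.0.0.5", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"host": "WS01", "SubjectUserName": "da-admin", "IpAddress": "10.0.0.5", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\alice\AppData\Roaming\Microsoft\Protect\S-1-5-21-1111-2222-3333-1105\d4b2f1a0-0000-4000-8000-000000000001"},
    {"host": "WS02", "SubjectUserName": "da-admin", "IpAddress": "10.0.0.5", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\bob\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"},
    {"host": "WS03", "SubjectUserName": "da-admin", "IpAddress": "10.0.0.5", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\carol\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\logins.json"},
    # Benign traffic: a user opening a document, and a helpdesk tech on a single host.
    {"host": "WS02", "SubjectUserName": "bob", "IpAddress": "10.0.0.77", "ShareName": r"\\*\Finance",
     "RelativeTargetName": r"Q3\report.docx"},
    {"host": "WS04", "SubjectUserName": "helpdesk", "IpAddress": "10.0.0.9", "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\dave\AppData\Local\Google\Chrome\User Data\Default\History"},
]

# The artefacts the PowerShell TomBerBil variant is reported to copy.
BROWSER_ARTIFACT_PATTERNS = [
    re.compile(r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\(.+\\)?(Login Data|Cookies|History|Local State)$", re.I),
    re.compile(r"\\Microsoft\\Protect\\S-1-5-21-[0-9-]+\\", re.I),          # DPAPI master key directory
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite)$", re.I),
]


def is_browser_artifact(path: str) -> bool:
    return any(p.search(path) for p in BROWSER_ARTIFACT_PATTERNS)


def find_browser_harvesting(events, min_hosts=3):
    """Group admin-share reads of browser artefacts by (account, client IP) and flag
    every pair that touched at least `min_hosts` distinct workstations."""
    by_actor = defaultdict(lambda: {"hosts": set(), "paths": []})
    for ev in events:
        if not ev["ShareName"].upper().endswith("$"):      # hidden admin shares only (C$, ADMIN$)
            continue
        if not is_browser_artifact(ev["RelativeTargetName"]):
            continue
        key = (ev["SubjectUserName"], ev["IpAddress"])
        by_actor[key]["hosts"].add(ev["host"])
        by_actor[key]["paths"].append(ev["RelativeTargetName"])
    return [
        {"user": u, "source_ip": ip, "hosts": sorted(v["hosts"]), "artifacts": len(v["paths"])}
        for (u, ip), v in by_actor.items() if len(v["hosts"]) >= min_hosts
    ]


if __name__ == "__main__":
    for f in find_browser_harvesting(SAMPLE_5145):
        print(f"{f['user']}@{f['source_ip']} read {f['artifacts']} browser artefacts "
              f"on {len(f['hosts'])} hosts: {f['hosts']}")
```

Event 5145 is only written when the "Audit Detailed File Share" subcategory is enabled, and it is noisy on file servers, so the filter on hidden admin shares and browser artefact paths matters more than the host threshold; a single read of another user's DPAPI Protect directory over C$ deserves a look on its own.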
In cases where defensive monitoring detected TomBerBil’s behavior, ToddyCat pivoted to a forensic-style approach: copying users’ Outlook OST files straight off the disk, even while Outlook held them locked.
To achieve this, the attackers deployed a custom C++ tool named TCSectorCopy, designed for low-level, block-by-block copying.
Kaspersky explains: “This tool is designed for block-by-block copying of files that may be inaccessible by applications or the operating system, such as files that are locked while in use.”
How the OST Theft Works
- TCSectorCopy is executed with the path to the user’s OST file.
- The tool opens the underlying disk device for raw read operations.
- It copies the OST file—even if Outlook is actively locking it.
- A second tool, XstReader, exports the email contents into HTML, TXT, and RTF formats.
- The stolen emails and attachments are archived and exfiltrated.
Kaspersky confirms: “After exporting the data from the OST file, the attackers review the list of obtained files, collect those of interest into an archive, and exfiltrate it.” Because the read happens below the file system, application-level monitoring sees nothing, and the OST hands ToddyCat the user’s entire locally cached mailbox, which, depending on the Cached Exchange Mode sync window, can span years of mail.
Perhaps the most concerning evolution is ToddyCat’s new method for accessing cloud email without touching endpoint storage.
Some victim organizations were using Microsoft 365; the attackers responded by targeting the OAuth 2.0 access tokens held in the memory of Outlook and other Office apps. An access token is a bearer credential: whoever holds it can call the service it was issued for (IMAP or the Graph API, depending on the token’s audience and scopes) from any device, with no password or MFA prompt, until the token expires.
Kaspersky writes: “The attackers’ next step was gaining access to email outside the hosts where monitoring was being performed… The attackers attempted to obtain the access token that resides in the memory of processes utilizing this cloud service.”
ToddyCat first attempted token extraction using SharpTokenFinder, a C# tool that reads the memory of running Office processes and searches it for JWT patterns.
It searches processes including:
- OUTLOOK
- TEAMS
- WORD
- POWERPNT
- EXCEL
- ONEDRIVE
- SHAREPOINT
The tool looks for the distinctive JWT prefix eyJ0eX, since “the first 18 characters of the encoded token will always be the same.” The reason is simple: a JWT header opens with {"typ":"JWT"," and Base64 encodes those fourteen bytes deterministically as eyJ0eXAiOiJKV1QiLC, whatever claims follow.
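To show why a six-character prefix is enough, and what a scanner does with a hit, here is an added Python example (an editor’s illustration, not SharpTokenFinder and not code from Kaspersky’s report). It searches a memory image for JWT-shaped strings in both ASCII and UTF-16LE, the latter being how .NET and Office code commonly hold strings, and decodes each hit’s header and payload without touching the signature, which a thief never needs to verify. The memory image, the two tokens and their claims (aud, scp, exp, upn) are constructed; the tokens carry a dummy signature and would not validate anywhere.

```python
import base64
import json
import re


def b64url_encode(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def b64url_decode(seg: bytes) -> bytes:
    return base64.urlsafe_b64decode(seg + b"=" * (-len(seg) % 4))


# Why the prefix is constant: every JWT header starts with {"typ":"JWT"," and Base64
# encodes those 14 bytes deterministically, so the first 18 characters never vary.
CONSTANT_PREFIX = b64url_encode(b'{"typ":"JWT","')[:18]   # b"eyJ0eXAiOiJKV1QiLC"

# Three base64url segments joined by dots; the six-character prefix does the heavy lifting.
JWT_BYTES = re.compile(rb"eyJ0eX[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")
JWT_TEXT = re.compile(r"eyJ0eX[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")


def make_constructed_token(aud: str, scp: str, exp: int) -> bytes:
    """Build a structurally valid but unsigned JWT for the sample dump (no real key involved)."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed"}
    payload = {"aud": aud, "scp": scp, "exp": exp, "upn": "alice@example.com"}
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return enc(header) + b"." + enc(payload) + b"." + b64url_encode(b"\x00" * 32)  # dummy signature


# Constructed stand-in for a process memory dump: one token stored as an ASCII/UTF-8
# string and one as UTF-16LE (how .NET and Office code commonly hold strings in memory).
SAMPLE_DUMP = (
    b"\x00" * 32 + b"MSAL cache entry "
    + make_constructed_token("https://graph.microsoft.com", "Mail.Read User.Read", 1_800_000_000)
    + b"\x00" * 16 + b"eyJ0eXAi" + b"\x00" * 8          # decoy fragment: right prefix, no dots
    + make_constructed_token("https://outlook.office365.com", "IMAP.AccessAsUser.All", 1_700_000_000)
      .decode().encode("utf-16-le")
    + b"\x00" * 32
)


def scan_for_tokens(buf: bytes):
    """Find JWT-shaped strings in a memory image (ASCII and UTF-16LE) and decode header
    and payload without verifying the signature."""
    candidates = {m.group(0) for m in JWT_BYTES.finditer(buf)}
    for off in (0, 1):                                   # a UTF-16 string can sit at either byte alignment
        text = buf[off:].decode("utf-16-le", errors="replace")
        candidates |= {m.group(0).encode() for m in JWT_TEXT.finditer(text)}
    tokens = []
    for cand in sorted(candidates):
        head, body, _sig = cand.split(b".")
        try:
            header = json.loads(b64url_decode(head))
            payload = json.loads(b64url_decode(body))
        except ValueError:                               # looked like a JWT, was not one
            continue
        if header.get("typ") != "JWT":
            continue
        tokens.append({"aud": payload.get("aud"), "scp": payload.get("scp"),
                       "exp": payload.get("exp"), "alg": header.get("alg")})
    return tokens


def is_expired(token: dict, now: int) -> bool:
    """A stolen token is only useful until its exp claim; treat a missing exp as unusable."""
    return token["exp"] is None or token["exp"] <= now


if __name__ == "__main__":
    for t in scan_for_tokens(SAMPLE_DUMP):
        print(f"aud={t['aud']} scp={t['scp']} exp={t['exp']} expired={is_expired(t, 1_750_000_000)}")
```

Two points a responder should take from this: a scanner that only looks for the ASCII form misses wide-character copies of the same token, and the aud and exp claims tell you which service a stolen token can be replayed against and for how long.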
In one case, endpoint protection blocked SharpTokenFinder, so the operator switched to Sysinternals ProcDump to dump the target process memory and search it for the token instead.
With a valid token in hand, ToddyCat could read the mailbox from the cloud side, outside the monitored hosts entirely. Endpoint controls see nothing of that access; only cloud-side telemetry such as mailbox audit logs records it, and the token keeps working until it expires.
Kaspersky’s findings confirm that ToddyCat is aggressively expanding beyond endpoint-centric espionage:
- From local browser theft → to Outlook OST theft → to Microsoft 365 token theft
- From C# tools → to PowerShell → to low-level C++ disk access → to cloud-side abuse
- From files on monitored endpoints → to secrets in process memory → to access that never touches the endpoint at all
The report concludes that the attackers’ evolving techniques demonstrate an escalating threat to organizations that rely on hybrid or cloud-based email platforms.
As Kaspersky summarizes: “This attack enables the adversary to leverage the user’s browser to obtain OAuth 2.0 authorization tokens… to access corporate email outside the perimeter of the compromised infrastructure.”