Cybersecurity

Toddycat’s New Hacking Tools Steal Outlook Emails And Microsoft 365...

2025-11-25 0 views admin
Toddycat’s New Hacking Tools Steal Outlook Emails And Microsoft 365...

The threat actor known as ToddyCat has been observed adopting new methods to obtain access to corporate email data belonging to target companies, including using a custom tool dubbed TCSectorCopy.

"This attack allows them to obtain tokens for the OAuth 2.0 authorization protocol using the user's browser, which can be used outside the perimeter of the compromised infrastructure to access corporate mail," Kaspersky said in a technical breakdown.

Earlier this April, the hacking group was attributed to the exploitation of a security flaw in ESET Command Line Scanner (CVE-2024-11859, CVSS score: 6.8) to deliver a previously undocumented malware codenamed TCESB.

Kaspersky said it detected a PowerShell variant of TomBerBil (as opposed to C++ and C# versions flagged before) in attacks that took place between May and June 2024, which comes with capabilities to extract data from Mozilla Firefox. A notable feature of this version is that it runs on domain controllers from a privileged user and can access browser files via shared network resources using the SMB protocol.

"The previous version of TomBerBil ran on the host and copied the user token. As a result, DPAPI was used to decrypt the master key in the user's current session, and subsequently the files themselves," researchers said. "In the newer server version, TomBerBil copies files containing user encryption keys that are used by DPAPI. Using these keys, as well as the user's SID and password, attackers can decrypt all copied files locally."

The threat actors have also been found to access corporate emails stored in local Microsoft Outlook storage in the form of OST (short for Offline Storage Table) files using TCSectorCopy ("xCopy.exe"), bypassing restrictions that limit access to such files when the application is running.

Written in C++, TCSectorCopy accepts as input a file to be copied (in this case, OST files) and then proceeds to open the disk as a read-only device and sequentially copy the file contents sector by sector. Once the OST files are written to a path of the attacker's choosing, the contents of the electronic correspondence are extracted using XstReader, an open-source viewer for Outlook OST and PST files.

Another tactic adopted by ToddyCat involves efforts to obtain access tokens directly from memory in cases where victim organizations used the Microsoft 365 cloud service. The JSON web tokens (JWTs) are obtained through an open-source C# tool named SharpTokenFinder, which enumerates Mi

Source: The Hacker News

🏷️ Tags

securityhackcvemalwareattack

More from Cybersecurity

New Microsoft Is Retiring 'send To Kindle' In Word 2026

New Microsoft Is Retiring 'send To Kindle' In Word 2026

2026-01-11 0
Complete Guide to Breachforums Hacking Forum Database Leaked, Exposing 324,000 Accounts

Complete Guide to Breachforums Hacking Forum Database Leaked, Exposing 324,000 Accounts

2026-01-10 0
Update: Spain Arrests 34 Suspects Linked To Black Axe Cyber Crime 2026

Update: Spain Arrests 34 Suspects Linked To Black Axe Cyber Crime 2026

2026-01-10 0
Latest: Ireland Recalls Almost 13,000 Passports Over Missing 'irl' Code

Latest: Ireland Recalls Almost 13,000 Passports Over Missing 'irl' Code

2026-01-10 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views