ToddyCat APT evolves to target Outlook archives and Microsoft 365 tokens

Outlook in the Crosshairs: Another evolution involves accessing actual mail data. ToddyCat deployed a tool named TCSectorCopy, a C++ utility that opens the disk as a read-only device and copies Outlook’s offline storage files (OST) sector by sector, bypassing any file-lock mechanisms that Outlook may enforce. Once OST files are extracted, they are fed into XstReader, an open-source viewer capable of parsing OST/PST mail archives, allowing the attackers to access the full content of corporate correspondence.

In environments that use cloud mail (like Microsoft 365), the new ToddyCat attempts to harvest OAuth 2.0 access tokens. Attackers can extract OAuth 2.0 tokens from a victim’s browser, allowing them to access corporate email even when they’re no longer inside the compromised network, a Kaspersky researcher said in the report. In at least one case, security software blocked their token-dumping attempt, researchers noted. Undeterred, the attackers switched to using a memory-dump tool (ProcDump from Sysinternals) to extract the tokens straight from the running Outlook process.

The report provides a set of malicious filenames, paths, and directories as indicators of compromise (IOCs) to support detection efforts. ToddyCat’s shift toward mail theft fits a broader trend seen in earlier campaigns, where the group used custom backdoors, covert traffic tunnels, and long-term espionage tactics against government and military networks across Europe and Asia.
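As an added detection-side example (not code from the CSO Online article or from Kaspersky's report): a small triage script that classifies constructed process-creation events into the three stages described above (raw-device OST copy, ProcDump against the Outlook process, XstReader parsing of the archive) and escalates hosts where more than one stage appears. The event format, host names, file paths and the copytool.exe name are assumptions made for the sample data.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (host, image path, command line); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    # Sector-level copy of a locked OST through a raw disk handle (TCSectorCopy behaviour; tool name is a placeholder)
    {"host": "WS01", "image": r"C:\Users\Public\copytool.exe",
     "cmdline": r"copytool.exe \\.\PhysicalDrive0 C:\Users\jdoe\AppData\Local\Microsoft\Outlook\jdoe.ost D:\x\jdoe.ost"},
    # ProcDump pointed at the running Outlook process (token recovery from memory)
    {"host": "WS01", "image": r"C:\Tools\procdump64.exe",
     "cmdline": r"procdump64.exe -accepteula -ma outlook.exe C:\Tools\out.dmp"},
    {"host": "WS02", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "OUTLOOK.EXE"},
    # ProcDump used by an admin on an unrelated process: no mail-theft finding
    {"host": "WS02", "image": r"C:\Tools\procdump64.exe",
     "cmdline": r"procdump64.exe -accepteula -ma notepad.exe C:\Tools\np.dmp"},
]

RAW_DEVICE = re.compile(r"\\\\\.\\(physicaldrive\d+|[a-z]:)", re.I)  # \\.\PhysicalDrive0 or \\.\C:
OST_FILE = re.compile(r"\.ost\b", re.I)
PROCDUMP = re.compile(r"procdump(64)?\.exe", re.I)
OUTLOOK_TARGET = re.compile(r"\boutlook(\.exe)?\b", re.I)
XSTREADER = re.compile(r"xstreader", re.I)

def classify(event):
    """Return the set of mail-theft stages a single process-creation event matches."""
    cmd, image = event["cmdline"], event["image"]
    stages = set()
    if RAW_DEVICE.search(cmd) and OST_FILE.search(cmd):   # raw device handle plus an OST path
        stages.add("ost_sector_copy")
    if PROCDUMP.search(image) and OUTLOOK_TARGET.search(cmd):  # ProcDump whose target is Outlook
        stages.add("outlook_memory_dump")
    if XSTREADER.search(image) or XSTREADER.search(cmd):  # offline parsing of the copied archive
        stages.add("ost_offline_parse")
    return stages

def triage(events):
    """Map each host to the sorted list of distinct stages observed on it (hosts with none are omitted)."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev)
    return {h: sorted(s) for h, s in per_host.items() if s}

def hosts_to_escalate(events, min_stages=2):
    """Hosts where at least min_stages of the chain were seen; single hits stay lower-priority alerts."""
    return sorted(h for h, s in triage(events).items() if len(s) >= min_stages)

if __name__ == "__main__":
    for host, stages in triage(SAMPLE_EVENTS).items():
        print(host, stages)
    print("escalate:", hosts_to_escalate(SAMPLE_EVENTS))
```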

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4096650/toddycat-apt-evolves-to-target-outlook-archives-and-microsoft-365-tokens.html
