ToddyCat revamps attack arsenal for email compromise

Email security, Threat Intelligence

The Hacker News reports that the advanced persistent threat group ToddyCat has adopted several new tactics to compromise corporate Outlook mailboxes and Microsoft 365 access tokens.

ToddyCat intrusions between May and June 2024 involved a PowerShell-based version of the TomBerBil malware, which copied the files holding the user encryption keys used by the Windows Data Protection API (DPAPI) and enabled extraction of Mozilla Firefox data, according to Kaspersky researchers.

ToddyCat also used the TCSectorCopy tool to read corporate email from local Outlook storage, and the open-source XstReader viewer to extract the contents of that correspondence. Additional findings showed ToddyCat using the open-source SharpTokenFinder tool to enumerate Microsoft 365 applications for plaintext authentication tokens.

"The ToddyCat APT group is constantly developing its techniques and looking for those that would hide activity to gain access to corporate correspondence within the compromised infrastructure," said Kaspersky.