Why ToddyCat’s new tricks are raising alarms
Security vendor Kaspersky recently published a technical analysis showing that ToddyCat has refined techniques for stealing corporate email and Microsoft 365 credentials. The group now uses TCSectorCopy to extract offline Outlook mail stores (OST files) and leverages browser cookie theft, DPAPI key extraction, and memory-dumping tools to obtain OAuth 2.0 tokens and access corporate mail outside the network perimeter.
What makes this threat so sophisticated
- New tools: TCSectorCopy (xCopy.exe) for sector-by-sector OST extraction; TomBerBil (PowerShell and other variants) for browser cookie and credential theft.
- Token theft: Attackers obtain OAuth 2.0 / JWT tokens via memory dumps and SharpTokenFinder, allowing cloud mailbox access without credentials.
- DPAPI abuse: ToddyCat copies DPAPI-protected key files from domain controllers and decrypts browser secrets using recovered keys and SIDs.
- Scope: Targeting organizations across Europe and Asia; active since at least 2020 with ongoing tool evolution.
Step inside the attack chain
Gaining a foothold and moving through networks
ToddyCat often starts with phishing, exploits, or supply-chain vectors. Once inside, they escalate privileges and move laterally using scheduled tasks and SMB access to remote hosts.
Collecting browser data and DPAPI keys
Operators deploy TomBerBil to copy browser files—history, cookies, saved credentials—via SMB. These files are encrypted with DPAPI, but ToddyCat can extract master keys, SIDs, and sometimes passwords to decrypt the artifacts locally.
Harvesting Outlook offline stores
Using TCSectorCopy, attackers copy OST files sector by sector without stopping Outlook or logging out users, giving them access to all locally stored emails.
Grabbing live cloud tokens
To reach Microsoft 365 mailboxes, ToddyCat pulls OAuth/JWT tokens from process memory using SharpTokenFinder or memory-dump tools like ProcDump, bypassing traditional authentication.
Why this approach is so dangerous
- Perimeter bypass: OAuth tokens let attackers access cloud mailboxes from anywhere without credentials.
- Silent exfiltration: OST files and tokens let attackers read sensitive emails without leaving obvious traces.
- Persistent access: DPAPI key theft and artifact storage allow attackers to restore access even after cleanup.
What defenders often miss
Endpoint compromises can instantly threaten the cloud
ToddyCat demonstrates that endpoint breaches translate directly into cloud account takeovers. Traditional network defenses—firewalls, IP allowlists—are less effective when OAuth tokens are stolen. Endpoint hygiene is now the first line of cloud defense.
DPAPI keys are high-value targets
Attackers can decrypt stored credentials if they capture master keys and SIDs. Organizations should enforce strict access controls on domain controllers, restrict SMB access, and consider hardware-backed key protections like TPM or Azure AD Credential Guard.
Immediate steps security teams can take
- Harden endpoints: use process whitelisting, monitor ProcDump usage, and block unsigned binaries like xCopy.exe.
- Limit SMB exposure: enforce least privilege and disable unnecessary SMB access.
- Protect DPAPI keys: secure domain controllers, restrict service accounts, and avoid storing keys on disk when possible.
- Detect token theft: monitor for anomalous OAuth activity and require reauthentication for sensitive actions.
- EDR hunting: look for TomBerBil behavior, TCSectorCopy disk reads, and abnormal ProcDump usage.
- Enable MFA and conditional access: restrict token use to trusted devices or locations.
- Secure offline stores: treat OST/PST files as sensitive and monitor their movement.
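The "detect token theft" and "enable MFA and conditional access" items above both come down to noticing when a token issued to one device is replayed from somewhere else. The following is an added example, not code from Kaspersky's report or from the article: it runs a simple session-reuse check over constructed sign-in records shaped loosely like Microsoft Entra sign-in logs (the field names user, session, ip, app and ts are assumptions, not a documented schema), and lists the users whose tokens should be revoked.

```python
"""Flag a session/token id used from more than one source IP in a short window.

A client that legitimately holds a token rarely switches source address
within a session; a token lifted from process memory and replayed from
outside the perimeter does exactly that. Added example; record layout is
an assumption modelled on cloud sign-in logs, not a vendor schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. "s-1" is used twice from an office address and
# then, fifteen minutes later, from an unrelated address via a different
# client app: the pattern a replayed token produces. "s-2" changes address
# only after a full day, which a roaming laptop can do legitimately.
SAMPLE_SIGNINS = [
    {"ts": "2024-05-01T08:00:00", "user": "alice@example.com", "session": "s-1",
     "ip": "203.0.113.10", "app": "Outlook"},
    {"ts": "2024-05-01T08:05:00", "user": "alice@example.com", "session": "s-1",
     "ip": "203.0.113.10", "app": "Outlook"},
    {"ts": "2024-05-01T08:20:00", "user": "alice@example.com", "session": "s-1",
     "ip": "198.51.100.77", "app": "Graph Explorer"},
    {"ts": "2024-05-01T09:00:00", "user": "bob@example.com", "session": "s-2",
     "ip": "203.0.113.11", "app": "Outlook"},
    {"ts": "2024-05-02T09:00:00", "user": "bob@example.com", "session": "s-2",
     "ip": "203.0.113.12", "app": "Outlook"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def find_session_ip_changes(records, window=timedelta(hours=1)):
    """Return one alert per sign-in whose session id was last used from a
    different IP less than `window` earlier."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[(rec["user"], rec["session"])].append(rec)

    alerts = []
    for (user, session), events in by_session.items():
        events.sort(key=lambda e: _ts(e["ts"]))
        last_seen = {}  # ip -> last time this session was used from it
        for ev in events:
            now = _ts(ev["ts"])
            for ip, seen in last_seen.items():
                if ip != ev["ip"] and now - seen <= window:
                    alerts.append({
                        "user": user, "session": session,
                        "prior_ip": ip, "new_ip": ev["ip"],
                        "app": ev["app"], "ts": ev["ts"],
                    })
                    break
            last_seen[ev["ip"]] = now
    return alerts


def users_to_revoke(alerts):
    """Accounts whose refresh tokens and sessions should be revoked and
    re-authenticated (the automated-revocation step in a response playbook)."""
    return sorted({a["user"] for a in alerts})


if __name__ == "__main__":
    found = find_session_ip_changes(SAMPLE_SIGNINS)
    for a in found:
        print(f"{a['ts']} {a['user']} session {a['session']}: "
              f"{a['prior_ip']} -> {a['new_ip']} via {a['app']}")
    print("revoke:", users_to_revoke(found))
```

The window is the tuning knob: a one-hour window catches the replay while letting the next-day address change pass, and in production the same check is stronger when the session id is joined to device-compliance or conditional-access results so that a token reused from an unmanaged device is flagged regardless of timing.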
First moves for incident responders
- Isolate affected endpoints and collect volatile memory and logs.
- Scan for Indicators of Compromise like unknown scheduled tasks, xCopy.exe, SharpTokenFinder, ProcDump activity, or SMB reads of sensitive files.
- Rotate tokens and credentials to prevent further access.
- Reset accounts and audit mailbox delegation or forwarding rules for suspicious changes.
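The IoC sweep in the second responder step (unknown scheduled tasks, xCopy.exe, SharpTokenFinder, ProcDump activity) is easy to script once process-creation telemetry is available. The block below is an added example, not from the article or Kaspersky's analysis: it hunts over constructed Sysmon-style process-creation events (field names EventID, Image, CommandLine, User and UtcTime are assumptions modelled on Sysmon Event ID 1) for the tool names the article lists, and it adds the check a practitioner needs for xCopy.exe, since the genuine Windows xcopy.exe lives in System32 and only a copy running from elsewhere deserves an alert.

```python
"""Hunt process-creation events for the ToddyCat tooling named in the article.

Added example. Event shape is an assumption based on Sysmon Event ID 1;
paths, users and task names in the sample data are constructed.
"""
import json
import re
from pathlib import PureWindowsPath

# Where the legitimate Windows xcopy.exe is expected to run from.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Extracts the task name from `schtasks /Create /TN <name>` (quoted or not).
TASK_RE = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# Constructed sample events, one JSON object per line.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "UtcTime": "2024-05-01 08:01:00", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\xcopy.exe",
     "CommandLine": "xcopy C:\\Reports D:\\Backup /E"},
    {"EventID": 1, "UtcTime": "2024-05-01 08:02:00", "User": "CORP\\svc-backup",
     "Image": "C:\\Users\\Public\\xCopy.exe",
     "CommandLine": "xCopy.exe alice.ost C:\\Users\\Public\\a.dat"},
    {"EventID": 1, "UtcTime": "2024-05-01 08:03:00", "User": "CORP\\svc-backup",
     "Image": "C:\\Tools\\procdump64.exe",
     "CommandLine": "procdump64.exe lsass.exe C:\\Temp\\out.dmp"},
    {"EventID": 1, "UtcTime": "2024-05-01 08:04:00", "User": "CORP\\svc-backup",
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /Create /TN \"Updater\" /TR C:\\Users\\Public\\u.exe /SC MINUTE"},
    {"EventID": 1, "UtcTime": "2024-05-01 08:05:00", "User": "CORP\\admin",
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /Create /TN Backup /TR C:\\Scripts\\backup.cmd /SC DAILY"},
    {"EventID": 1, "UtcTime": "2024-05-01 08:06:00", "User": "CORP\\svc-backup",
     "Image": "C:\\Users\\Public\\SharpTokenFinder.exe",
     "CommandLine": "SharpTokenFinder.exe"},
    {"EventID": 1, "UtcTime": "2024-05-01 08:07:00", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
])


def classify(event, baseline_tasks):
    """Return (severity, reason) for a suspicious event, or None."""
    image = event.get("Image", "")
    name = PureWindowsPath(image).name.lower()
    cmd = event.get("CommandLine", "")
    cmd_l = cmd.lower()

    if name == "sharptokenfinder.exe":
        return "high", "SharpTokenFinder execution (OAuth token harvesting from memory)"
    if name.startswith("procdump"):
        if "lsass" in cmd_l:
            return "high", "ProcDump targeting LSASS (credential/token memory dump)"
        return "medium", "ProcDump usage; compare against approved debugging activity"
    if name == "xcopy.exe" and not image.lower().startswith(SYSTEM_DIRS):
        return "high", "xcopy.exe running outside System32: possible TCSectorCopy masquerade"
    if name == "schtasks.exe" and "/create" in cmd_l:
        match = TASK_RE.search(cmd)
        task = (match.group(1) or match.group(2)) if match else None
        if task not in baseline_tasks:
            return "medium", f"scheduled task {task!r} created outside the known baseline"
    return None


def hunt(jsonl, baseline_tasks=frozenset()):
    """Scan JSON-lines process-creation events and return a list of findings."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("EventID") != 1:
            continue
        hit = classify(event, baseline_tasks)
        if hit:
            severity, reason = hit
            findings.append({"severity": severity, "reason": reason,
                             "time": event.get("UtcTime"), "user": event.get("User"),
                             "image": event.get("Image")})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, baseline_tasks={"Backup"}):
        print(f"[{f['severity']}] {f['time']} {f['user']} {f['image']}: {f['reason']}")
```

Feed it the exported Sysmon or EDR process events for the isolated host and a baseline set of task names taken from a known-good image; findings cluster by user and minute, which in the constructed data makes the svc-backup account's sequence (renamed copy tool, LSASS dump, persistence task, token finder) stand out as one chain rather than four unrelated hits.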
Building longer-term defenses
- Adopt an assume-breach posture with endpoint hardening, rapid detection, and automated token revocation.
- Invest in EDR/XDR telemetry to catch lateral movement and key theft early.
- Integrate cloud IAM hygiene into exercises: practice token revocation, sign-in anomaly detection, and mailbox forensics.
