ToddyCat’s new party trick: stealing your tokens (and your Outlook)

Security researchers say the APT “ToddyCat” has upgraded its toolkit to pinch Outlook mail and Microsoft 365 access tokens. Fresh modules — including TCSectorCopy and TomBerBil — are tuned to swipe browser cookies/credentials (Chrome/Edge) and lift mailbox data directly from disk, helping the group persist and laterally move inside European and Asian organisations. The focus is credential and token theft rather than noisy ransomware, with toolchains designed to live off the land and blend with normal system activity. Patch, harden, and monitor for suspicious token use.

ToddyCat — an APT active since 2020 — has polished its bag of tricks for old-fashioned credential theft with a modern twist. Two stand-out tools, TCSectorCopy and TomBerBil, quietly harvest browser cookies and access tokens, then help themselves to Outlook data straight off disk. Once they’ve got your tokens, they don’t need your password — they can simply act as you across Microsoft 365 and web apps. Charming.

This isn’t smash-and-grab ransomware. It’s patient, quiet, and focused on persistence. By leaning on built-in utilities and well-timed data theft, the operators can move around corporate networks without setting off every alarm in the SOC. Targets remain a familiar mix across Europe and Asia, with reconnaissance aimed at finding mailboxes and browsers most likely to hold the keys to the kingdom.

What good looks like:
• Rotate tokens on sign-out, and watch for token re-use from odd locations.
• Enforce MFA and conditional access (device + location + risk).
• Reduce cookie lifetime; prefer sign-in frequency controls for sensitive roles.
• Harden and monitor Outlook/Office data paths; keep EDR tuned for suspicious exfil.

If an attacker can “be you” without your password, your best defence is to make sure being you is hard: strong identity policies, short-lived tokens, and vigilant monitoring.
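Two of the controls above (watching for token re-use from odd locations, and short-lived tokens) can be checked directly against sign-in telemetry. The following is an added example, not code from the report or from any vendor: it runs a simple replay check over constructed sign-in records, flagging a session token that turns up in a different country shortly after it was issued, and a token still in use well past its expected lifetime. The record fields, the one-hour travel window and the eight-hour maximum age are assumptions, not a real Microsoft 365 log schema or policy.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (field names are assumptions, not a
# real Microsoft 365 schema). Each record is one use of a session token.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:00", "user": "alice", "session": "S1", "ip": "203.0.113.10", "country": "DE"},
    {"ts": "2024-05-01T08:05:00", "user": "alice", "session": "S1", "ip": "203.0.113.10", "country": "DE"},
    # same token, 20 minutes later, from another country: looks like a replayed token
    {"ts": "2024-05-01T08:20:00", "user": "alice", "session": "S1", "ip": "198.51.100.7", "country": "SG"},
    {"ts": "2024-05-01T09:00:00", "user": "bob", "session": "S2", "ip": "192.0.2.5", "country": "FR"},
    # same token a day later from the usual place: fine location, but it should have expired
    {"ts": "2024-05-02T09:10:00", "user": "bob", "session": "S2", "ip": "192.0.2.5", "country": "FR"},
]


def find_token_anomalies(events, travel_window=timedelta(hours=1), max_age=timedelta(hours=8)):
    """Flag session tokens reused from a different country within travel_window
    of their first use, and tokens still in use after max_age (assumed lifetime)."""
    issued = {}  # (user, session) -> (first_ts, first_ip, first_country)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["session"])
        if key not in issued:
            issued[key] = (ts, ev["ip"], ev["country"])  # first sighting = issuance
            continue
        t0, ip0, c0 = issued[key]
        age = ts - t0
        base = {"user": ev["user"], "session": ev["session"], "age": age,
                "issued_from": f"{ip0} ({c0})", "used_from": f"{ev['ip']} ({ev['country']})"}
        if ev["country"] != c0 and age <= travel_window:
            alerts.append({**base, "reason": "geo_mismatch"})  # impossible-travel style reuse
        if age > max_age:
            alerts.append({**base, "reason": "stale_token"})  # lifetime policy not enforced
    return alerts


if __name__ == "__main__":
    for alert in find_token_anomalies(SAMPLE_EVENTS):
        print(alert["reason"], alert["user"], alert["session"], alert["issued_from"], "->", alert["used_from"])
```

In a real deployment the first sighting would come from the token issuance event rather than the first use seen in the log, and the country check would be replaced by distance-over-time against the sign-in's geolocation.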