Executive Summary
Between mid-2024 and early 2025, the ToddyCat advanced persistent threat (APT) group executed a sophisticated campaign targeting organizations' internal infrastructures to covertly access business email. Initially leveraging a new PowerShell variant of their TomBerBil tool to extract credentials, cookies, and encryption keys from browsers via SMB on privileged hosts, the group also introduced additional tools—TCSectorCopy and XstReader—to capture locked Outlook OST files and exfiltrate their contents. When detection increased, ToddyCat shifted to harvesting OAuth 2.0 tokens for Microsoft 365 mail through memory dumping, enhancing their ability to bypass on-host monitoring and access cloud emails externally. This campaign resulted in extensive compromise of sensitive correspondence, credentials, and lateral movement across impacted domains.
This incident underscores the rapidly evolving tactics of nation-state groups to overcome modern defenses, highlighting trends in cross-cloud compromise, credential harvesting, and exploitation of endpoint-to-cloud trust boundaries. ToddyCat's use of both system-level and identity-driven attacks mirrors the increasing prevalence of multifaceted cyber threat techniques.
Why This Matters Now
A surge in identity-centric threats and privilege escalation reinforces the urgent need for organizations to detect lateral movement, credential harvesting, and token theft across hybrid environments. ToddyCat's techniques reflect the broader transition of attackers exploiting both endpoint and cloud weaknesses, directly impacting business resilience and regulatory posture.
Attack Path Analysis
The ToddyCat APT began by compromising privileged accounts within the target infrastructure, then leveraged these privileges to deploy malicious tools and gain access to critical data. Privilege escalation enabled attackers to execute tools as domain administrators, granting them access to domain controllers and shared resources. From there, they moved laterally through SMB connections to harvest sensitive browser credential stores and Outlook OST files from multiple internal hosts. The attackers established command and control over internal systems, exfiltrating archives containing credentials, authentication tokens, and emails via outbound SMB or other egress methods. Data such as extracted credentials, memory dumps, and email archives were sent outside the environment, undermining the confidentiality of corporate correspondence. The attack resulted in significant information leakage and provided persistent access for further exploitation or business disruption.
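The lateral harvesting pattern described above (reads of browser credential stores and Outlook OST/PST files over SMB admin shares from many hosts) is visible to defenders in Windows Security Event ID 5145, which records each network share object access together with the share name, the path relative to the share and the client address; the event is only generated when the "Audit Detailed File Share" subcategory is enabled. The Python below is an added detection example written for this brief, not code from the Securelist report or from ToddyCat's tooling. The event records are constructed samples; the profile paths are the standard Chrome, Edge and Firefox credential and cookie store locations, and the threshold of three distinct hosts per client address is an arbitrary tuning value.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on Windows Security Event ID 5145
# (Detailed File Share). Field names follow the event schema; values are invented.
SAMPLE_EVENTS = [
    {"Computer": "WS-101", "IpAddress": "10.0.5.23", "SubjectUserName": "da-admin",
     "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Computer": "WS-102", "IpAddress": "10.0.5.23", "SubjectUserName": "da-admin",
     "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"Computer": "WS-103", "IpAddress": "10.0.5.23", "SubjectUserName": "da-admin",
     "ShareName": r"\\*\C$",
     "RelativeTargetName": r"Users\bob\AppData\Local\Microsoft\Outlook\bob@example.com.ost"},
    {"Computer": "WS-104", "IpAddress": "10.0.5.23", "SubjectUserName": "da-admin",
     "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": r"..\Users\carol\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default-release\logins.json"},
    {"Computer": "WS-101", "IpAddress": "10.0.9.7", "SubjectUserName": "dave",
     "ShareName": r"\\*\Projects",            # ordinary file share, out of scope
     "RelativeTargetName": r"Q3\report.docx"},
    {"Computer": "WS-105", "IpAddress": "10.0.9.7", "SubjectUserName": "svc-patch",
     "ShareName": r"\\*\C$",                  # admin share, but a benign path
     "RelativeTargetName": r"Windows\Temp\update.log"},
]

ADMIN_SHARES = {"c$", "admin$"}

# Browser secret stores: Chromium-family "Local State" (holds the DPAPI-wrapped
# key), "Login Data", cookie databases; Firefox logins/key/cookie files.
CREDENTIAL_STORE_PATTERNS = [
    re.compile(r"\\Chrome\\User Data\\(Local State|[^\\]+\\(Login Data|Cookies|Network\\Cookies))$", re.I),
    re.compile(r"\\Microsoft\\Edge\\User Data\\(Local State|[^\\]+\\(Login Data|Cookies|Network\\Cookies))$", re.I),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db|cookies\.sqlite)$", re.I),
]
MAIL_STORE_PATTERN = re.compile(r"\.(ost|pst)$", re.I)


def share_is_admin(share_name: str) -> bool:
    """True for the hidden administrative shares (C$, ADMIN$)."""
    leaf = share_name.rstrip("\\").rsplit("\\", 1)[-1].lower()
    return leaf in ADMIN_SHARES


def classify_target(path: str):
    """Label a share-relative path as a browser secret store, a mail store, or None."""
    if MAIL_STORE_PATTERN.search(path):
        return "outlook-data-file"
    for pat in CREDENTIAL_STORE_PATTERNS:
        if pat.search(path):
            return "browser-credential-store"
    return None


def analyze(events, host_threshold=3):
    """Return (findings, harvesters): one finding per sensitive admin-share read,
    plus the client addresses that touched at least host_threshold distinct hosts."""
    findings = []
    hosts_by_source = defaultdict(set)
    for ev in events:
        if not share_is_admin(ev["ShareName"]):
            continue
        kind = classify_target(ev["RelativeTargetName"])
        if kind is None:
            continue
        findings.append({"kind": kind, "host": ev["Computer"], "source": ev["IpAddress"],
                         "user": ev["SubjectUserName"], "path": ev["RelativeTargetName"]})
        hosts_by_source[ev["IpAddress"]].add(ev["Computer"])
    harvesters = sorted(ip for ip, hosts in hosts_by_source.items() if len(hosts) >= host_threshold)
    return findings, harvesters


if __name__ == "__main__":
    found, sources = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['kind']:26} {f['source']:>10} -> {f['host']} {f['path']}")
    print("likely harvesting sources:", sources)
```

A single admin-share read of a `Login Data` file by a domain admin can be legitimate support activity; the second signal, one client address reaching these files on several hosts within a short window, is what separates the campaign pattern from noise, so the two are reported separately.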
Kill Chain Progression
Initial Compromise
Description
The attackers gained access to privileged user accounts, likely through phishing, malware, or credential harvesting, providing an initial foothold inside the network.
Related CVEs
CVE-2024-11859
CVSS 7.8
A DLL search order hijacking vulnerability in ESET's Command Line Scanner (ecls.exe) allows attackers to execute arbitrary code by loading a malicious DLL.
Affected Products:
ESET Command Line Scanner (ecls.exe) – Prior to January 21, 2025 patch
Exploit Status:
Exploited in the wild
CVE-2021-36276
CVSS 7.8
A vulnerability in Dell's DBUtilDrv2.sys driver allows attackers to escalate privileges and execute arbitrary code in kernel mode.
Affected Products:
Dell DBUtilDrv2.sys – All versions prior to remediation
Exploit Status:
Exploited in the wild
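Both CVEs above are abused after the attacker already holds privileges, so the defender's signal is the load itself: a DLL mapped into ecls.exe that does not carry an expected signer, or a known vulnerable driver being loaded even though its Dell signature is still valid (the bring-your-own-vulnerable-driver pattern, where signature validity alone is not a useful filter). Sysmon Event ID 6 (DriverLoad) and Event ID 7 (ImageLoad) record ImageLoaded, Signed, Signature and SignatureStatus for exactly this purpose. The Python below is an added example for this brief, not ESET, Dell or Kaspersky code; the Sysmon records are constructed, the ESET install path and signer string are assumptions to confirm against a known-good load, and the driver list matches on file name with a placeholder hash where production would match SHA256 values from a vetted vulnerable-driver list.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon records (EventID 6 = DriverLoad, EventID 7 = ImageLoad).
# Field names follow the Sysmon schema; paths, signers and hashes are invented.
SAMPLE_SYSMON = [
    {"EventID": 7, "Image": r"C:\Program Files\ESET\ESET Security\ecls.exe",   # assumed path
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Program Files\ESET\ESET Security\ecls.exe",
     "ImageLoaded": r"C:\Users\Public\placeholder_module.dll",                  # constructed, unsigned
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unsigned"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\DBUtilDrv2.sys",
     "Hashes": "SHA256=<placeholder>", "Signed": "true",
     "Signature": "Dell Inc.", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=<placeholder>", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",               # not a watched process
     "ImageLoaded": r"C:\Users\Public\placeholder_module.dll",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unsigned"},
]

# Processes whose DLL loads are held to a strict signer allow-list.
# The ESET signer string is an assumption; confirm it from a known-good load.
WATCHED_PROCESSES = {"ecls.exe"}
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation", "ESET, spol. s r.o."}

# Drivers known to be vulnerable (the brief names DBUtilDrv2.sys, CVE-2021-36276).
# File-name match for illustration; production should match SHA256 from a vetted list.
KNOWN_VULNERABLE_DRIVERS = {"dbutildrv2.sys"}


def check_driver_load(ev):
    """Event 6: flag a known vulnerable driver regardless of its signature state."""
    name = PureWindowsPath(ev["ImageLoaded"]).name.lower()
    if name in KNOWN_VULNERABLE_DRIVERS:
        return {"rule": "known-vulnerable-driver", "image": ev["ImageLoaded"],
                "signature": ev.get("Signature"), "hashes": ev.get("Hashes")}
    return None


def check_image_load(ev):
    """Event 7: flag any DLL a watched process maps that is not validly signed
    by a trusted signer. Path is deliberately ignored: a hijacked DLL can sit
    in the application's own directory."""
    proc = PureWindowsPath(ev["Image"]).name.lower()
    if proc not in WATCHED_PROCESSES:
        return None
    signed_ok = (ev.get("Signed", "").lower() == "true"
                 and ev.get("SignatureStatus") == "Valid"
                 and ev.get("Signature") in TRUSTED_SIGNERS)
    if signed_ok:
        return None
    return {"rule": "untrusted-dll-in-watched-process", "process": ev["Image"],
            "image": ev["ImageLoaded"], "signature": ev.get("Signature")}


def evaluate(events):
    """Run the two checks over a stream of Sysmon records and return the findings."""
    findings = []
    for ev in events:
        if ev["EventID"] == 6:
            hit = check_driver_load(ev)
        elif ev["EventID"] == 7:
            hit = check_image_load(ev)
        else:
            hit = None
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_SYSMON):
        print(f)
```

The driver rule fires on the validly signed Dell driver and the DLL rule fires only for the watched ESET process, so the same unsigned DLL loaded by notepad.exe is left to other, broader rules rather than raising a false hit here.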
MITRE ATT&CK® Techniques
Credentials from Web Browsers
Data from Local System
Email Collection: Local Email Collection
OS Credential Dumping: LSASS Memory
Unsecured Credentials: Credentials In Files
System Service Discovery
Remote Services: SMB/Windows Admin Shares
Obfuscated Files or Information
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Implement automated audit trails for all system components
Control ID: 10.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Art. 5(2)
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Strong Authentication and Least Privilege
Control ID: Identity Pillar
NIS2 Directive – Technical and organisational measures to manage risks
Control ID: Article 21(2)(a)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
ToddyCat APT's email stealing techniques targeting Outlook threaten sensitive financial communications, requiring enhanced east-west traffic security and zero trust segmentation controls.
Health Care / Life Sciences
Advanced persistent threat compromising email systems poses severe HIPAA compliance risks, necessitating encrypted traffic protection and multicloud visibility for patient data security.
Government Administration
APT group's OAuth token theft and lateral movement capabilities create critical national security risks, demanding threat detection and anomaly response systems implementation.
Legal Services
Email correspondence theft attacks compromise attorney-client privilege and confidential legal communications, requiring egress security policy enforcement and secure hybrid connectivity measures.
Sources
- ToddyCat: your hidden email assistant. Part 1 – https://securelist.com/toddycat-apt-steals-email-data-from-outlook/118044/
- ToddyCat APT Exploits ESET Vulnerability to Deploy Stealth Malware – https://undercodenews.com/toddycat-apt-exploits-eset-vulnerability-to-deploy-stealth-malware/
- ToddyCat APT evolves to target Outlook archives and Microsoft 365 tokens – https://www.csoonline.com/article/4096650/toddycat-apt-evolves-to-target-outlook-archives-and-microsoft-365-tokens.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Deploying CNSF-aligned zero trust controls—such as east-west microsegmentation, centralized visibility, egress policy enforcement, and inline detection—would have contained lateral movement, prevented unauthorized file access, and detected abnormal data collection and exfiltration attempts at multiple kill chain stages.
Control: Threat Detection & Anomaly Response
Mitigation: Rapid detection of anomalous authentication and suspicious access attempts.
Control: Zero Trust Segmentation
Mitigation: Limits horizontal privilege expansion and unauthorized access to sensitive systems.
Control: East-West Traffic Security
Mitigation: Prevents unauthorized SMB and peer-to-peer traffic between workloads.
Control: Multicloud Visibility & Control
Mitigation: Comprehensive monitoring and policy enforcement on suspicious application and network behaviors.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents and detects unauthorized exfiltration of sensitive data.
Continuously reduces blast radius and enables rapid response to sensitive data exposure.
Impact at a Glance
Affected Business Functions
- Email Communications
- Data Security
- IT Operations
Estimated downtime: 7 days
Estimated loss: $500,000
Unauthorized access to sensitive corporate email communications, including confidential information and potential intellectual property, leading to reputational damage and regulatory scrutiny.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust segmentation and east-west traffic controls to block lateral SMB and unauthorized file access within cloud and hybrid workloads.
- Enable actionable egress security policies to detect and prevent unauthorized data exfiltration over SMB, RDP, and other outbound channels.
- Implement centralized, real-time visibility and anomaly detection to rapidly identify suspicious authentication, privilege escalation, and use of credential harvesting tools.
- Harden privileged identities and restrict administrative access using least privilege, MFA, and continuous posture monitoring across multicloud infrastructure.
- Automate detection and response through the Cloud Native Security Fabric, integrating inline enforcement and orchestration to reduce dwell time and remediate threats.