ToddyCat APT Enhances Tools to Steal Outlook Emails & Microsoft 365 Tokens

These articles are AI-generated summaries. Please check the original sources for full details.

ToddyCat’s Evolving Tactics for Corporate Email Theft

The threat actor ToddyCat has been actively refining its toolkit to compromise corporate email systems, specifically targeting Outlook and Microsoft 365 environments. Since 2020, ToddyCat has consistently updated tools like Samurai, TomBerBil, and now TCSectorCopy to bypass security measures and exfiltrate sensitive data.

Why This Matters

Conventional security models assume perimeter defenses are sufficient, but ToddyCat demonstrates that data theft succeeds after the initial perimeter compromise. The cost of a single corporate email breach can exceed $4.35 million, including incident response, legal fees, and reputational damage, which highlights the critical need to understand post-compromise activity.

Key Insights

  • TCSectorCopy bypasses Outlook restrictions (2025): This tool allows access to locally stored OST files even when Outlook isn’t running.
  • SharpTokenFinder & ProcDump overcome security software (2025): ToddyCat adapts to blocked token dumping by utilizing Sysinternals tools for memory dumps.
  • TomBerBil leverages SMB for credential theft (2024): The PowerShell variant accesses browser data on domain controllers via network shares.

Working Example

# Example ProcDump command used by ToddyCat to dump Outlook process memory
procdump -ma outlook.exe outlook_memory_dump.dmp

Practical Applications

  • Use Case: Financial institutions experiencing targeted attacks from ToddyCat should prioritize endpoint detection and response (EDR) focused on memory analysis.
  • Pitfall: Relying solely on perimeter security without robust internal monitoring allows attackers like ToddyCat to move laterally and exfiltrate data undetected.
