
Cyberattacks take many forms. But when an Advanced Persistent Threat (APT) like "ToddyCat" specifically targets business-critical email communication, we leave the realm of technical security issues and enter the territory of clear economic espionage. Organizations today face the reality that their email traffic is not just a means of communication, but a valuable data space—and a highly attractive target for attackers.
Cybersecurity analysts at the IT security company Kaspersky have detailed how ToddyCat gains access to Outlook mailboxes and Microsoft 365 login credentials. The attackers combine tried-and-tested methods with new, sophisticated tools to systematically extract sensitive corporate data. For business leaders, this means more than just an IT crisis is at stake. It threatens the protection of trade secrets, customer loyalty, the value of intellectual property, and, not least, regulatory risks.
This article analyzes ToddyCat's attack strategy, strategically assesses the threat landscape, and demonstrates how companies can—and should—respond effectively. Furthermore, we explain how ProSec, as a specialized cyber defense partner, provides structured support to identify attack surfaces early and systematically protect critical business areas.
ToddyCat has been active in Europe and Asia since at least 2020, with a clear focus on government agencies, technology companies, and organizations that handle sensitive data. Recent analyses show that the attacker is specifically targeting Microsoft Outlook files and stored access tokens for Microsoft 365. The attacker's tools—such as "TCSectorCopy," "TomBerBil," and "SharpTokenFinder"—are not a random mix of code, but precisely programmed tools designed to systematically access digital correspondence, login credentials, and browser sessions.
This is not a general wave of attacks, not mass phishing, but a targeted operation with clearly defined objectives and a high degree of impact. This places the threat in the context of industrial espionage, because systems are not destroyed—but rather observed, copied, and infiltrated. A silent, yet extremely effective method of economic manipulation.
Outlook files (so-called OST files), stored locally on company computers, contain complete email archives including attachments, calendar entries, meeting notes, and sometimes even access data in the form of forwards or password resets. Anyone who can read these files not only has an overview of the content of projects, customer communications, or supplier relationships, but also understands internal decision-making processes.
ToddyCat uses "TCSectorCopy," a tool that copies Outlook files at the sector level—even while the application is running. This method bypasses traditional file and access restrictions and runs in the background, virtually invisible to many standard endpoint security solutions.
In combination with "XstReader"—an open-source tool for analyzing Outlook files—attackers can systematically evaluate confidential emails within hours. This particularly affects executive mailboxes and thus often also data from M&A transactions, legal disputes, or tender strategies.
Web browsers are also targets: a special PowerShell Trojan called "TomBerBil" can read cookies, passwords, and browsing history – even across the network via SMB shares. At the same time, ToddyCat's tools access so-called OAuth access tokens, which are used, among other things, to authenticate to Microsoft 365 and other API-based applications.
These tokens are extracted from running processes (e.g., Outlook.exe) or from RAM – even when two-factor authentication (2FA) is in use. Tools like "SharpTokenFinder" or, as a fallback, "ProcDump" are used to extract valid tokens from memory and reuse them from a different geographic location. The affected user typically remains unaware of this.
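One way a defender can watch for the two collection steps described above (sector-level copying of the OST file and reading tokens out of Outlook's memory) is to flag raw volume reads and memory-read handles to OUTLOOK.EXE from unexpected binaries. This is an added illustration, not code from Kaspersky or ProSec; it assumes Sysmon-style RawAccessRead (Event ID 9) and ProcessAccess (Event ID 10) telemetry, and the sample events and allowlists are constructed.

```python
import os

PROCESS_VM_READ = 0x0010  # Win32 access right required to read another process's memory

# Assumed allowlists of legitimate tooling; tune these for your environment.
RAW_READ_ALLOWLIST = {"vssvc.exe", "defrag.exe", "wbengine.exe"}
OUTLOOK_ACCESS_ALLOWLIST = {"csrss.exe", "lsass.exe", "msmpeng.exe"}

OUTLOOK = "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"

# Constructed sample events in a simplified Sysmon-like shape (EventID 9 = RawAccessRead,
# EventID 10 = ProcessAccess). Paths and names are made up for the example.
SAMPLE_EVENTS = [
    {"EventID": 9, "Image": "C:\\Windows\\System32\\vssvc.exe", "Device": "\\Device\\HarddiskVolume2"},
    {"EventID": 9, "Image": "C:\\Users\\Public\\copytool.exe", "Device": "\\Device\\HarddiskVolume2"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": OUTLOOK, "GrantedAccess": "0x1400"},
    {"EventID": 10, "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\MsMpEng.exe", "TargetImage": OUTLOOK, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": "C:\\Tools\\procdump64.exe", "TargetImage": OUTLOOK, "GrantedAccess": "0x1FFFFF"},
]


def _basename(path):
    """Case-insensitive file name from a Windows path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def raw_volume_reads(events, allowlist=RAW_READ_ALLOWLIST):
    """Event 9: processes reading a volume at sector level (how an in-use OST file is copied)."""
    return [e["Image"] for e in events
            if e.get("EventID") == 9 and _basename(e["Image"]) not in allowlist]


def outlook_memory_readers(events, allowlist=OUTLOOK_ACCESS_ALLOWLIST):
    """Event 10: handles to OUTLOOK.EXE that include PROCESS_VM_READ (what a memory dumper needs)."""
    hits = []
    for e in events:
        if e.get("EventID") != 10 or _basename(e["TargetImage"]) != "outlook.exe":
            continue
        if int(e["GrantedAccess"], 16) & PROCESS_VM_READ and _basename(e["SourceImage"]) not in allowlist:
            hits.append(e["SourceImage"])
    return hits


def triage(events):
    """Return (finding_type, offending_image) pairs for both techniques."""
    findings = [("ost_sector_copy", img) for img in raw_volume_reads(events)]
    findings += [("outlook_memory_read", img) for img in outlook_memory_readers(events)]
    return findings


if __name__ == "__main__":
    for kind, image in triage(SAMPLE_EVENTS):
        print(f"{kind}: {image}")
```

The allowlists are the weak point of such a rule: an attacker running on a domain controller with high privileges can name or sign a binary to blend in, so pair this with baselining of which processes normally open raw volume handles.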
This poses a risk for companies that extends far beyond technical spheres: data can be exfiltrated, analyzed and passed on in real time – possibly even to your competitors.
What's particularly alarming is that ToddyCat isn't limited to individual workstations. The malware sometimes runs on domain controllers – the central instances of corporate networks responsible for authentication, group policies, and user management. This means the attackers operate at the highest privilege level of an IT infrastructure – with maximum access and minimal risk of detection.
The goal is clearly not sabotage, but extraction: data acquisition, insight into communications, access control. This is precisely how modern digital industrial espionage works. And that is precisely why this is not an IT problem, but a strategic risk at the board level.
From the perspective of company management – whether CEO, CIO, CISO or CSO – several dimensions of action emerge:
Most security measures in enterprise environments rely on classic security concepts: firewalls, endpoint protection, and regular updates. However, ToddyCat's approach demonstrates that these defense mechanisms are either too superficial or react too late.
Therefore, companies need a security strategy that goes much deeper:
ProSec specializes in the identification, analysis, and sustainable mitigation of highly specialized attack vectors like those of ToddyCat. Our expertise in red teaming, threat hunting, penetration testing, and incident-based hardening enables us to uncover complex attack vectors before they cause damage.
Specific support from ProSec:
Benefit from a collaborative partnership with your IT and security team on equal footing. Together, we strengthen not only your defenses but also your company-wide digital resilience.