ATLA WIRE

ToddyCat's New Hacking Tools Steal Outlook Emails and Microsoft 365 Access Tokens

26.11.2025
ToddyCat has upgraded tools such as TCSectorCopy and TomBerBil to steal corporate email and browser data from Outlook and Microsoft 365 environments, bypassing the defenses around them.

ToddyCat just leveled up their cybercrime game with upgraded tools that are straight-up stealing corporate emails and Microsoft 365 access tokens. We're talking TCSectorCopy and TomBerBil getting major upgrades to bypass defenses and snatch sensitive data.
These aren't your average script kiddie tools - we're talking sophisticated malware that's specifically targeting Outlook and Microsoft 365 environments. The threat actors are using PowerShell-based attacks to extract email data and authentication tokens, giving them persistent access to corporate networks.
The TCSectorCopy tool has been enhanced to perform low-level disk operations, allowing it to bypass traditional security controls and directly access email databases. Meanwhile, TomBerBil focuses on browser data extraction, specifically targeting saved credentials and session cookies from Microsoft Edge and Chrome browsers.
  • TCSectorCopy: Enhanced disk-level operations for email database access
  • TomBerBil: Browser data extraction focusing on credentials and sessions
  • PowerShell-based execution for stealth and persistence
  • Microsoft 365 access token theft for continued network access
  • Outlook email data exfiltration capabilities
What makes this particularly dangerous is how these tools work together - they create a complete attack chain from initial compromise to data exfiltration. The access token theft means attackers can maintain persistence even after passwords are changed, while the email theft gives them corporate intelligence and potential blackmail material.
Security teams need to be on high alert for PowerShell activity in their environments and implement strict application control policies. Multi-factor authentication and conditional access policies in Microsoft 365 are no longer optional - they're essential defenses against these sophisticated attacks.
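To make "on high alert for PowerShell activity" concrete, here is an added example that is not part of this article and not ToddyCat's or any vendor's tooling: a small Python triage that scores PowerShell script-block log entries against the behaviours described above (raw disk reads of Outlook data files, Chrome/Edge credential and cookie stores, Microsoft 365 token handling, encoded commands). The indicator patterns, the threshold, the cmdlet names `Copy-Sectors` and `Stage-File`, and the sample events are all constructed assumptions for illustration.

```python
import re

# Indicator categories derived from the behaviours in the article: raw
# physical-disk reads (one way a tool can copy a locked Outlook data file),
# Outlook .ost/.pst files, Chrome/Edge secret stores, the Microsoft 365 token
# endpoint and encoded commands. Patterns are this example's assumptions,
# not vendor signatures; tune them to your own environment.
INDICATORS = {
    "raw_disk_access": re.compile(r"\\\\\.\\(PhysicalDrive\d+|[A-Z]:)", re.I),
    "outlook_datafile": re.compile(r"\.(ost|pst)\b", re.I),
    "browser_secret_store": re.compile(r"\b(Login Data|Cookies|Local State)\b", re.I),
    "browser_profile_path": re.compile(r"(Google\\Chrome|Microsoft\\Edge)\\User Data", re.I),
    "m365_token": re.compile(r"(access_token|Bearer |login\.microsoftonline\.com)", re.I),
    "encoded_command": re.compile(r"\s-e(c|nc|ncodedcommand)?(\s|$)", re.I),
}


def score_script_block(text):
    """Return the names of every indicator category that fires on one script block."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def triage(events, threshold=2):
    """Flag events where at least `threshold` distinct categories fire.

    Requiring more than one category keeps a lone admin token request or a
    single .pst backup from paging someone; the combinations are the signal.
    """
    flagged = []
    for ev in events:
        hits = score_script_block(ev["script"])
        if len(hits) >= threshold:
            flagged.append({"id": ev["id"], "user": ev["user"], "hits": hits})
    return flagged


# Constructed sample events (not real telemetry); Copy-Sectors and Stage-File
# are made-up cmdlet names standing in for whatever the logged script called.
SAMPLE_EVENTS = [
    {"id": 1, "user": "CORP\\jdoe", "script": "Get-ChildItem C:\\Users\\jdoe\\Documents | Measure-Object"},
    {"id": 2, "user": "CORP\\svc-backup",
     "script": "Copy-Sectors -Device '\\\\.\\PhysicalDrive0' -Offset $start -Out 'C:\\tmp\\jdoe.ost'"},
    {"id": 3, "user": "CORP\\jdoe",
     "script": "powershell -enc <omitted> ; Stage-File 'C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data'"},
    {"id": 4, "user": "CORP\\admin",
     "script": "Invoke-RestMethod -Uri https://login.microsoftonline.com/common/oauth2/v2.0/token -Method Post"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f['id']} ({f['user']}): {', '.join(f['hits'])}")
```

Feed it script-block text from Event ID 4104 (or equivalent EDR telemetry) rather than the constructed list to use it for real.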