Find notable cyber news and cases, enriched with sources, timelines, and signals.

ToddyCat Outlook email and Microsoft 365 token theft activity

Malware Activity
First reported
Last updated
Happening score
H score 29
1 unique sources, 1 articles

Summary

Hide ▲

ToddyCat expanded its email-theft tradecraft by using TCSectorCopy to copy Outlook OST files and harvest correspondence from target companies, increasing the risk that mail can be accessed outside the compromised network. The group also used SharpTokenFinder to pull Microsoft 365 authentication tokens and fell back to ProcDump after security software blocked a memory-dump attempt against Outlook.exe. Security researchers linked related activity to TomBerBil, SMB file access, and an earlier April 2024 exploit chain involving CVE-2024-11859 and TCESB.

Related Happenings

Microsoft 365 Copilot Enterprise SearchLeak remote code execution flaw (CVE-2026-42824)

Vulnerability
H score34 First: 15.06.2026 16:00 Last: 15.06.2026 16:00 Sources 1

About this happening: **Microsoft 365 Copilot Enterprise Search** has a **critical** vulnerability chain, **SearchLeak**, that could let a user leak **emails, calendar details, MFA codes, and indexed f...

Tycoon2FA device-code phishing campaign targeting Microsoft 365

Campaign
H score46 First: 17.05.2026 17:43 Last: 17.05.2026 17:43 Sources 1

About this happening: The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...

Microsoft Exchange Server spoofing/XSS flaw under active exploitation (CVE-2026-42897)

Vulnerability
H score37 First: 15.05.2026 09:19 Last: 15.05.2026 09:19 Sources 1

About this happening: **CVE-2026-42897** is an **actively exploited** **spoofing** vulnerability in **on-premises Microsoft Exchange Server** that can lead to **arbitrary JavaScript execution** in a br...

Latest development: 09.06.2026 20:57

Microsoft identifies CVE-2026-42897 in Microsoft Exchange Server as an actively exploited spoofing vulnerability that can lead to JavaScript execution in a target’s browser when a specially crafted email is opened in Outlook Web Access under certain interaction conditions. Microsoft says mitigations are being pushed through the Exchange Emergency Mitigation Service while it continues work on the full update.

Code of conduct-themed Microsoft AiTM phishing campaign

Campaign
H score53 First: 05.05.2026 09:35 Last: 05.05.2026 09:35 Sources 1

About this happening: A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...

W3LL Microsoft 365 adversary-in-the-middle phishing campaign

Campaign
H score39 First: 13.04.2026 21:55 Last: 13.04.2026 21:55 Sources 1

About this happening: The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...

Timeline

  1. 25.11.2025 13:36 2 articles · 7mo ago

    ToddyCat Outlook email and Microsoft 365 token theft activity

    Initial Disclosure

    In **April 2024**, ToddyCat abused **CVE-2024-11859** in **ESET Command Line Scanner** to deliver **TCESB**. That earlier activity shows the group pairing exploitation with custom post-compromise tooling before shifting to mail and token theft.

    Show sources