ToddyCat Outlook email and Microsoft 365 token theft activity
Malware Activity
Summary
Hide ▲
Show ▼
ToddyCat expanded its email-theft tradecraft by using TCSectorCopy to copy Outlook OST files and harvest correspondence from target companies, increasing the risk that mail can be accessed outside the compromised network. The group also used SharpTokenFinder to pull Microsoft 365 authentication tokens and fell back to ProcDump after security software blocked a memory-dump attempt against Outlook.exe. Security researchers linked related activity to TomBerBil, SMB file access, and an earlier April 2024 exploit chain involving CVE-2024-11859 and TCESB.
Related Happenings
Microsoft 365 Copilot Enterprise SearchLeak remote code execution flaw (CVE-2026-42824)
Vulnerability
H score34
First: 15.06.2026 16:00
Last: 15.06.2026 16:00
Sources 1
About this happening:
**Microsoft 365 Copilot Enterprise Search** has a **critical** vulnerability chain, **SearchLeak**, that could let a user leak **emails, calendar details, MFA codes, and indexed f...
Microsoft 365 Copilot Enterprise SearchLeak remote code execution flaw (CVE-2026-42824)
VulnerabilityAbout this happening: **Microsoft 365 Copilot Enterprise Search** has a **critical** vulnerability chain, **SearchLeak**, that could let a user leak **emails, calendar details, MFA codes, and indexed f...
Tycoon2FA device-code phishing campaign targeting Microsoft 365
Campaign
H score46
First: 17.05.2026 17:43
Last: 17.05.2026 17:43
Sources 1
About this happening:
The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...
Tycoon2FA device-code phishing campaign targeting Microsoft 365
CampaignAbout this happening: The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...
Microsoft Exchange Server spoofing/XSS flaw under active exploitation (CVE-2026-42897)
Vulnerability
H score37
First: 15.05.2026 09:19
Last: 15.05.2026 09:19
Sources 1
About this happening:
**CVE-2026-42897** is an **actively exploited** **spoofing** vulnerability in **on-premises Microsoft Exchange Server** that can lead to **arbitrary JavaScript execution** in a br...
Microsoft Exchange Server spoofing/XSS flaw under active exploitation (CVE-2026-42897)
VulnerabilityAbout this happening: **CVE-2026-42897** is an **actively exploited** **spoofing** vulnerability in **on-premises Microsoft Exchange Server** that can lead to **arbitrary JavaScript execution** in a br...
Latest development: 09.06.2026 20:57
Microsoft identifies CVE-2026-42897 in Microsoft Exchange Server as an actively exploited spoofing vulnerability that can lead to JavaScript execution in a target’s browser when a specially crafted email is opened in Outlook Web Access under certain interaction conditions. Microsoft says mitigations are being pushed through the Exchange Emergency Mitigation Service while it continues work on the full update.
Code of conduct-themed Microsoft AiTM phishing campaign
Campaign
H score53
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...
Code of conduct-themed Microsoft AiTM phishing campaign
CampaignAbout this happening: A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
Campaign
H score39
First: 13.04.2026 21:55
Last: 13.04.2026 21:55
Sources 1
About this happening:
The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
W3LL Microsoft 365 adversary-in-the-middle phishing campaign
CampaignAbout this happening: The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...
Timeline
-
25.11.2025 13:36 2 articles · 7mo ago
ToddyCat Outlook email and Microsoft 365 token theft activity
Initial DisclosureIn **April 2024**, ToddyCat abused **CVE-2024-11859** in **ESET Command Line Scanner** to deliver **TCESB**. That earlier activity shows the group pairing exploitation with custom post-compromise tooling before shifting to mail and token theft.
Show sources
- ToddyCat’s New Hacking Tools Steal Outlook Emails and Microsoft 365 Access Tokens — thehackernews.com — 25.11.2025 13:36
- ToddyCat’s New Hacking Tools Steal Outlook Emails and Microsoft 365 Access Tokens — thehackernews.com — 25.11.2025 13:36