
ToddyCat Outlook email and Microsoft 365 token theft activity

Malware Activity
Happening score: 21
1 unique source, 1 article

Summary


ToddyCat expanded its email-theft tradecraft with TCSectorCopy, a tool used to copy Outlook OST files (the local offline cache of a user's mailbox) so that correspondence from target companies can be harvested and read outside the compromised network. The group also used SharpTokenFinder to extract Microsoft 365 authentication tokens, and fell back to ProcDump when security software blocked its attempt to dump the memory of Outlook.exe. Researchers linked related activity to TomBerBil, to file collection over SMB, and to an earlier April 2024 exploit chain in which CVE-2024-11859 was used to deliver TCESB.
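The three behaviours in the summary each leave telemetry on the endpoint: a ProcDump memory dump of Outlook.exe (Sysmon Event ID 1), a tool opening Outlook.exe with memory-read rights (Sysmon Event ID 10), and a sector-level copy of a locked OST file, which shows up as a raw volume read (Sysmon Event ID 9). The detection logic below is an added example, not code from the page or from any vendor report; it assumes Sysmon events represented as dicts keyed by Sysmon field names, and the events, image paths and allowlists are constructed for illustration.

```python
"""Sysmon-based detection for Outlook mail and token theft (added example).

Assumes events are dicts keyed by Sysmon field names. Sample events below
are constructed, not real telemetry.
"""

from dataclasses import dataclass

# Sysmon event IDs used here (from the Sysmon schema).
PROCESS_CREATE = 1     # process creation; carries OriginalFileName and CommandLine
RAW_ACCESS_READ = 9    # read of a volume via \\.\ notation, bypassing the file system
PROCESS_ACCESS = 10    # OpenProcess on another process; carries GrantedAccess

# Bit in GrantedAccess that permits reading the target's memory (PROCESS_VM_READ).
PROCESS_VM_READ = 0x0010

# Assumed allowlists (hypothetical; tune per estate, e.g. backup agents and EDR).
RAW_READ_ALLOW = {"vssvc.exe", "msmpeng.exe"}
PROCESS_ACCESS_ALLOW = {"csrss.exe", "wmiprvse.exe", "taskmgr.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    event_id: int
    image: str
    detail: str


def basename(path: str) -> str:
    """Lower-case file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one Alert per event matching the Outlook mail/token theft pattern."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid == PROCESS_CREATE:
            image = ev.get("Image", "")
            orig = ev.get("OriginalFileName", "").lower()
            cmd = ev.get("CommandLine", "").lower()
            # Match ProcDump on OriginalFileName so a renamed binary does not evade;
            # -ma/-mp/-mm request a memory dump, and the named target is Outlook.
            is_procdump = orig.startswith("procdump") or basename(image).startswith("procdump")
            dump_flag = any(tok in ("-ma", "-mp", "-mm") for tok in cmd.split())
            if is_procdump and dump_flag and "outlook" in cmd:
                alerts.append(Alert("procdump_outlook", eid, image, cmd))
        elif eid == PROCESS_ACCESS:
            src = ev.get("SourceImage", "")
            tgt = ev.get("TargetImage", "")
            granted = int(ev.get("GrantedAccess", "0x0"), 16)  # Sysmon logs a hex string
            # Anything outside the allowlist reading Outlook's memory is how a
            # token-harvesting tool looks when no dump file is written.
            if (basename(tgt) == "outlook.exe"
                    and granted & PROCESS_VM_READ
                    and basename(src) not in PROCESS_ACCESS_ALLOW):
                alerts.append(Alert("outlook_memory_read", eid, src, f"GrantedAccess=0x{granted:x}"))
        elif eid == RAW_ACCESS_READ:
            image = ev.get("Image", "")
            # Raw reads of the volume bypass the lock Outlook holds on the OST file.
            if basename(image) not in RAW_READ_ALLOW:
                alerts.append(Alert("raw_volume_read", eid, image, ev.get("Device", "")))
    return alerts


# Constructed sample events: three malicious, two benign.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\pd.exe", "OriginalFileName": "procdump",
     "CommandLine": r"pd.exe -accepteula -ma outlook.exe C:\Users\Public\o.dmp"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\stf.exe",
     "TargetImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "GrantedAccess": "0x1010"},
    {"EventID": 9, "Image": r"C:\Users\Public\tcsc.exe", "Device": r"\Device\HarddiskVolume3"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "OriginalFileName": "EXPLORER.EXE",
     "CommandLine": "explorer.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "GrantedAccess": "0x1000"},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Event ID 10 is only emitted for targets named in the Sysmon configuration, so outlook.exe must be added as a ProcessAccess target alongside the usual lsass.exe rule; the raw-read rule is noisy on hosts running backup or disk-imaging software, which is why it is gated by an allowlist rather than fired unconditionally.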

Related Happenings

Tycoon2FA device-code phishing campaign targeting Microsoft 365

Campaign
First: 17.05.2026 17:43 Last: 17.05.2026 17:43 Sources 1

About this happening: The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...

Microsoft Exchange Server spoofing/XSS flaw under active exploitation (CVE-2026-42897)

Vulnerability
First: 15.05.2026 09:19 Last: 15.05.2026 09:19 Sources 1

About this happening: **CVE-2026-42897** is an **actively exploited** **spoofing/XSS** flaw in **on-premises Microsoft Exchange Server** that can let attackers trigger **arbitrary JavaScript** in a bro...

Code of conduct-themed Microsoft AiTM phishing campaign

Campaign
First: 05.05.2026 09:35 Last: 05.05.2026 09:35 Sources 1

About this happening: A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...

W3LL Microsoft 365 adversary-in-the-middle phishing campaign

Campaign
First: 13.04.2026 21:55 Last: 13.04.2026 21:55 Sources 1

About this happening: The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...

Microsoft 365 mailbox-rule abuse rises across breached accounts in Q4 2025

Target Trend
First: 13.04.2026 18:00 Last: 13.04.2026 18:00 Sources 1

About this happening: In **Q4 2025**, about **10%** of breached **Microsoft 365** accounts had malicious mailbox rules created within seconds of compromise, increasing **persistence**, **data theft**,...

Timeline

  1. 25.11.2025 13:36 2 articles · 6mo ago

    ToddyCat Outlook email and Microsoft 365 token theft activity

    Initial Disclosure

    In **April 2024**, ToddyCat abused **CVE-2024-11859** in **ESET Command Line Scanner** to deliver **TCESB**. That earlier activity shows the group pairing exploitation with custom post-compromise tooling before shifting to mail and token theft.
