ToddyCat tool steals Outlook mail and Microsoft 365 tokens.
The ToddyCat threat actor has been identified using new techniques to obtain corporate email information from target companies, including a home-made tool called TCSectorCopy. According to Kaspersky, the attack aims to obtain OAuth 2.0 authorization tokens generated through the user's browser; these tokens can then be used outside the perimeter of the compromised infrastructure to access corporate mail.
ToddyCat is believed to have been active since 2020 and has a record of attacking numerous companies in Europe and Asia with a range of tools, such as Samurai and TomBerBil, to maintain access and to steal cookies and credentials from web browsers such as Google Chrome and Microsoft Edge.