
Redazione RHC: 27 November 2025 06:55
Email security continues to be one of the most critical points in modern cyber attacks. While compromising a Windows domain is already a success for a malicious actor, gaining access to corporate email accounts can open the door to espionage, fraud, extortion, and difficult-to-detect lateral movement.
It is in this context that the operational evolution of ToddyCat takes place, an APT group already known for its advanced techniques and its ability to target government and military organizations.
In recent months, the group has demonstrated a significant leap in quality, introducing new ways to access email, particularly Microsoft 365 environments. Security analysts who have been monitoring the evolution of the threat explain how ToddyCat uses subtle and targeted methodologies that are much more complex than simple credential theft.
The goal is not only to read the victims’ messages, but to be able to maintain persistent access over the long term, without arousing any suspicion.
The most interesting tactic involves abusing Exchange Web Services MessageItem objects, which allows the group to retrieve emails, attachments, and contacts without having to authenticate using traditional methods. This feature, likely developed after extensive analysis of Microsoft environments, allows attackers to bypass various protection mechanisms and operate extremely discreetly.
Another worrying factor is the group’s ability to manipulate the DNS records of compromised organizations. By modifying entries like Autodiscover, ToddyCat can intercept some authentication traffic or direct victims to servers controlled by the group. This is not an improvised attack: it requires advanced skills, deep access to internal systems, and, above all, a thorough understanding of the architecture of each affected environment.
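The defensive counterpart to Autodiscover tampering is to baseline what the record should resolve to and alert on drift. The following Python script is an added example, not part of the article or of any published ToddyCat analysis: it parses a constructed DNS answer log, groups answers by name and record type, and compares them against an analyst-maintained baseline. The domain `autodiscover.example.com`, the `.invalid` hostname, the IP address and the log format are all constructed for the example; the only real-world fact used is that a Microsoft 365 tenant normally points Autodiscover at `autodiscover.outlook.com` through a CNAME.

```python
import re
from collections import defaultdict, namedtuple

# Constructed baseline: the answers the tenant's Autodiscover name is expected
# to return. Keyed by (name, record type) -> set of expected rdata values.
BASELINE = {
    ("autodiscover.example.com", "CNAME"): {"autodiscover.outlook.com"},
}

# Constructed DNS answer log, one answer per line:
#   <timestamp> <queried name> <record type> <rdata>
# The last two lines are the kind of drift a defender wants to see:
# a CNAME pointing somewhere new, and an A record that never existed before.
SAMPLE_LOG = """\
2025-11-27T06:50:01Z autodiscover.example.com CNAME autodiscover.outlook.com
2025-11-27T06:52:14Z autodiscover.example.com CNAME autodiscover.outlook.com
2025-11-27T06:55:30Z autodiscover.example.com CNAME autodiscover.unexpected-host.invalid
2025-11-27T06:56:02Z autodiscover.example.com A 203.0.113.10
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<name>\S+)\s+(?P<rtype>[A-Z]+)\s+(?P<rdata>\S+)$")

# kind: "missing", "unexpected_rdata" or "unexpected_type"
Finding = namedtuple("Finding", "kind name rtype rdata first_seen")


def parse_answers(log_text):
    """Group observed answers by (name, type), remembering when each rdata was first seen.

    Names and rdata are lower-cased and stripped of a trailing dot so that
    'Autodiscover.Outlook.com.' and 'autodiscover.outlook.com' compare equal.
    """
    seen = defaultdict(dict)  # (name, rtype) -> {rdata: first timestamp}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the expected shape
        name = m["name"].lower().rstrip(".")
        rdata = m["rdata"].lower().rstrip(".")
        seen[(name, m["rtype"])].setdefault(rdata, m["ts"])
    return seen


def check_autodiscover(observed, baseline=BASELINE):
    """Diff observed answers against the baseline and return sorted findings."""
    findings = []
    for (name, rtype), expected in baseline.items():
        got = observed.get((name, rtype), {})
        for rdata in sorted(expected - set(got)):
            findings.append(Finding("missing", name, rtype, rdata, None))
        for rdata, ts in got.items():
            if rdata not in expected:
                findings.append(Finding("unexpected_rdata", name, rtype, rdata, ts))
    # A record type the baseline never mentions for a baselined name is also drift
    # (for example an A record appearing next to the expected CNAME).
    baselined_names = {name for name, _ in baseline}
    for (name, rtype), answers in observed.items():
        if name in baselined_names and (name, rtype) not in baseline:
            for rdata, ts in answers.items():
                findings.append(Finding("unexpected_type", name, rtype, rdata, ts))
    return sorted(findings)


if __name__ == "__main__":
    for f in check_autodiscover(parse_answers(SAMPLE_LOG)):
        print(f"{f.kind:17} {f.name} {f.rtype} {f.rdata} first seen {f.first_seen}")
```

Feeding the script from a real resolver log only requires adapting `LINE_RE` to that log's layout; the comparison logic is independent of the source. Running it periodically against the baseline turns a silent record change into a timestamped finding that names the first answer that deviated.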
The campaign is also notable for the efficiency of the backdoors it uses. ToddyCat deploys specialized modules capable of collecting sensitive data, stealing session cookies, monitoring incoming messages, and even adapting to the target network’s configuration. These components are developed with almost surgical precision, designed to move silently and leave few traces.
Experts have observed that the group is primarily targeting government agencies and critical infrastructure in Europe and Asia. Their interest does not appear to be financial, but rather strategic: the systematic collection of internal information, operational decisions, confidential documents, and high-value communications. Emails, often underestimated as a vector of intelligence, thus become a prime tool for espionage.
A striking aspect is ToddyCat’s ability to change tactics based on the environment it encounters. If the organization uses on-premises servers, the group attacks through local Exchange services; if it relies entirely on Microsoft’s cloud, the criminals exploit APIs, tokens, and suboptimal configurations to insert themselves into communication flows. Flexibility is one of the campaign’s most dangerous characteristics.
Investigations also show that attackers don’t just steal information, but sometimes manipulate mailbox rules to divert messages to external accounts or hidden folders. This is an old technique, but it’s still very effective, especially when supported by persistent backdoors and privileged access to the compromised domain.
Despite the extremely high level of techniques employed, defense is not impossible. Companies that implement proper network segmentation, constant monitoring of DNS logs, multi-factor authentication, and rigorous controls on privileged access are much more likely to detect anomalous activity before the compromise becomes irreversible. Adopting auditing systems specifically for Microsoft 365 can also make a difference.
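The mailbox-rule diversion described above and the Microsoft 365 auditing recommended as a countermeasure come together in a simple detection. The script below is an added example, not part of the article or of any vendor tooling: it walks audit records shaped like the Exchange entries of the Microsoft 365 unified audit log (`Operation`, `UserId`, `CreationTime`, and a `Parameters` list of `Name`/`Value` pairs) and flags inbox rules that forward or redirect mail to a domain the organisation does not own, that delete messages, that move mail into a folder on an analyst-chosen watchlist, or that carry a near-empty rule name. It goes one step beyond inbox rules by also checking mailbox-level forwarding set with `Set-Mailbox`'s `ForwardingSmtpAddress`. The records, users, the `example.com` tenant domain, the `.invalid` destination and the folder watchlist are all constructed.

```python
import json

# Domains the organisation owns; anything else counts as external. Constructed.
INTERNAL_DOMAINS = {"example.com"}

# Folders an analyst wants flagged when a rule moves mail into them. Constructed
# watchlist (compared case-insensitively); tune it to the tenant.
WATCHED_FOLDERS = {"rss subscriptions", "conversation history", "archive", "junk email"}

# Parameters whose values send a copy of the message somewhere else.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
OPERATIONS_OF_INTEREST = RULE_OPERATIONS | {"Set-Mailbox"}

# Constructed audit records; only the fields this example reads are populated.
SAMPLE_RECORDS = [
    {"CreationTime": "2025-11-27T06:40:12", "Operation": "New-InboxRule",
     "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "Vendor invoices"},
                    {"Name": "MoveToFolder", "Value": "Invoices"}]},
    {"CreationTime": "2025-11-27T06:41:03", "Operation": "New-InboxRule",
     "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@external-placeholder.invalid"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-11-27T06:42:55", "Operation": "Set-InboxRule",
     "UserId": "carol@example.com",
     "Parameters": [{"Name": "Identity", "Value": "Board"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2025-11-27T06:43:10", "Operation": "Set-Mailbox",
     "UserId": "admin@example.com",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:collector@external-placeholder.invalid"}]},
]


def _params(record):
    """Flatten the Parameters list into a {Name: Value} dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _external_addresses(value, internal_domains):
    """Split a comma-separated address list and keep addresses outside the tenant."""
    external = []
    for raw in value.split(","):
        addr = raw.strip().lower()
        addr = addr.removeprefix("smtp:")  # Set-Mailbox values carry an smtp: prefix
        if "@" in addr and addr.rsplit("@", 1)[1] not in internal_domains:
            external.append(addr)
    return external


def analyse_record(record, internal_domains=INTERNAL_DOMAINS, watched_folders=WATCHED_FOLDERS):
    """Return (reason, detail) pairs for one audit record; an empty list means benign."""
    op = record.get("Operation", "")
    if op not in OPERATIONS_OF_INTEREST:
        return []
    params = _params(record)
    reasons = []
    for name in sorted(FORWARDING_PARAMS):
        if name in params:
            ext = _external_addresses(params[name], internal_domains)
            if ext:
                reasons.append(("external_forwarding", f"{name} -> {', '.join(ext)}"))
    if params.get("DeleteMessage", "").strip().lower() == "true":
        reasons.append(("deletes_message", "DeleteMessage=True"))
    folder = params.get("MoveToFolder", "")
    if folder and folder.strip().lower() in watched_folders:
        reasons.append(("watched_folder", f"MoveToFolder={folder}"))
    rule_name = params.get("Name")
    if op in RULE_OPERATIONS and rule_name is not None and len(rule_name.strip()) <= 1:
        reasons.append(("suspicious_rule_name", f"Name={rule_name!r}"))
    return reasons


def find_suspicious_rules(records, **kwargs):
    """Return one alert per record that triggered at least one reason."""
    alerts = []
    for rec in records:
        reasons = analyse_record(rec, **kwargs)
        if reasons:
            alerts.append({"time": rec.get("CreationTime"), "user": rec.get("UserId"),
                           "operation": rec.get("Operation"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    print(json.dumps(find_suspicious_rules(SAMPLE_RECORDS), indent=2))
```

The checks are deliberately narrow so that each alert states exactly why it fired; a rule that only files mail into a normal folder, as in the first constructed record, produces nothing. In practice the domain set and folder watchlist are the parts that need tuning per tenant, and the records would come from an export of the audit log rather than the inline sample.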
ToddyCat, however, demonstrates how the threat landscape is constantly evolving and how the most capable actors are investing time and resources in exploring every possible weakness in modern systems. Email, despite being a seemingly innocuous and everyday tool, remains one of the most exposed fronts. And as long as similar APT groups continue to develop increasingly sophisticated techniques, organizations cannot afford to let their guard down.