ToddyCat APT Group Targets Microsoft 365 Email Security – Against Invaders


Redazione RHC: 27 November 2025 06:55

Email security continues to be one of the most critical points in modern cyber attacks. While compromising a Windows domain is already a success for a malicious actor, gaining access to corporate email accounts can open the door to espionage, fraud, extortion, and difficult-to-detect lateral movement.

ToddyCat: The ability to target any organization

It is in this context that ToddyCat, an APT group already known for its advanced techniques and its ability to target government and military organizations, has evolved its operations.

In recent months, the group has demonstrated a significant leap in quality, introducing new ways to access email, particularly Microsoft 365 environments. Security analysts who have been monitoring the evolution of the threat explain how ToddyCat uses subtle and targeted methodologies that are much more complex than simple credential theft.

The goal is not only to read the victims’ messages, but to be able to maintain persistent access over the long term, without arousing any suspicion.

The most interesting tactic involves abusing Exchange Web Services MessageItem objects, which allows the group to retrieve emails, attachments, and contacts without having to authenticate using traditional methods. This feature, likely developed after extensive analysis of Microsoft environments, allows attackers to bypass various protection mechanisms and operate extremely discreetly.

From DNS manipulation to advanced backdoors

Another worrying factor is the group’s ability to manipulate the DNS records of compromised organizations. By modifying entries like Autodiscover, ToddyCat can intercept some authentication traffic or direct victims to servers controlled by the group. This is not an improvised attack: it requires advanced skills, deep access to internal systems, and, above all, a thorough understanding of the architecture of each affected environment.

The campaign is also notable for the efficiency of the backdoors it uses. ToddyCat deploys specialized modules capable of collecting sensitive data, stealing session cookies, monitoring incoming messages, and even adapting to the target network’s configuration. These components are developed with almost surgical precision, designed to move silently and leave few traces.

Flexibility and strategy: the key to ToddyCat

Experts have observed that the group is primarily targeting government agencies and critical infrastructure in Europe and Asia. Their interest does not appear to be financial, but rather strategic: the systematic collection of internal information, operational decisions, confidential documents, and high-value communications. Emails, often underestimated as a vector of intelligence, thus become a prime tool for espionage.

A striking aspect is ToddyCat’s ability to change tactics based on the environment it encounters. If the organization uses on-premises servers, the group attacks through local Exchange services; if it relies entirely on Microsoft’s cloud, the criminals exploit APIs, tokens, and suboptimal configurations to insert themselves into communication flows. Flexibility is one of the campaign’s most dangerous characteristics.

Investigations also show that attackers don’t just steal information, but sometimes manipulate mailbox rules to divert messages to external accounts or hidden folders. This is an old technique, but it’s still very effective, especially when supported by persistent backdoors and privileged access to the compromised domain.

Protection is not impossible

Despite the sophistication of the techniques employed, defense is not impossible. Companies that implement proper network segmentation, constant monitoring of DNS logs, multi-factor authentication, and rigorous controls on privileged access are much more likely to detect anomalous activity before the compromise becomes irreversible. Adopting auditing systems specifically for Microsoft 365 can also make a difference.
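The mailbox-rule diversion described above (rules that forward mail to external accounts or move it into hidden folders) is one of the few behaviours in this campaign that a Microsoft 365 audit trail exposes directly. The script below is an added example, not code from the article or from any vendor: it scans a list of dictionaries shaped like Exchange Online unified-audit-log records for inbox-rule operations and flags rules that forward to a domain outside the organisation, delete messages, or move mail and mark it read. The record shape (`Operation`, `UserId`, `Parameters` as a list of `Name`/`Value` pairs) and the parameter names used are assumptions about the log format, the `INTERNAL_DOMAINS` value is a placeholder, and the sample records are constructed.

```python
"""Flag mailbox inbox-rule changes that divert or hide mail.

Added example (not from the article or any vendor). Input is a list of
dicts shaped like Exchange Online unified-audit-log records; that shape
and the parameter names are assumptions. The records at the bottom are
constructed for illustration.
"""
from dataclasses import dataclass

# Assumption: the organisation's own mail domains (placeholder value)
INTERNAL_DOMAINS = {"example.org"}
# Audit operations that create or modify inbox rules (assumed names)
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
# Rule parameters that send a copy of, or redirect, incoming mail
DIVERSION_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


@dataclass
class Finding:
    user: str
    operation: str
    reasons: list


def _parameters(record):
    """Flatten the record's Parameters list into a name -> string map."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _external_recipients(value):
    """Return recipient addresses whose domain is not one of ours."""
    external = []
    for token in value.replace(";", " ").replace(",", " ").split():
        addr = token.strip("<>\"'")
        if "@" in addr and addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
            external.append(addr)
    return external


def review_rule_event(record):
    """Return a Finding for a rule event that diverts or hides mail, else None."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = _parameters(record)
    reasons = []
    # Forwarding or redirecting to an address outside the organisation
    for name in DIVERSION_PARAMS:
        if name in params:
            external = _external_recipients(params[name])
            if external:
                reasons.append(f"{name} to external recipient(s): {', '.join(external)}")
    # Silently discarding mail
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage enabled")
    # Moving mail out of the Inbox and marking it read hides it from the user
    if "MoveToFolder" in params and params.get("MarkAsRead", "").lower() == "true":
        reasons.append(f"moves mail to '{params['MoveToFolder']}' and marks it read")
    # Empty or one-character rule names are a common sign of rules made to be overlooked
    if len(params.get("Name", "").strip()) <= 1:
        reasons.append("rule name is empty or a single character")
    if not reasons:
        return None
    return Finding(record.get("UserId", "?"), record["Operation"], reasons)


def find_suspicious_rules(records):
    """Run review_rule_event over every record and keep the hits."""
    return [f for f in map(review_rule_event, records) if f is not None]


# Constructed sample records (not real audit data)
SAMPLE_RECORDS = [
    {"CreationTime": "2025-11-20T08:12:44", "Operation": "New-InboxRule",
     "UserId": "alice@example.org",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@mail-drop.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-11-20T09:01:10", "Operation": "Set-InboxRule",
     "UserId": "bob@example.org",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2025-11-20T09:30:00", "Operation": "New-InboxRule",
     "UserId": "carol@example.org",
     "Parameters": [{"Name": "Name", "Value": "Team updates"},
                    {"Name": "FromAddressContainsWords", "Value": "team"},
                    {"Name": "MoveToFolder", "Value": "Team"}]},
    {"CreationTime": "2025-11-20T10:00:00", "Operation": "MailItemsAccessed",
     "UserId": "dave@example.org", "Parameters": []},
]

if __name__ == "__main__":
    for hit in find_suspicious_rules(SAMPLE_RECORDS):
        print(f"{hit.user} {hit.operation}: " + "; ".join(hit.reasons))
```

The checks are deliberately narrow so that ordinary filing rules (Carol's, which only moves mail to a visible folder) pass without a finding, while a rule that both forwards externally and deletes the original, or parks mail in a folder nobody opens and marks it read, is surfaced for review.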

ToddyCat, however, demonstrates how the threat landscape is constantly evolving and how the most capable actors are investing time and resources in exploring every possible weakness in modern systems. Email, despite being a seemingly innocuous and everyday tool, remains one of the most exposed fronts. And as long as similar APT groups continue to develop increasingly sophisticated techniques, organizations cannot afford to let their guard down.

  • advanced persistent threat
  • APT group
  • cloud security
  • cyber espionage
  • cybersecurity threats
  • email compromise
  • email security
  • Microsoft 365 security
  • threat intelligence
  • ToddyCat

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
