ToddyCat-Linked Umbrij Malware Abuses OAuth to Access Gmail via Google API
Summary
The threat actor ToddyCat has been linked to new malware named Umbrij, which is designed to secretly access victims' Gmail correspondence. The malware achieves this by abusing OAuth to leverage the Google API, specifically targeting corporate email communications hosted on Gmail.
IFF Assessment
New malware and attack techniques from a sophisticated threat actor pose a significant challenge to defenders.
Defender Context
Defenders should be aware of this new malware and the tactics employed by ToddyCat, particularly the abuse of OAuth for Gmail access. The case highlights the critical need to secure API access, enforce strong authentication, and monitor for unusual activity in corporate email environments. Organizations should review their OAuth consent grants and implement continuous monitoring for suspicious API calls related to email services.
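One way to act on the consent-grant review recommended above, as an added example that is not part of the original report: a small Python pass over OAuth authorization events that flags any grant of a Gmail scope to a client outside an approved allowlist. The log field names, client IDs and allowlist are constructed for illustration; the scope URIs are Google's real Gmail scope names.

```python
import json

# Gmail OAuth scope URIs (real Google scope names) that grant mailbox access.
GMAIL_SCOPE_PREFIX = "https://www.googleapis.com/auth/gmail."
FULL_MAIL_SCOPE = "https://mail.google.com/"

# Hypothetical allowlist: OAuth client IDs the organisation has approved for mailbox access.
APPROVED_CLIENTS = {"approved-backup.apps.googleusercontent.com"}

# Constructed sample events (JSON lines). The field names are a simplified stand-in
# for a token-authorization audit log, not Google's exact schema.
SAMPLE_LOG = """
{"event": "authorize", "user": "alice@example.com", "client_id": "approved-backup.apps.googleusercontent.com", "app_name": "Mail Backup", "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]}
{"event": "authorize", "user": "bob@example.com", "client_id": "1234-unknown.apps.googleusercontent.com", "app_name": "Document Viewer", "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/userinfo.email"]}
{"event": "authorize", "user": "carol@example.com", "client_id": "5678-calendar.apps.googleusercontent.com", "app_name": "Scheduler", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]}
{"event": "revoke", "user": "dave@example.com", "client_id": "9999-old.apps.googleusercontent.com", "app_name": "Old Tool", "scopes": ["https://www.googleapis.com/auth/gmail.modify"]}
{"event": "authorize", "user": "erin@example.com", "client_id": "4321-sender.apps.googleusercontent.com", "app_name": "Newsletter Helper", "scopes": ["https://www.googleapis.com/auth/gmail.send"]}
"""

def is_mailbox_scope(scope):
    """True for any scope that grants access to Gmail mailbox content or sending."""
    return scope == FULL_MAIL_SCOPE or scope.startswith(GMAIL_SCOPE_PREFIX)

def review_consent_grants(log_text, approved_clients=APPROVED_CLIENTS):
    """Return one finding per new authorization that gives an unapproved client Gmail access."""
    findings = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if event.get("event") != "authorize":   # only new consent grants matter here
            continue
        mail_scopes = sorted(s for s in event.get("scopes", []) if is_mailbox_scope(s))
        if not mail_scopes or event.get("client_id") in approved_clients:
            continue
        findings.append({
            "user": event["user"],
            "client_id": event["client_id"],
            "app_name": event.get("app_name", "<unknown>"),
            "mail_scopes": mail_scopes,
        })
    return findings

if __name__ == "__main__":
    for f in review_consent_grants(SAMPLE_LOG):
        print(f"REVIEW: {f['user']} granted {f['app_name']} ({f['client_id']}) scopes {f['mail_scopes']}")
```

Against the constructed log this flags two grants (the full-mailbox scope given to "Document Viewer" and the send scope given to "Newsletter Helper") while ignoring the approved backup app, the calendar-only app, and the revocation event.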