🟠 High | Source: The Hacker News
The threat actor known as ToddyCat has deployed new malware called Umbrij that abuses OAuth tokens and the Google API to silently read victims' Gmail inboxes, targeting corporate email. The malware is built for covert espionage: because mail is pulled through the API with an OAuth token rather than an interactive sign-in, the access does not trigger standard login alerts. This matters because it sidesteps credential-centric detection (failed logins, new-device or impossible-travel sign-in alerts), so conventional monitoring is unlikely to surface it.
Security Architect's Take: Audit third-party OAuth app authorisations across your Google Workspace tenants now (Admin console: Security > API controls > App access control, or the Reports API with applicationName=token), revoke any unrecognised client or any grant of Gmail scopes it does not need, and alert on unusual API-level mail access using the OAuth log events (formerly the Token audit log) in Workspace or a CASB. Focus on the sensitive scopes: https://mail.google.com/ and the gmail.readonly, gmail.modify and gmail.metadata scopes all expose message content or headers to whoever holds the token.
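One way to run the audit and detection step above, as an added example that is not code from The Hacker News article or from any published ToddyCat/Umbrij analysis: walk the Workspace Reports API token log events, flag any non-allowlisted OAuth client that was granted a Gmail scope, and flag clients generating a high volume of Gmail API calls. The sample events, client IDs and the approved-client allowlist are constructed for illustration; the event layout approximates what `activities.list(applicationName="token")` returns, and in a real deployment you would pass the fetched activity list into the same function.

```python
"""Triage Google Workspace OAuth token log events for third-party Gmail access.

Added example (not from the article or from any Umbrij analysis). Sample
events below are constructed; their shape approximates the Reports API
`token` activity records (authorize / activity events with parameters).
"""
from collections import defaultdict

# Gmail OAuth scopes that expose message content or headers to the token holder.
GMAIL_READ_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.metadata",
}

# Hypothetical allowlist: OAuth client IDs your org has reviewed and approved.
APPROVED_CLIENT_IDS = {"1111-approved-mail-archiver.apps.googleusercontent.com"}
UNKNOWN_CLIENT_ID = "9999-unreviewed-sync-tool.apps.googleusercontent.com"  # constructed


def _params(event):
    """Flatten an event's parameter list into a dict (multiValue kept as a list)."""
    out = {}
    for p in event.get("parameters", []):
        out[p["name"]] = p.get("multiValue", p.get("value"))
    return out


def triage_token_events(activities, approved=APPROVED_CLIENT_IDS, activity_threshold=50):
    """Return findings for non-allowlisted clients touching Gmail.

    Two detections:
      * gmail_scope_granted: an 'authorize' event granted a Gmail read scope.
      * high_gmail_api_volume: >= activity_threshold Gmail API 'activity'
        events from one (user, client) pair in the window examined.
    """
    findings = []
    gmail_calls = defaultdict(int)  # (actor email, client_id) -> Gmail API call count
    for act in activities:
        actor = act.get("actor", {}).get("email", "?")
        for ev in act.get("events", []):
            p = _params(ev)
            client_id = p.get("client_id", "?")
            if client_id in approved:
                continue  # reviewed app; nothing to flag
            if ev.get("name") == "authorize":
                granted = sorted(set(p.get("scope") or []) & GMAIL_READ_SCOPES)
                if granted:
                    findings.append({"kind": "gmail_scope_granted", "actor": actor,
                                     "client_id": client_id, "app_name": p.get("app_name"),
                                     "detail": granted})
            elif ev.get("name") == "activity" and p.get("api_name") == "gmail":
                gmail_calls[(actor, client_id)] += 1
    for (actor, client_id), n in sorted(gmail_calls.items()):
        if n >= activity_threshold:
            findings.append({"kind": "high_gmail_api_volume", "actor": actor,
                             "client_id": client_id, "detail": n})
    return findings


def _token_activity(actor, name, **params):
    """Build one constructed token-log activity record in Reports API style."""
    plist = []
    for k, v in params.items():
        plist.append({"name": k, "multiValue": v} if isinstance(v, list) else {"name": k, "value": v})
    return {"kind": "admin#reports#activity", "actor": {"email": actor},
            "events": [{"type": "auth", "name": name, "parameters": plist}]}


# Constructed sample window: one approved grant, one suspicious grant, and a
# burst of Gmail API reads from the same unreviewed client.
SAMPLE_ACTIVITIES = [
    _token_activity("cfo@example.com", "authorize",
                    client_id=next(iter(APPROVED_CLIENT_IDS)), app_name="Mail Archiver",
                    scope=["https://www.googleapis.com/auth/gmail.readonly"]),
    _token_activity("cfo@example.com", "authorize",
                    client_id=UNKNOWN_CLIENT_ID, app_name="Calendar Helper",
                    scope=["https://www.googleapis.com/auth/gmail.readonly",
                           "https://www.googleapis.com/auth/calendar.readonly"]),
] + [
    _token_activity("cfo@example.com", "activity", client_id=UNKNOWN_CLIENT_ID,
                    app_name="Calendar Helper", api_name="gmail",
                    method_name="gmail.users.messages.get")
    for _ in range(60)
]

if __name__ == "__main__":
    for f in triage_token_events(SAMPLE_ACTIVITIES):
        print(f)
```

Every finding carries the client_id, which is the key you need for the revoke step: remove the grant per user with the Directory API tokens.delete call, or block the client tenant-wide under App access control so re-authorisation is refused. Tune `activity_threshold` to your tenant's baseline; a legitimate mail client will also read messages, so the signal is the combination of an unreviewed client and sustained read volume, not either alone.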
Original advisory: ToddyCat-Linked Umbrij Malware Abuses OAuth to Access Gmail via Google API