Security researchers at Kaspersky have attributed a novel malware tool, dubbed Umbrij, to the advanced persistent threat group known as ToddyCat. The malware is engineered to gain covert access to victims’ email communications by exploiting legitimate Google API functionality rather than relying on more conventional credential theft techniques.
OAuth Abuse as an Intrusion Vector
According to Kaspersky’s report, the campaign specifically targets corporate email hosted on Gmail. Rather than compromising login credentials directly, Umbrij leverages OAuth-based API access, allowing attackers to read email correspondence while remaining within the bounds of what appears to be authorized application activity. This approach makes detection significantly harder, as the access pattern can resemble legitimate third-party application behavior.
Focus on Corporate Communications
Kaspersky noted that the attackers concentrated on corporate email communications, suggesting an intelligence-gathering or espionage motivation consistent with ToddyCat’s previously observed operational profile. The group has historically targeted organizations in the Asia-Pacific region and government-adjacent sectors, and this campaign fits that pattern of quiet, persistent data collection.
Why API-Based Attacks Are Difficult to Detect
Abusing cloud provider APIs through OAuth tokens is an increasingly common technique among sophisticated threat actors. Because access is granted through the provider’s own infrastructure, traditional indicators such as anomalous login attempts or password-spraying alerts do not apply: the attacker never authenticates with the victim’s password, so there is no failed login to observe. Security teams are advised to audit the OAuth application grants present in their Google Workspace environments, revoke tokens associated with unrecognized applications, and enable alerting on unusual API access patterns, in particular new grants of mail-reading scopes to unfamiliar clients.
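The three defensive steps above (audit existing grants, build a revocation list, alert on new grants) can be scripted against the Google Workspace Admin SDK. The following is an added example, not Kaspersky's tooling and not taken from the report: it works over constructed records whose shape follows the Directory API `tokens.list` items and the Reports API token audit log (`activities.list` with `applicationName="token"`) as this editor understands them. The client IDs, users and allowlist are invented; in practice the records would come from those two API calls and the revocation pairs would be fed to `tokens.delete`.

```python
"""
Audit Google Workspace OAuth grants for third-party mailbox access.

Added example; not part of the original article or of Kaspersky's report.
Record shapes follow the Admin SDK Directory API `tokens.list` items and the
Reports API token audit log; all sample data below is constructed.
"""
from dataclasses import dataclass

# OAuth scopes that let an application read mailbox contents or metadata.
MAIL_READ_SCOPES = {
    "https://mail.google.com/",                        # full mailbox access
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.metadata",
}

# Hypothetical allowlist of OAuth client IDs the organisation has approved.
ALLOWED_CLIENT_IDS = {"123456.apps.googleusercontent.com"}


@dataclass
class Finding:
    user: str
    client_id: str
    app_name: str
    scopes: list
    reason: str


def mail_scopes(scopes):
    """Subset of the granted scopes that expose mailbox data."""
    return sorted(s for s in scopes if s in MAIL_READ_SCOPES)


def audit_tokens(token_items, allowed_client_ids):
    """Step 1: flag tokens that grant mail access to clients not on the allowlist."""
    findings = []
    for item in token_items:
        hits = mail_scopes(item.get("scopes", []))
        if not hits or item.get("clientId", "") in allowed_client_ids:
            continue
        reason = ("anonymous (unregistered) client with mail scope"
                  if item.get("anonymous") else "unapproved client with mail scope")
        findings.append(Finding(item.get("userKey", ""), item.get("clientId", ""),
                                item.get("displayText", ""), hits, reason))
    return findings


def revocation_plan(findings):
    """Step 2: (userKey, clientId) pairs, one per call to Directory API tokens.delete."""
    return sorted({(f.user, f.client_id) for f in findings})


def _param(params, name):
    """Fetch a named parameter from a Reports API event (multiValue or scalar)."""
    for p in params:
        if p.get("name") == name:
            return p.get("multiValue") or p.get("value")
    return None


def alert_on_authorize_events(activities, allowed_client_ids):
    """Step 3: alert on 'authorize' audit events granting mail scopes to unapproved clients."""
    alerts = []
    for act in activities:
        actor = act.get("actor", {}).get("email", "")
        when = act.get("id", {}).get("time", "")
        for ev in act.get("events", []):
            if ev.get("name") != "authorize":
                continue  # 'activity'/'request' events are normal API usage, not new grants
            params = ev.get("parameters", [])
            cid = _param(params, "client_id") or ""
            hits = mail_scopes(_param(params, "scope") or [])
            if hits and cid not in allowed_client_ids:
                alerts.append({"time": when, "user": actor, "client_id": cid,
                               "app_name": _param(params, "app_name") or "", "scopes": hits})
    return alerts


# Constructed sample data: one approved grant, one unknown app, one anonymous client, one non-mail app.
SAMPLE_TOKENS = [
    {"userKey": "alice@example.com", "clientId": "123456.apps.googleusercontent.com",
     "displayText": "Approved CRM Connector", "anonymous": False,
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
    {"userKey": "alice@example.com", "clientId": "987654.apps.googleusercontent.com",
     "displayText": "MailSync Helper", "anonymous": False,
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly",
                "https://www.googleapis.com/auth/contacts.readonly"]},
    {"userKey": "bob@example.com", "clientId": "anon-xyz", "displayText": "",
     "anonymous": True, "scopes": ["https://mail.google.com/"]},
    {"userKey": "bob@example.com", "clientId": "555555.apps.googleusercontent.com",
     "displayText": "Calendar Widget", "anonymous": False,
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
]

SAMPLE_ACTIVITIES = [
    {"id": {"time": "2024-01-01T10:00:00Z", "applicationName": "token"},
     "actor": {"email": "carol@example.com"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
         {"name": "client_id", "value": "987654.apps.googleusercontent.com"},
         {"name": "app_name", "value": "MailSync Helper"},
         {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/gmail.modify"]}]}]},
    {"id": {"time": "2024-01-01T11:00:00Z", "applicationName": "token"},
     "actor": {"email": "dave@example.com"},
     "events": [{"type": "auth", "name": "authorize", "parameters": [
         {"name": "client_id", "value": "123456.apps.googleusercontent.com"},
         {"name": "app_name", "value": "Approved CRM Connector"},
         {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/gmail.readonly"]}]}]},
    {"id": {"time": "2024-01-01T12:00:00Z", "applicationName": "token"},
     "actor": {"email": "carol@example.com"},
     "events": [{"type": "auth", "name": "activity", "parameters": [
         {"name": "client_id", "value": "987654.apps.googleusercontent.com"},
         {"name": "api_name", "value": "gmail"}]}]},
]

if __name__ == "__main__":
    for f in audit_tokens(SAMPLE_TOKENS, ALLOWED_CLIENT_IDS):
        print(f"[audit] {f.user} -> {f.client_id} ({f.app_name or 'n/a'}): {f.reason}: {f.scopes}")
    print("[revoke]", revocation_plan(audit_tokens(SAMPLE_TOKENS, ALLOWED_CLIENT_IDS)))
    for a in alert_on_authorize_events(SAMPLE_ACTIVITIES, ALLOWED_CLIENT_IDS):
        print(f"[alert] {a['time']} {a['user']} granted {a['scopes']} to {a['client_id']}")
```

The allowlist is keyed on client ID rather than display name because the name is attacker-controlled at app registration time, while the client ID is what the token is actually bound to. Anonymous tokens are called out separately: a mail-scope grant to an unregistered client has no app identity to review at all, which is the situation a defender least wants to find.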
Kaspersky published a detailed technical report on Umbrij this week. Organizations relying on Gmail for sensitive corporate communications should treat OAuth grant hygiene as a priority defensive measure in light of this disclosure.
