securelist.com 6/30/2026, 10:11:16 AM · external

ToddyCat APT’s Umbrij Tool Steals Corporate Gmail via Google API


The report details a new tool, Umbrij, developed by the ToddyCat APT group to compromise corporate email accounts through the Google API. The tool automates the acquisition of OAuth tokens using a technique called Shadow Token via Remote Debug (STRD), which targets Gmail accounts. It works by launching a Chromium-based browser in headless mode, using DLL sideloading. The attackers mimic legitimate processes to launch Umbrij, which results in unauthorized access to Google services.

Key methods of detection include monitoring DLL loading events and unusual browser launches. For risk mitigation, disabling developer tools in browsers and encouraging users to log out of Google accounts are recommended. The report emphasizes the need for continuous vigilance against evolving APT techniques.
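The "unusual browser launches" detection mentioned above, as an added example that is not from the Securelist report or the CyberSIXT summary: it scans constructed process-creation records for a Chromium-based browser started with both `--headless` and `--remote-debugging-port` (real Chromium switches; the report does not state Umbrij's exact command line, so treating that pairing as the indicator is an assumption), and reports the exposed debug port together with the parent process.

```python
"""Flag headless Chromium launches that expose the remote-debugging port.

Added example, not code from the report. The record format
'image|parent|cmdline' and the sample lines are constructed.
"""
import re

# Chromium-based browser image names, matched case-insensitively.
CHROMIUM_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}

# Real Chromium switches; pairing them as the indicator is an assumption.
HEADLESS_RE = re.compile(r"^--headless(=\S*)?$")
DEBUG_PORT_RE = re.compile(r"^--remote-debugging-port=(\d+)$")

# Constructed process-creation records: image|parent|command line.
SAMPLE_LOG = [
    'chrome.exe|explorer.exe|"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --profile-directory=Default',
    "chrome.exe|unknown.exe|chrome.exe --headless=new --remote-debugging-port=9222 --user-data-dir=C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data",
    "msedge.exe|explorer.exe|msedge.exe --headless --disable-gpu https://example.com",
    "notepad.exe|explorer.exe|notepad.exe",
]


def parse_record(line):
    """Split one constructed record into its three fields."""
    image, parent, cmdline = line.split("|", 2)
    return {"image": image.strip(), "parent": parent.strip(), "cmdline": cmdline}


def debug_port(rec):
    """Return the remote-debugging port when a Chromium browser runs headless
    with remote debugging enabled; None otherwise (including a headless
    launch without the debug port, which is common for legitimate automation)."""
    if rec["image"].lower() not in CHROMIUM_IMAGES:
        return None
    args = rec["cmdline"].split()  # switches never contain whitespace
    if not any(HEADLESS_RE.match(a) for a in args):
        return None
    for a in args:
        m = DEBUG_PORT_RE.match(a)
        if m:
            return int(m.group(1))
    return None


def find_alerts(lines):
    """Return one alert dict per suspicious record, carrying parent and port."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        port = debug_port(rec)
        if port is not None:
            alerts.append({"image": rec["image"], "parent": rec["parent"], "port": port})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(f"ALERT headless {alert['image']} with debug port {alert['port']} "
              f"launched by {alert['parent']}")
```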


Article by CyberSIXT