OAuth‑Abuse Malware “Umbrij” Enables ToddyCat to Access Corporate Gmail via Google API
What Happened — The threat group ToddyCat is deploying a new malware family called Umbrij that abuses OAuth tokens to obtain unauthorized access to Gmail accounts through Google’s API. The campaign targets corporate email communications, allowing attackers to read, forward, and exfiltrate messages without triggering typical credential‑based alerts.
Why It Matters for Compliance & Audit Readiness
- OAuth token theft bypasses traditional password‑based controls, exposing a gap in SOC 2 CC6.1 – Logical Access Controls that must be monitored continuously.
- Unchecked API access can undermine the System Operations trust principle, making it difficult to provide a defensible audit trail of who accessed sensitive data.
- Demonstrating robust API‑access governance (token lifecycle management, least‑privilege scopes) is essential evidence for a SOC 2 audit and for maintaining client trust.
Who Is Affected – Enterprises that rely on Google Workspace for email, spanning technology, finance, professional services, and other SaaS‑heavy sectors.
Recommended Actions
- Enforce strict OAuth‑app vetting policies and enforce least‑privilege scopes for third‑party applications.
- Deploy continuous monitoring of Google API activity (anomalous token usage, geographic anomalies) and retain logs as audit evidence.
- Update incident‑response playbooks to include OAuth‑token compromise scenarios and conduct tabletop exercises.
Source: The Hacker News
Technical Notes – The malware leverages social engineering to trick users into granting OAuth consent, then harvests refresh tokens via the Google API. No specific CVE is cited; the vector is credential‑type token abuse. Data at risk includes email content, attachments, and any linked Drive files.
Source: Kaspersky report, 2026