HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

OAuth‑Abuse Malware “Umbrij” Enables ToddyCat to Access Corporate Gmail via Google API

ToddyCat’s Umbrij malware harvests OAuth refresh tokens to silently read corporate Gmail accounts via Google’s API. The technique sidesteps password controls, highlighting a SOC 2 access‑control gap that must be monitored and documented for audit readiness.

LiveThreat™ Intelligence · 📅 July 02, 2026· 📰 thehackernews.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
1 sector(s)
Actions
3 recommended
📰
Source
thehackernews.com

OAuth‑Abuse Malware “Umbrij” Enables ToddyCat to Access Corporate Gmail via Google API

What Happened — The threat group ToddyCat is deploying a new malware family called Umbrij that abuses OAuth tokens to obtain unauthorized access to Gmail accounts through Google’s API. The campaign targets corporate email communications, allowing attackers to read, forward, and exfiltrate messages without triggering typical credential‑based alerts.

Why It Matters for Compliance & Audit Readiness

  • OAuth token theft bypasses traditional password‑based controls, exposing a gap in SOC 2 CC6.1 – Logical Access Controls that must be monitored continuously.
  • Unchecked API access can undermine the System Operations trust principle, making it difficult to provide a defensible audit trail of who accessed sensitive data.
  • Demonstrating robust API‑access governance (token lifecycle management, least‑privilege scopes) is essential evidence for a SOC 2 audit and for maintaining client trust.

Who Is Affected – Enterprises that rely on Google Workspace for email, spanning technology, finance, professional services, and other SaaS‑heavy sectors.

Recommended Actions

  • Enforce strict OAuth‑app vetting policies and enforce least‑privilege scopes for third‑party applications.
  • Deploy continuous monitoring of Google API activity (anomalous token usage, geographic anomalies) and retain logs as audit evidence.
  • Update incident‑response playbooks to include OAuth‑token compromise scenarios and conduct tabletop exercises.

Source: The Hacker News

Technical Notes – The malware leverages social engineering to trick users into granting OAuth consent, then harvests refresh tokens via the Google API. No specific CVE is cited; the vector is credential‑type token abuse. Data at risk includes email content, attachments, and any linked Drive files.

Source: Kaspersky report, 2026

📰 Original Source
https://thehackernews.com/2026/07/toddycat-linked-umbrij-malware-abuses.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →