{"id":36412,"date":"2026-07-18T03:19:14","date_gmt":"2026-07-17T16:19:14","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/google-oauth-email-hijacking-shadow-token-remote-debug\/36412\/"},"modified":"2026-07-18T03:19:14","modified_gmt":"2026-07-17T16:19:14","slug":"google-oauth-email-hijacking-shadow-token-remote-debug","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/google-oauth-email-hijacking-shadow-token-remote-debug\/36412\/","title":{"rendered":"Email hijacking via OAuth"},"content":{"rendered":"<p>When targeting an organization to steal information, maintaining a low profile is critical for attackers. They typically aim for long-term persistence, which requires avoiding security alerts while preserving access in case they\u2019re detected and the organization initiates incident response or routine password resets. Malware such as <a href=\"https:\/\/www.kaspersky.com\/blog\/infostealers-targeted-attacks-business\/52772\/\" target=\"_blank\" rel=\"noopener nofollow\">infostealers<\/a> or ostensibly legitimate remote monitoring and management (RMM) tools fail the first requirement: their use triggers EDR and generates suspicious events in SIEM consoles. Relying on stolen credentials conflicts with the second requirement: the moment the security team suspects a compromise, passwords can be changed immediately \u2014 terminating access. If attackers attempt to <a href=\"https:\/\/www.kaspersky.com\/blog\/types-of-cookie-files-and-how-to-protect-them\/54243\/\" target=\"_blank\" rel=\"noopener nofollow\">steal browser cookies<\/a> instead of passwords, they face a different challenge: many online services now correlate device characteristics with the expected session cookie and block access if the cookie is used on an unrecognized device. Furthermore, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-chrome-adds-session-cookie-theft-protection-for-all-users\/\" target=\"_blank\" rel=\"noopener nofollow\">cookie theft protection mechanisms<\/a> implemented in Chromium-based browsers (such as Chrome, Edge, and Opera) this year have made this approach significantly more difficult.<\/p>\n<p>To address this persistence challenge, the <a href=\"https:\/\/securelist.com\/tag\/toddycat\/\" target=\"_blank\" rel=\"noopener\">ToddyCat APT<\/a>\u00a0\u2014 whose main game is spying\u00a0\u2014 developed a novel technique. Kaspersky experts discovered this method during an incident investigation and named it <a href=\"https:\/\/securelist.com\/toddycat-apt-umbrij-tool-and-oauth\/120251\/\" target=\"_blank\" rel=\"noopener\">Shadow Token via Remote Debug<\/a> (STRD). This technique allows the attackers to establish reliable, persistent access to a victim\u2019s mailbox and other resources in Google Workspace. With minor adjustments, the same approach could potentially be adapted to target other services that grant third-party application access via OAuth 2.0 authentication.<\/p>\n<h2>How an STRD attack works<\/h2>\n<p>First, the attackers must compromise the victim\u2019s system with malware. In past campaigns, ToddyCat gained initial access to organizations by exploiting known vulnerabilities in server software and distributing malicious loaders via messaging apps. The specific employee targeted by the attackers might not notice the intrusion at all. This can occur, for example, if the adversary first obtains privileged administrative credentials and uses them to deploy the malware onto targeted machines remotely. Crucially, the deployment and execution of this malware mustn\u2019t trigger immediate security alerts.<\/p>\n<p>Once active, the malware executes an STRD attack, connecting the attackers\u2019 remote service to the victim\u2019s mailbox using the OAuth 2.0 protocol. This process requires no user interaction and shows no visible activity on the screen. To the cloud environment (Google Workspace, in the case at hand), the activity appears as if the user has legitimately authorized a third-party app for email access or data backup.<\/p>\n<p>After that, the malware can terminate its operations and even delete itself from the system. The adversary retains direct access to the mailbox using the acquired OAuth token\u00a0\u2014 and they need no connection to the victim\u2019s endpoint or to the corporate network for that. Depending on the organization\u2019s Google Workspace configuration, this access can persist for an extended period and survive subsequent password resets.<\/p>\n<h2>The core concept of Shadow Token via Remote Debug<\/h2>\n<p>At the heart of this attack is a connection to Google Workspace services via OAuth 2.0. This is a legitimate workflow used whenever a third-party application requests access to calendar data, emails, or Google Drive files. For example, to display calendar meetings in Zoom and automatically generate conference links, a user must authorize Zoom to access Google services. Similarly, configuring a third-party email client or calendar app requires granting permission. During this authorization process, the service requesting access opens a new browser window. In this window, Google Workspace first prompts the user to select the appropriate account. Once the account is chosen, the subsequent screen displays the specific permissions requested by the third-party app, allowing the user to either approve or deny access. For this scenario to proceed seamlessly, the user must already be authenticated to Google services in their browser\u00a0\u2014 which is typically the case in organizations using Google Workspace. If the user isn\u2019t authenticated, additional steps for entering credentials and completing multi-factor authentication are introduced into the sequence.<\/p>\n<p>The ToddyCat hackers developed a malicious tool called <a href=\"https:\/\/securelist.com\/toddycat-apt-umbrij-tool-and-oauth\/120251\/\" target=\"_blank\" rel=\"noopener\">Umbrij<\/a> to facilitate a two-step covert authorization process when the user is already authenticated in Google. First, the malware identifies the browsers installed on the system, and locates the specific folder storing the user\u2019s active profile for each. The attackers target Chrome and Edge, as these are the browsers most likely serving as the primary ones within the organization.<\/p>\n<p>Next, Umbrij copies the entire user profile folder to a different directory on the machine. It then launches an instance of the browser, specifying the path to the duplicated profile via the command line. Because this duplicate profile contains the user\u2019s session cookies, websites with saved credentials won\u2019t prompt for re-authentication. Furthermore, since this occurs on the exact same computer where the primary browser is running, online services detect no anomalies. The browsing history for this newly launched instance is isolated within the new folder, keeping it hidden from the user\u2019s main account activity.<\/p>\n<p>Crucially, the browser is launched in a dedicated debugging mode typically reserved for web development. The browser window and user interface don\u2019t appear on the screen at all (headless mode). Instead, the browser can be controlled through a debugging port using the DevTools protocol, allowing the malware to issue commands and read the state of the screen. To orchestrate these actions, Umbrij leverages Puppeteer, a legitimate automation library.<\/p>\n<p>After verifying that the debugging browser instance has launched successfully, Umbrij opens a legitimate Google Workspace OAuth screen within it. The request sent to Google is engineered to bypass additional security checks while requesting maximum access privileges. For the application ID\u00a0\u2014 the identity supposedly requesting these extensive permissions\u00a0\u2014 the malware impersonates one of two legitimate tools: Google Workspace Migration for Microsoft Outlook (GWMMO), or Google Workspace Sync for Microsoft Outlook (GWSMO).<\/p>\n<p>When Google opens the window within the headless browser, Umbrij uses debugging tools to programmatically click on the corporate account name and the confirmation buttons. As a result, Google generates an authorization code for the app. Umbrij extracts and saves this code, subsequently forwarding it to the attackers\u2019 command-and-control server. Finally, operating entirely within their own infrastructure rather than on the victim\u2019s computer, the attackers exchange this authorization code for an OAuth access token. This single token is all they need to maintain long-term unrestricted access to the mailbox.<\/p>\n<h2>How to protect against OAuth token theft<\/h2>\n<p>If a Google Workspace account is compromised, incident response measures must include the following steps after collecting the necessary logs and other forensic data for investigation:<\/p>\n<ul>\n<li>Resetting the affected user\u2019s password<\/li>\n<li>Terminating all active web sessions for the user<\/li>\n<li>Revoking OAuth tokens and third-party app permissions<\/li>\n<li>Reviewing and removing access granted through legacy App Passwords<\/li>\n<\/ul>\n<p>In addition, security and IT teams must systematically audit issued OAuth permissions, revoke unjustifiable access rights, and restrict capabilities that allow excessive or unauthorized permission grants. We covered this topic in detail in our article on <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-detect-disable-ai-in-enterprise-top-principles\/55784\/\" target=\"_blank\" rel=\"noopener nofollow\">blocking unwanted AI assistants<\/a>.<\/p>\n<h2>How to prevent exploitation of Shadow Token via Remote Debug<\/h2>\n<p>While Kaspersky users are protected against the Umbrij tool, security teams should proactively implement policies that prevent standard users from launching browsers in debugging mode. This functionality is intended exclusively for website and web app developers. This restriction can be enforced through the DeveloperToolsAvailability group policy (available for both <a href=\"https:\/\/chromeenterprise.google\/policies\/?policy=DeveloperToolsAvailability\" target=\"_blank\" rel=\"noopener nofollow\">Chrome<\/a> and <a href=\"https:\/\/learn.microsoft.com\/en-us\/deployedge\/microsoft-edge-policies\/developertoolsavailability\" target=\"_blank\" rel=\"noopener nofollow\">Edge<\/a>).<\/p>\n<p>Additionally, configure monitoring within your <a href=\"https:\/\/www.kaspersky.com.au\/enterprise-security\/unified-monitoring-and-analysis-platform?icid=au_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">SIEM<\/a>\/<a href=\"https:\/\/www.kaspersky.com.au\/next-xdr-optimum?icid=au_kdailyplacehold_acq_ona_smm__onl_b2b_kdaily_wpplaceholder_sm-team___knext____9333bacda69bec31\" target=\"_blank\" rel=\"noopener\">XDR<\/a> to track the launch of browser instances with an active debugging port. This event serves as a strong indicator of this specific attack technique.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kaspersky-next\">\n","protected":false},"excerpt":{"rendered":"<p>How attackers gain access to corporate services without stealing passwords or cookies: we&#8217;re analyzing the Shadow Token via Remote Debug technique used in ToddyCat APT attacks.<\/p>\n","protected":false},"author":2722,"featured_media":36413,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2993,2994],"tags":[1218,2639,499,359,2141,816,19,3612,3443,639,187,3655,321,422],"class_list":{"0":"post-36412","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-2fa","11":"tag-accounts","12":"tag-apt","13":"tag-authentication","14":"tag-business","15":"tag-cloud","16":"tag-email","17":"tag-identity-security","18":"tag-mfa","19":"tag-oauth","20":"tag-passwords","21":"tag-sso","22":"tag-technology","23":"tag-threats"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/google-oauth-email-hijacking-shadow-token-remote-debug\/36412\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/google-oauth-email-hijacking-shadow-token-remote-debug\/30909\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/google-oauth-email-hijacking-shadow-token-remote-debug\/25944\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/google-oauth-email-hijacking-shadow-token-remote-debug\/30747\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/google-oauth-email-hijacking-shadow-token-remote-debug\/42297\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/google-oauth-email-hijacking-shadow-token-remote-debug\/56144\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/google-oauth-email-hijacking-shadow-token-remote-debug\/30865\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/google-oauth-email-hijacking-shadow-token-remote-debug\/36307\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/2fa\/","name":"2FA"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/36412","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/2722"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=36412"}],"version-history":[{"count":0,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/36412\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/36413"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=36412"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=36412"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=36412"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}