The ToddyCat APT group has evolved its methods to gain covert access to corporate email. The report details their use of PowerShell-based TomBerBil for extracting browser data, TCSectorCopy for copying Outlook OST files, and attempts to steal OAuth tokens from Microsoft 365 processes. These tools allow the attackers to bypass security monitoring and access email data both on-premises and in the cloud. The group's tactics include using SMB to remotely access files, dumping process memory, and searching for access tokens. Detection recommendations are provided for each technique.