Security researchers have discovered that the ToddyCat threat group is using malware called Umbrij that exploits OAuth authentication to access Gmail accounts through Google's API. This technique allows attackers to bypass traditional security measures by leveraging legitimate Google services, making the malicious activity harder to detect. The discovery highlights a sophisticated evolution in cyberattack methods, where threat actors are increasingly abusing trusted authentication protocols to maintain persistent access to targeted email accounts.