★ 8/10 · Security · 2026-04-07

Russia Hacked Routers to Steal Microsoft Office Tokens

Summary

The threat actor Forest Blizzard (also known as APT28 or Fancy Bear) is exploiting vulnerabilities in legacy and unpatched SOHO routers to perform large-scale DNS hijacking. This technique allows attackers to intercept Microsoft Office OAuth authentication tokens, enabling unauthorized access to accounts even when multi-factor authentication (MFA) is enabled.

Key Points

  • Targeted Hardware: Primarily older, unsupported, or end-of-life Mikrotik and TP-Link Small Office/Home Office (SOHO) routers.
  • Attack Scale: At its peak in December 2025, the campaign involved more than 18,000 compromised routers, affecting over 200 organizations and 5,000 consumer devices.
  • Mechanism: DNS hijacking via the modification of router DNS settings to point to attacker-controlled virtual private servers (VPS).
  • Attack Vector: Adversary-in-the-middle (AiTM) attacks targeting Transport Layer Security (TLS) connections for Microsoft Outlook on the web.
  • Authentication Bypass: The method intercepts OAuth authentication tokens after the user has successfully completed multi-factor authentication (MFA).

Technical Details

The attack avoids deploying traditional malware on the targeted edge devices; instead, it leverages known vulnerabilities to reconfigure the routers' Domain Name System (DNS) settings. Because every client on the local network resolves names through the router, pointing its DNS settings at servers controlled by the threat actor redirects the DNS queries of all users on that network.

Once the DNS traffic is redirected, the attackers execute an adversary-in-the-middle (AiTM) attack on TLS-encrypted connections. This allows them to intercept OAuth authentication tokens as they are transmitted during the login process for Microsoft Outlook on the web. Because these tokens are generated and transmitted only after a user has successfully authenticated via MFA, the attackers can hijack the authenticated session without needing to intercept primary credentials or one-time passwords (OTPs).
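The two checks a defender could run from an ordinary LAN client to spot the router-level hijack described above, as an added example that is not part of the original article: the resolvers the router hands out are audited against an allowlist, and the local answers for the Microsoft hostname are compared with answers from a trusted out-of-band resolver. The hostname is real, but every address, the allowlist and the sample resolv.conf are constructed values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Finding:
    check: str   # which check fired
    detail: str  # what was observed

def parse_resolv_conf(text: str) -> list[str]:
    """Return the nameserver IPs from resolv.conf-style text (the resolvers the router handed out)."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def audit_resolvers(servers: list[str], allowlist: list[str]) -> list[Finding]:
    """Check 1: every resolver pushed to clients must be an approved address."""
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    return [Finding("unexpected-resolver", s)
            for s in servers if ipaddress.ip_address(s) not in allowed]

def compare_answers(local: dict, trusted: dict) -> list[Finding]:
    """Check 2: a hostname whose local answers share no address with the trusted
    out-of-band answers is being resolved elsewhere, which is the observable of a hijack."""
    findings = []
    for host, good in trusted.items():
        seen = set(local.get(host, ()))
        if not seen & set(good):
            findings.append(Finding("divergent-answer",
                                    f"{host}: local={sorted(seen)} trusted={sorted(good)}"))
    return findings

# Constructed sample inputs (documentation address ranges, not real infrastructure).
SAMPLE_RESOLV_CONF = "search corp.example\nnameserver 192.0.2.1\nnameserver 198.51.100.7\n"
APPROVED_RESOLVERS = ["192.0.2.1"]  # the gateway's legitimate address (constructed)
TRUSTED_ANSWERS = {"outlook.office.com": ["203.0.113.10", "203.0.113.11"]}  # constructed DoH answers
LOCAL_ANSWERS = {"outlook.office.com": ["198.51.100.7"]}  # constructed answer from the LAN resolver

def run_sample() -> list[Finding]:
    """Run both checks on the constructed sample; returns two findings."""
    servers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    return audit_resolvers(servers, APPROVED_RESOLVERS) + compare_answers(LOCAL_ANSWERS, TRUSTED_ANSWERS)

if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.check}] {f.detail}")
```

Because Microsoft endpoints are served from a CDN, trusted and local answers can legitimately differ by region; query the trusted resolver from the same network location, or compare the CNAME chain or ASN rather than raw IPs, to keep false positives down.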

Impact / Why It Matters

Organizations must prioritize the decommissioning of end-of-life networking hardware and ensure all edge devices are running current, patched firmware. Relying exclusively on MFA is insufficient if the underlying network infrastructure is compromised, as the attack targets the post-authentication token exchange.

security cyberattack microsoft-office