Russia’s military intelligence directorate spent most of 2025 quietly rewriting DNS on a dragnet of end-of-life home routers — and using that single change to siphon Microsoft 365 authentication tokens out of the traffic of their owners. Brian Krebs reported on April 7, 2026 that the campaign touched “more than 18,000” networks at its December 2025 peak, and that the FBI has since moved in with a disruption operation.
The hack chain, in one sentence
The unit behind it is Forest Blizzard, also tracked as APT28 or Fancy Bear, attributed by Microsoft and Black Lotus Labs to the GRU. The campaign targeted foreign-affairs ministries, law-enforcement bodies, and third-party email providers that serve downstream government tenants. Per the Krebs report, the routers were “mainly older Mikrotik and TP-Link devices” marketed for the small-office/home-office segment — unsupported, end-of-life, or years behind on patches.
There is no malware in this chain. Operators used known router vulnerabilities to point the device’s DNS settings at a resolver under GRU control. Every client on the LAN inherited the hostile DNS. Traffic to Microsoft login endpoints then traversed attacker infrastructure, where the OAuth tokens issued after a successful login could be intercepted. A Black Lotus Labs engineer described the approach to Krebs as an “old-school, graybeard way that isn’t really sexy but it gets the job done.”
Why the MFA you deployed did not help
The detail that makes this campaign notable is that it harvests the artifact produced after authentication, not the credentials that feed it. The OAuth bearer tokens Microsoft issues once a user has passed password and MFA checks are the intended key to the service: a bearer token grants access to whoever presents it, so replaying one works by design. Phishing-resistant FIDO2 keys do nothing to narrow the window, because the token on the wire is an entirely separate object from the user’s authentication factor.
Targeting appears to have been deliberate rather than opportunistic. Forest Blizzard went after SOHO routers that sat between targeted government employees and the internet. The initial access was the router; the payoff was every Microsoft 365 session that device’s users opened from that day forward.
The authorities’ response
Per Bleeping Computer, international authorities have disrupted a chunk of the GRU-controlled DNS infrastructure and reclaimed a portion of the hijacked estate through takedown and sinkhole operations. The disruption does not patch the routers — their owners have to do that, and many will not — so the technique’s half-life is long.
What this means for practitioners
Three implications for security teams whose workforce includes anyone who logs in from a home network:
- The router is now an identity control. If a managed endpoint joins an untrusted home network, the DNS resolver used for Microsoft endpoints belongs to whoever controls that router. Enforcing DNS-over-HTTPS at the client, pinning to a trusted resolver, and refusing router-pushed DNS are no longer niche hardening — they are baseline identity controls.
- Token binding beats token trust. Microsoft’s token protection primitives — proof-of-possession, device-bound session keys, continuous access evaluation — are the mitigations that actually address this campaign. Bearer tokens without binding are stealable; a bound token is worthless to a party that does not hold the device key it is tied to.
- EOL SOHO hardware is a third-party identity risk. For staff on personal or contractor devices, “harden the router” is not a realistic program. The workable answer is “assume the router is hostile” and route corporate traffic through a trusted tunnel — ZTNA, a device-bound VPN, or a managed DNS resolver that ignores the LAN configuration entirely.
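The first item above, refusing router-pushed DNS and pinning to a trusted resolver, is the kind of check an endpoint agent can run itself. The script below is an added example and not code from the article or from any vendor it names: it assumes a corporate resolver allowlist (`TRUSTED_RESOLVERS`), flags any configured nameserver outside it (the router's DHCP-pushed address on a hijacked LAN), and compares the LAN resolver's answers for Microsoft login hostnames against answers obtained from a pinned reference resolver the LAN cannot influence. All addresses and answers are constructed samples.

```python
import ipaddress
from typing import Dict, Iterable, List, Set

# Assumption: the organisation's allowlist of resolvers a managed endpoint may use
# (e.g. an internal resolver reached over a tunnel, or a pinned DoH resolver's IPs).
TRUSTED_RESOLVERS = [ipaddress.ip_network(n) for n in ("10.0.0.53/32", "10.0.0.54/32")]

# Constructed sample of what a DHCP-configured laptop on a hijacked LAN might hold:
# the router hands out itself as resolver, and the router's upstream DNS was rewritten.
SAMPLE_RESOLV_CONF = """# constructed sample, not a real capture
nameserver 192.168.1.1
nameserver 10.0.0.53
search home.example
"""

def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def untrusted_resolvers(servers: Iterable[str], trusted=TRUSTED_RESOLVERS) -> List[str]:
    """Configured resolvers not covered by the allowlist; router-pushed DNS lands here."""
    return [s for s in servers
            if not any(ipaddress.ip_address(s) in net for net in trusted)]

def divergent_answers(lan: Dict[str, Set[str]], reference: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Addresses the LAN resolver returned for a host that the reference resolver never did.
    CDNs legitimately vary answers, so treat a hit as a trigger to verify, not proof."""
    out = {}
    for host, addrs in lan.items():
        extra = addrs - reference.get(host, set())
        if extra:
            out[host] = extra
    return out

def audit(resolv_conf: str, lan: Dict[str, Set[str]], reference: Dict[str, Set[str]]) -> List[str]:
    """Combine both checks into a list of human-readable findings."""
    findings = [f"untrusted resolver configured: {s}"
                for s in untrusted_resolvers(parse_nameservers(resolv_conf))]
    for host, extra in divergent_answers(lan, reference).items():
        findings.append(f"{host}: LAN resolver answered {sorted(extra)} not seen from reference resolver")
    return findings

if __name__ == "__main__":
    # Constructed answers using TEST-NET ranges; these are not real Microsoft records.
    lan = {"login.microsoftonline.com": {"203.0.113.10"}, "outlook.office.com": {"198.51.100.7"}}
    ref = {"login.microsoftonline.com": {"198.51.100.20", "198.51.100.21"}, "outlook.office.com": {"198.51.100.7"}}
    for finding in audit(SAMPLE_RESOLV_CONF, lan, ref):
        print(finding)
```

In production the reference answers come from a query over a pinned, authenticated channel (DoH to a known resolver), and a finding should drive a block of the login flow until the endpoint is back on a trusted path rather than just a log line.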
The technique is cheap and the attack surface — unsupported consumer routers — is not going to shrink in the near term. Expect copy-cats.