Threat Intel | High | Confirmed | Medium confidence

Russian State Actors Hijack 18,000 Routers to Bypass MFA and Steal Office Tokens

Russian threat actor Forest Blizzard is exploiting vulnerable MikroTik and TP-Link routers to hijack DNS and steal Microsoft Office authentication tokens from over 18,000 networks.

By CyberBrief AI Desk, May 7, 2026. Last updated May 7, 2026. Reviewed May 7, 2026.

Summary

A Russian state-sponsored threat actor, known as Forest Blizzard (APT28/Fancy Bear), has been identified conducting a massive DNS hijacking campaign targeting older SOHO (Small Office/Home Office) routers. By exploiting known vulnerabilities in unpatched devices, the group redirected DNS traffic to intercept Microsoft Office/Outlook authentication tokens at scale. This operation affected over 18,000 networks, including government agencies and law enforcement.

What happened

Research from Microsoft and Lumen’s Black Lotus Labs reveals that Forest Blizzard shifted away from deploying custom malware toward a "low-tech" but highly effective DNS hijacking strategy. After gaining access to vulnerable routers—primarily older MikroTik and TP-Link models—the attackers modified DNS settings to point to attacker-controlled servers.

When users on these networks attempted to access Microsoft Outlook on the web, their traffic was routed through an adversary-in-the-middle (AiTM) infrastructure. This allowed the actors to capture OAuth authentication tokens. Because these tokens are generated after a successful login and MFA challenge, the attackers gained direct access to victim mailboxes without needing to bypass MFA or phish for credentials.

Why it matters

This campaign is significant because it bypasses modern MFA protections by stealing post-authentication session tokens. By targeting the network infrastructure (routers) rather than the endpoint, the attackers leave no footprint on the victim's host for traditional antivirus and EDR solutions to detect. The scale (18,000 networks) indicates a systemic attempt to harvest intelligence from government and critical third-party entities.

Affected systems

  • Legacy SOHO Routers: Specifically older MikroTik and TP-Link devices that are end-of-life (EoL) or unpatched.
  • Microsoft 365/Outlook Web Users: Users connecting via compromised networks are at risk of token theft.
  • Targeted Verticals: Government agencies, ministries of foreign affairs, law enforcement, and email service providers.

Recommended actions

  1. Audit Edge Infrastructure: Identify and replace any end-of-life or unsupported SOHO routers within your network and at employee remote-work locations.
  2. Verify DNS Settings: Ensure routers are configured to use trusted, encrypted DNS (such as DNS over HTTPS/TLS) and verify that the configured resolvers have not been changed without authorization.
  3. Implement Token Protections: Enable Microsoft Entra ID (formerly Azure AD) features like Token Binding or Continuous Access Evaluation (CAE) to reduce the lifespan and portability of stolen tokens.
  4. Enforce Managed VPNs: Require remote users to utilize a managed VPN, ensuring traffic is encapsulated and bypasses local DNS settings on potentially untrusted home/SOHO hardware.
  5. Rotate Sessions: If a compromise is suspected, revoke all active Refresh Tokens for the affected users to force a re-authentication that can be monitored.
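A practical way to carry out the DNS verification step from a client sitting behind a SOHO router is to resolve the Microsoft login hostnames through the router-provided resolver and through a trusted resolver reached directly, then compare the answers. The script below is an added example written for this article; it is not code from Microsoft, Lumen, or CyberBrief. It uses only the Python standard library, builds the DNS query itself so it can target a specific resolver, and assumes a placeholder router address (192.168.1.1), a trusted resolver (9.9.9.9), and a constructed hostname list; adjust all three for your environment.

```python
import random
import socket
import struct
from typing import Dict, Set

# Hostnames on the path to an Outlook-on-the-web login. Constructed list for
# this example; add the endpoints your tenant actually uses.
WATCHED_HOSTS = ["login.microsoftonline.com", "outlook.office.com"]

# Resolver the router hands out via DHCP (placeholder LAN gateway address) and
# a trusted resolver reached directly. Both are assumptions for the example.
ROUTER_RESOLVER = "192.168.1.1"
TRUSTED_RESOLVER = "9.9.9.9"


def build_query(name: str, txid: int) -> bytes:
    """Encode a minimal DNS A/IN query with the recursion-desired bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(buf: bytes, offset: int) -> int:
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = buf[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += length + 1


def parse_a_records(resp: bytes, txid: int) -> Set[str]:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("DNS transaction id mismatch")
    offset = 12
    for _ in range(qd):  # skip the question entries
        offset = _skip_name(resp, offset) + 4
    answers: Set[str] = set()
    for _ in range(an):
        offset = _skip_name(resp, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.add(socket.inet_ntoa(resp[offset:offset + 4]))
        offset += rdlen  # CNAME and other record types are skipped
    return answers


def resolve(name: str, server: str, timeout: float = 3.0) -> Set[str]:
    """Query one specific resolver over UDP/53, bypassing the OS stub resolver."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def classify(router_answers: Set[str], trusted_answers: Set[str]) -> str:
    """Compare the two answer sets for one hostname.

    'ok'      : at least one address in common.
    'empty'   : the router-side resolver returned no A records.
    'suspect' : completely disjoint answers. Anycast/CDN hostnames can
                legitimately differ by vantage point, so treat this as a lead
                to investigate (inspect the router's DNS settings), not proof.
    """
    if not router_answers:
        return "empty"
    if router_answers & trusted_answers:
        return "ok"
    return "suspect"


def audit(hosts=WATCHED_HOSTS, router=ROUTER_RESOLVER, trusted=TRUSTED_RESOLVER) -> Dict[str, str]:
    """Resolve each host through both resolvers and classify the result."""
    return {h: classify(resolve(h, router), resolve(h, trusted)) for h in hosts}


# Constructed response to "a.b" (txid 0x1234) answering 192.0.2.1, used to
# exercise the parser without touching the network.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # header: 1 question, 1 answer
    b"\x01a\x01b\x00\x00\x01\x00\x01"                    # question: a.b A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04"  # answer: name ptr, A, IN, ttl 60, rdlen 4
    b"\xc0\x00\x02\x01"                                  # rdata: 192.0.2.1
)

if __name__ == "__main__":
    for host, verdict in audit().items():
        print(f"{host}: {verdict}")
```

Run it from a machine on the suspect network with the router address set to the resolver DHCP handed out. A "suspect" verdict for a login hostname means the router-side resolver is answering differently from the trusted one; confirm by comparing the router's configured upstream DNS servers against what the administrator set, since the campaign described above works by rewriting exactly that setting.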


Disclaimer: CyberBrief HQ articles are for informational purposes only and do not constitute security advice for any specific environment. Always validate guidance against your own controls and vendor advisories before acting.