News Ababil.

Russia Hacked Routers to Harvest Microsoft Office Tokens – Inside the Massive DNS Hijack

By Kaelen Frost | 2026-05-03T20:23:09Z | 2 min read

Russia hacked routers to siphon Microsoft Office OAuth tokens from thousands of users, security analysts reported.

How the DNS hijack unfolded

Researchers at Black Lotus Labs, the security arm of Lumen, discovered that the campaign peaked in December 2025, compromising 18,000 aging MikroTik and TP‑Link devices. By exploiting unpatched DNS settings, the attackers redirected queries to servers they controlled, allowing a silent man‑in‑the‑middle grab of authentication tokens.

The operation, attributed to the GRU‑linked group known as Forest Blizzard (aka APT28 or Fancy Bear), required no malware drops. Once a router’s DNS was altered, every workstation on the local subnet automatically sent token requests through the hostile resolver, giving the adversary full‑account access across 5,000 consumer devices and over 200 enterprises.
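Because the technique leaves no malware on the workstation, the resolver a client ends up using is the observable signal. The following is an added example, not code from Black Lotus Labs or Microsoft: it scans DNS query records for lookups of sign-in hostnames that were answered by a resolver outside an approved list. The allowlist, the watched hostnames, the log layout and all addresses are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed, not from the article: resolver allowlist, watched names, log layout.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
WATCHED = ("login.microsoftonline.com", "outlook.office.com")

# Constructed sample (client resolver qname answer); documentation-range IPs.
SAMPLE_LOG = """\
10.0.5.21 10.0.0.53 login.microsoftonline.com 198.51.100.10
10.0.5.22 10.0.1.53 outlook.office.com 198.51.100.20
10.0.7.40 203.0.113.66 login.microsoftonline.com 203.0.113.80
10.0.7.41 203.0.113.66 outlook.office.com 203.0.113.80
10.0.7.41 203.0.113.66 updates.example.net 192.0.2.7
truncated line
"""

def parse(log):
    """Yield (client, resolver, qname, answer); skip malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        client, resolver, qname, answer = parts
        try:
            for ip in (client, resolver, answer):
                ipaddress.ip_address(ip)
        except ValueError:
            continue
        yield client, resolver, qname.lower().rstrip("."), answer

def is_watched(qname):
    return any(qname == w or qname.endswith("." + w) for w in WATCHED)

def find_resolver_drift(log):
    """Flag watched-name lookups answered by a resolver outside the allowlist."""
    records = list(parse(log))
    baseline = defaultdict(set)  # qname -> answers seen via approved resolvers
    for _, resolver, qname, answer in records:
        if resolver in APPROVED_RESOLVERS:
            baseline[qname].add(answer)
    findings = []
    for client, resolver, qname, answer in records:
        if resolver in APPROVED_RESOLVERS or not is_watched(qname):
            continue
        # A differing answer is a lead, not proof: CDN answers vary normally.
        differs = answer not in baseline.get(qname, set())
        findings.append((client, resolver, qname, differs))
    return findings
```

Each finding is a tuple of client, resolver, hostname and whether the answer differs from those seen via approved resolvers; several clients on one subnet sharing the same unapproved resolver points at the router or DHCP scope for that subnet.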

“They didn’t need a fancy payload; they used old‑school router hijacking to breach accounts,” said Black Lotus security engineer Ryan English.

Microsoft’s blog notes the technique enabled “post‑compromise adversary‑in‑the‑middle (AiTM) attacks on TLS connections to Outlook on the web.” The U.K.’s NCSC has issued an advisory warning of similar DNS‑based intrusions (Reuters).

U.S. regulators responded by tightening certification rules for consumer‑grade routers, effectively banning foreign‑made models from future approval (AP News). The move aims to curb the “severe cybersecurity risk” posed by insecure edge devices.

Analysis by: Kaelen Frost
Lead Cybersecurity Analyst