Security researchers have uncovered a large-scale cyber espionage campaign orchestrated by hackers tied to Russia’s military intelligence units. These threat actors are exploiting known vulnerabilities in older Internet routers to silently harvest authentication tokens from Microsoft Office users without deploying any malicious software.

Microsoft disclosed in a blog post that more than 200 organizations and 5,000 consumer devices were ensnared in the stealthy surveillance network. The operation was attributed to a Russia-backed threat actor known as Forest Blizzard, also identified as APT28 and Fancy Bear.

Forest Blizzard is linked to the military intelligence units within Russia’s General Staff Main Intelligence Directorate (GRU). The group has a history of high-profile cyber intrusions, including the 2016 compromise of the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in an attempt to interfere with the U.S. presidential election.

How the Attack Worked: DNS Hijacking Without Malware

Researchers at Black Lotus Labs, the threat intelligence division of Lumen Technologies, found that at its peak in December 2025 the campaign had compromised more than 18,000 Internet routers. These were primarily unsupported end-of-life or severely outdated models, many of them older MikroTik and TP-Link devices marketed to the Small Office/Home Office (SOHO) sector.

Instead of installing malware, the hackers exploited known vulnerabilities to modify the routers’ Domain Name System (DNS) settings. They redirected users to DNS servers controlled by the attackers, enabling them to intercept authentication tokens transmitted after successful logins and multi-factor authentication (MFA).

The U.K.’s National Cyber Security Centre (NCSC) explained in a recent advisory that DNS is the system that translates human-readable website addresses into IP addresses. In a DNS hijacking attack, threat actors manipulate this process to redirect users to malicious sites designed to steal sensitive information.

According to Ryan English, a security engineer at Black Lotus Labs, the attackers reconfigured the compromised routers to use malicious DNS servers hosted on a small number of virtual private servers. Once the DNS settings were altered, the malicious configuration spread to all devices on the local network, allowing the hackers to intercept any OAuth authentication tokens transmitted by users.
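The two configuration artefacts this technique leaves behind, a router whose upstream or DHCP-advertised resolvers now point at an unknown address and a login hostname that resolves to an address outside the ranges it should, are what a defender can audit for. The script below is an added example written from that defender's side; it is not code from the article, Black Lotus Labs, Microsoft or the router vendors. All router names, hostnames, resolver addresses and prefixes are constructed placeholders from the RFC 5737 documentation ranges, and APPROVED_RESOLVERS and EXPECTED_PREFIXES are assumed policy values a real deployment would fill from its own resolver inventory and the provider's published ranges.

```python
"""Offline audit of router DNS settings and resolver answers.

Added example (not code from the article, Black Lotus Labs or Microsoft).
All addresses, prefixes and snapshots below are constructed placeholders
drawn from the RFC 5737 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed allowlist of resolvers an organisation expects its SOHO routers
# to query themselves and to hand out via DHCP (assumed policy, not a real one).
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed map of hostnames to the prefixes their A records should fall in
# (placeholder prefixes; derive real ones from the provider's published ranges).
EXPECTED_PREFIXES = {
    "login.example.test": [ipaddress.ip_network("198.51.100.0/24")],
}


@dataclass
class RouterSnapshot:
    """Resolver settings pulled from one router's running configuration."""
    router_id: str
    upstream_dns: list[str]                            # resolvers the router itself queries
    dhcp_dns: list[str] = field(default_factory=list)  # resolvers pushed to LAN clients


def audit_resolvers(snap: RouterSnapshot, approved: set[str]) -> list[str]:
    """Return one finding per configured resolver that is not on the allowlist.

    A router whose upstream or DHCP resolver has been rewritten to an unknown
    address is the configuration change described in the article.
    """
    findings = []
    for role, servers in (("upstream", snap.upstream_dns), ("dhcp", snap.dhcp_dns)):
        for addr in servers:
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                findings.append(f"{snap.router_id}: {role} resolver {addr!r} is not an IP address")
                continue
            if addr not in approved:
                findings.append(f"{snap.router_id}: {role} resolver {addr} not in allowlist")
    return findings


def audit_answers(answers: dict[str, list[str]], expected: dict[str, list]) -> list[str]:
    """Flag A-record answers that fall outside the prefixes expected for a name.

    A hijacked resolver answering for a login hostname with an address in an
    unexpected range is the symptom visible from inside the affected LAN.
    """
    findings = []
    for name, addrs in answers.items():
        prefixes = expected.get(name)
        if prefixes is None:
            continue  # no expectation recorded for this name
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if not any(ip in net for net in prefixes):
                findings.append(f"{name} resolved to {addr}, outside expected prefixes")
    return findings


# Constructed sample data: one untouched router and one whose DNS settings
# have been rewritten to point every client at a single external address.
CLEAN_ROUTER = RouterSnapshot("rtr-branch-01", ["192.0.2.53"], ["192.0.2.53", "192.0.2.54"])
HIJACKED_ROUTER = RouterSnapshot("rtr-branch-02", ["203.0.113.7"], ["203.0.113.7"])

CLEAN_ANSWERS = {"login.example.test": ["198.51.100.10", "198.51.100.11"]}
HIJACKED_ANSWERS = {"login.example.test": ["203.0.113.9"]}


def run_audit() -> dict[str, list[str]]:
    """Run both checks over the constructed samples; findings keyed by router."""
    return {
        CLEAN_ROUTER.router_id: audit_resolvers(CLEAN_ROUTER, APPROVED_RESOLVERS)
        + audit_answers(CLEAN_ANSWERS, EXPECTED_PREFIXES),
        HIJACKED_ROUTER.router_id: audit_resolvers(HIJACKED_ROUTER, APPROVED_RESOLVERS)
        + audit_answers(HIJACKED_ANSWERS, EXPECTED_PREFIXES),
    }


if __name__ == "__main__":
    for router, findings in run_audit().items():
        print(router, "OK" if not findings else "FINDINGS")
        for line in findings:
            print("  ", line)
```

Both checks deliberately work on exported data rather than querying live routers, so they can run from a management host on configuration backups and on resolver answers captured at the LAN edge; the second check is what catches the case where the router itself looks clean but clients on the LAN have already picked up the altered resolver via DHCP.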

Why This Attack Is Particularly Stealthy and Effective

Because OAuth tokens are typically generated after a user successfully logs in and completes MFA, the attackers gained direct access to victim accounts without needing to phish individual credentials or one-time codes. This method bypasses traditional security measures that focus on detecting malware or phishing attempts.

“Everyone is looking for some sophisticated malware to drop something on your mobile devices or something. These guys didn’t use malware. They did this in an old-school, graybeard way that isn’t really sexy but it gets the job done.”

Ryan English, Security Engineer, Black Lotus Labs

Targets and Impact

The campaign primarily targeted government agencies, including ministries of foreign affairs and law enforcement, as well as third-party email providers. By compromising routers in these networks, the hackers could monitor and intercept communications, potentially gaining access to sensitive data and internal communications.

Microsoft and Lumen have urged organizations to update or replace outdated routers and implement additional security measures to prevent DNS hijacking. The discovery highlights the ongoing threat posed by state-sponsored cyber actors and the importance of maintaining robust cybersecurity hygiene, even against seemingly outdated attack vectors.