Russia's APT28 hijacks 18,000 home routers to harvest Office 365 tokens
Forest Blizzard turned end-of-life MikroTik and TP-Link boxes into DNS pivots, ran AiTM against Outlook on the web, and stole post-MFA OAuth tokens at scale.
Microsoft, the UK NCSC, and Lumen’s Black Lotus Labs published a coordinated set of advisories this week on a long-running Russian intelligence campaign. The attribution is GRU Unit 26165, the unit known variously as APT28, Fancy Bear, and Forest Blizzard. The mechanism is the interesting bit, and the mechanism is what makes this worth the editorial inches.
There is no malware on the router. There is no phishing of user credentials. The campaign exploits known vulnerabilities in older, end-of-life MikroTik and TP-Link routers — the kind that sit in home offices and serviced-office buildings and the third-party email-hosting providers that serve government departments. The exploit changes the router’s DNS settings so that traffic from any device on the network resolves through attacker-controlled DNS servers running on commodity VPS infrastructure. From there, adversary-in-the-middle interception against Outlook on the web (and other Microsoft 365 endpoints) pulls the OAuth authentication token that gets transmitted after MFA has already succeeded. With the post-MFA token in hand, the attacker has the account. No further login. No suspicious sign-in. No second factor to defeat — the MFA happened legitimately, on the legitimate user’s device, and the token was lifted from the wire on the way back.
Microsoft has identified more than two hundred organisations and roughly five thousand consumer devices implicated. The targeting skews toward foreign-affairs ministries, law-enforcement bodies, and the third-party email providers servicing those institutions. NCSC’s August 2025 “Authentic Antics” report, which covered an earlier wave of the same group’s token-theft work, ties the chain together.
The defender lesson is the one we keep coming back to: the corporate perimeter is wherever your tokens live, not where the office network ends. Three controls actually matter against this class of attack. Token-binding so that an OAuth token is cryptographically tied to the device it was issued on, and rejected when replayed elsewhere. Conditional access policies that fail closed when the resolver path or network egress changes shape mid-session. And, prosaically, replacing the end-of-life consumer routers in any network you’d trust to handle corporate sessions — including the home networks of your senior staff. The router is no longer a personal device. It’s a perimeter component for whatever cloud account is running through it.
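As an added defender-side example (not code from any of the advisories above), the following Python audits DNS-client telemetry for the two signals the controls paragraph cares about: a Microsoft 365 lookup sent to a resolver outside the trusted set, and a host whose resolver changes mid-session. The log line format, host names, resolver addresses and trusted range are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample of DNS-client telemetry (the kind an EDR or DNS client
# log forwarder could emit). Each line records which resolver a host used
# for a lookup. All hosts, timestamps and addresses are made up.
SAMPLE_LOG = """\
2025-09-03T08:01:12Z host=laptop-17 resolver=10.20.0.53 qname=login.microsoftonline.com
2025-09-03T08:01:13Z host=laptop-17 resolver=10.20.0.53 qname=outlook.office.com
2025-09-03T08:14:40Z host=laptop-17 resolver=203.0.113.77 qname=outlook.office.com
2025-09-03T08:14:41Z host=laptop-17 resolver=203.0.113.77 qname=login.microsoftonline.com
2025-09-03T08:20:05Z host=desk-04 resolver=10.20.0.53 qname=outlook.office.com
"""

# Resolvers the organisation expects its devices to use (constructed range).
TRUSTED_RESOLVERS = [ipaddress.ip_network("10.20.0.0/24")]

# Only lookups for Microsoft 365 sign-in and mail endpoints are audited here.
M365_SUFFIXES = ("microsoftonline.com", "office.com", "office365.com")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) resolver=(?P<resolver>\S+) qname=(?P<qname>\S+)$"
)


def parse_line(line):
    """Parse one telemetry line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_trusted(resolver, trusted):
    """True if the resolver address falls inside one of the trusted networks."""
    ip = ipaddress.ip_address(resolver)
    return any(ip in net for net in trusted)


def audit(log_text, trusted=TRUSTED_RESOLVERS):
    """Return alerts as (timestamp, host, reason, detail) tuples."""
    alerts = []
    last_resolver = {}  # host -> resolver seen on its previous M365 lookup
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["qname"].endswith(M365_SUFFIXES):
            continue
        host, resolver = rec["host"], rec["resolver"]
        if not is_trusted(resolver, trusted):
            alerts.append((rec["ts"], host, "untrusted_resolver", resolver))
        prev = last_resolver.get(host)
        if prev is not None and prev != resolver:
            alerts.append((rec["ts"], host, "resolver_changed", f"{prev}->{resolver}"))
        last_resolver[host] = resolver
    return alerts
```

If the compromised router keeps advertising its own LAN address as the resolver and only swaps its upstream forwarders, this endpoint-side view will not show the change; the equivalent check then has to run against the router's upstream DNS configuration.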