krebsonsecurity.com 4/7/2026, 5:32:17 PM

Russian GRU hijacks routers to steal Microsoft Office OAuth tokens

Primary source: microsoft.com

Hackers linked to Russia’s military intelligence units leveraged known flaws in older MikroTik and TP-Link SOHO routers to harvest OAuth tokens from Microsoft Office users without deploying malware. At the peak of activity in December 2025, the operation ensnared more than 18,000 internet routers, many end-of-life or poorly updated. The attackers redirected DNS requests to servers they controlled, so that the rogue settings took effect across the local networks behind those routers.

This gave the attackers post-compromise adversary-in-the-middle (AiTM) access to TLS connections, undermining security for users of Microsoft Office services and enabling token theft even after users had logged in and passed multi-factor authentication. Microsoft said the activity involved more than 200 organisations and 5,000 consumer devices, and described it as a scalable DNS hijacking operation built to support AiTM against Outlook on the web domains.
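One defensive check this chain suggests, added here as an example and not code from Microsoft’s report or the Krebs article: compare what a LAN’s resolver returns for the Outlook on the web hostnames against addresses verified from outside the suspect network, and flag clients that are using a resolver the router was never configured with. The hostnames, trusted prefixes, resolver addresses and log lines below are constructed placeholders (RFC 5737 test ranges), not real Microsoft or attacker infrastructure.

```python
"""Offline detection of DNS answers that would enable AiTM against Outlook on the web.

Added illustration; all addresses, prefixes and log lines are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass

# Assumed set of Outlook on the web hostnames worth watching (the article names
# no specific hostnames; these are the ones this example monitors).
MONITORED_DOMAINS = {"outlook.office.com", "outlook.office365.com"}

# Placeholder for address ranges the organisation has verified as legitimate for
# those hostnames, e.g. by resolving them through a trusted DoH resolver from a
# vantage point outside the suspect LAN.  RFC 5737 TEST-NET-3 stands in here.
TRUSTED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Placeholder: resolvers clients on this LAN are expected to use
# (the router's own LAN address plus the ISP resolver).
EXPECTED_RESOLVERS = {"192.168.88.1", "203.0.113.53"}


@dataclass
class DnsObservation:
    client: str
    resolver: str
    qname: str
    answers: tuple


def parse_line(line):
    """Parse one constructed log line: client=.. resolver=.. qname=.. answers=a,b"""
    fields = dict(kv.split("=", 1) for kv in line.split())
    qname = fields["qname"].lower().rstrip(".")
    answers = tuple(a for a in fields["answers"].split(",") if a)
    return DnsObservation(fields["client"], fields["resolver"], qname, answers)


def check(obs):
    """Return a list of (finding_type, value) for one observation."""
    findings = []
    # A client talking to a resolver the router never handed out is the first
    # sign that DHCP/DNS settings on the LAN have been tampered with.
    if obs.resolver not in EXPECTED_RESOLVERS:
        findings.append(("unexpected_resolver", obs.resolver))
    # Even with the expected resolver, the router may forward upstream to an
    # attacker server, so the answers themselves are checked for monitored names.
    if obs.qname in MONITORED_DOMAINS:
        for a in obs.answers:
            try:
                ip = ipaddress.ip_address(a)
            except ValueError:
                findings.append(("unparsable_answer", a))
                continue
            if not any(ip in prefix for prefix in TRUSTED_PREFIXES):
                findings.append(("untrusted_answer", a))
    return findings


def scan(log_text):
    """Run check() over every non-empty line; return only observations with findings."""
    report = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        obs = parse_line(line)
        findings = check(obs)
        if findings:
            report.append({"client": obs.client, "qname": obs.qname, "findings": findings})
    return report


def rogue_answer_ips(report):
    """Addresses served for monitored hostnames outside trusted prefixes: the
    candidate AiTM hosts to block at the perimeter and hunt for in TLS logs."""
    return {v for entry in report for (kind, v) in entry["findings"] if kind == "untrusted_answer"}


# Constructed sample: one clean lookup, one poisoned answer via the expected
# resolver, one client pointed at a rogue resolver, one rogue-resolver lookup of
# an unmonitored name, one clean lookup via the ISP resolver.
SAMPLE_LOG = """\
client=192.168.88.10 resolver=192.168.88.1 qname=outlook.office.com. answers=203.0.113.10,203.0.113.11
client=192.168.88.10 resolver=192.168.88.1 qname=outlook.office.com. answers=198.51.100.7
client=192.168.88.12 resolver=198.51.100.53 qname=outlook.office365.com. answers=198.51.100.7
client=192.168.88.12 resolver=198.51.100.53 qname=example.com. answers=203.0.113.200
client=192.168.88.13 resolver=203.0.113.53 qname=example.com. answers=203.0.113.200
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("rogue answer hosts:", rogue_answer_ips(hits))
```

In practice the input would be the router’s DNS query log or a passive DNS sensor on the LAN, and the trusted prefixes would be refreshed regularly from a resolver outside the suspect network, since legitimate Outlook addresses change. Because the article notes the stolen tokens remain valid after MFA, a hit on a monitored hostname is also the trigger to revoke sessions and refresh tokens for the affected users, not only to re-point the router’s DNS.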

According to Microsoft, the group, which it tracks as Forest Blizzard, is attributed to Russia’s GRU and is also known as APT28 and Fancy Bear. This entry was posted on 7 April 2026.


Article by CyberSIXT