Russia Leverages Routers for Stealthy Microsoft Token Heist

State-sponsored threat actors linked to Russian military intelligence are reportedly exploiting vulnerabilities in outdated internet routers to pilfer Microsoft Office authentication tokens en masse. Threat intelligence reporting attributes this campaign to a group tracked as Forest Blizzard (also known as APT28 and Fancy Bear), and notes that it sidesteps the need to deploy traditional malware. Instead, the attackers manipulate Domain Name System (DNS) settings on vulnerable routers, redirecting traffic so that sensitive tokens can be harvested directly from unsuspecting users.

According to findings detailed by Black Lotus Labs, a division of Lumen, Forest Blizzard’s operations peaked in December 2025, compromising over 18,000 routers. The majority of these devices were end-of-life models or far behind on security updates, primarily from MikroTik and TP-Link. The campaign focused heavily on government entities, including ministries of foreign affairs, law enforcement agencies, and third-party email providers, underscoring a strategic focus on sensitive data access.

Microsoft confirmed that the campaign impacted over 200 organizations and 5,000 consumer devices. The simplicity and effectiveness of this method highlight a persistent threat vector: the exploitation of unpatched and end-of-life network infrastructure. By redirecting DNS requests, Forest Blizzard created a quiet yet pervasive espionage network, demonstrating how attackers can achieve significant gains by targeting foundational network components rather than relying solely on endpoint compromises.

What This Means For You

  • Prioritize the regular patching and replacement of end-of-life network hardware, especially edge devices like SOHO routers, as they represent a critical, often overlooked, attack surface for credential harvesting and network redirection.
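The checks below are an added example written for this page, not code from the article, Black Lotus Labs or Microsoft. They show the two cheapest signals a defender can watch for the router-level DNS tampering described above: a router handing clients a resolver that is not on the organization's allowlist, and Microsoft sign-in hostnames resolving differently through the router than through a trusted resolver reached over an independent path. The resolver addresses and all IPs are constructed; login.microsoftonline.com and login.live.com are real Microsoft sign-in hostnames; the collected snapshot (DHCP-advertised resolvers and DNS answers) is assumed to be gathered by the operator and passed in as plain dicts.

```python
"""Offline check for router-level DNS hijacking (added example, not from the article)."""
import ipaddress
from dataclasses import dataclass

# Resolvers clients are expected to receive from DHCP (assumption: constructed
# addresses standing in for an organization's own internal resolvers).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Hostnames that matter most in this campaign: Microsoft sign-in endpoints
# through which Office authentication tokens flow (both are real hostnames).
SENSITIVE_HOSTS = ("login.microsoftonline.com", "login.live.com")

# Address space that should never appear as an answer for a public sign-in host.
NON_PUBLIC_NETS = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    check: str      # which rule fired
    detail: str     # human-readable evidence


def check_resolvers(advertised, approved=APPROVED_RESOLVERS):
    """Flag any DNS server a router hands out that is not on the allowlist.

    A hijacked router typically advertises an attacker-controlled resolver, so
    this is the cheapest and most reliable indicator to watch.
    """
    return [Finding("high", "unexpected-resolver",
                    f"router advertises DNS server {ip} not in approved set")
            for ip in advertised if ip not in approved]


def check_answers(router_answers, trusted_answers, hosts=SENSITIVE_HOSTS):
    """Compare answers for sensitive hosts seen via the router against a trusted resolver."""
    findings = []
    for host in hosts:
        via_router = set(router_answers.get(host, ()))
        via_trusted = set(trusted_answers.get(host, ()))
        for ip in sorted(via_router):
            addr = ipaddress.ip_address(ip)
            if any(addr in net for net in NON_PUBLIC_NETS):
                findings.append(Finding("high", "non-public-answer",
                                        f"{host} resolved to non-public address {ip} via router path"))
        # Disjoint answer sets are worth a look, but CDN rotation also causes
        # them, so this is a review-level signal rather than a confirmed hijack.
        if via_router and via_trusted and via_router.isdisjoint(via_trusted):
            findings.append(Finding("medium", "divergent-answer",
                                    f"{host}: router path {sorted(via_router)} "
                                    f"vs trusted {sorted(via_trusted)}"))
    return findings


def audit(snapshot):
    """Run both checks over one collected snapshot and return all findings."""
    return (check_resolvers(snapshot["advertised_resolvers"])
            + check_answers(snapshot["router_answers"], snapshot["trusted_answers"]))


# Constructed snapshot: one rogue resolver advertised alongside a legitimate
# one, and one sign-in host steered to a different (constructed) address.
SAMPLE_SNAPSHOT = {
    "advertised_resolvers": ["10.0.0.53", "198.51.100.7"],
    "router_answers": {
        "login.microsoftonline.com": ["198.51.100.20"],
        "login.live.com": ["203.0.113.9"],
    },
    "trusted_answers": {
        "login.microsoftonline.com": ["203.0.113.5"],
        "login.live.com": ["203.0.113.9"],
    },
}

if __name__ == "__main__":
    for f in audit(SAMPLE_SNAPSHOT):
        print(f"[{f.severity}] {f.check}: {f.detail}")
```

On the sample snapshot the audit raises two findings: the rogue advertised resolver and the divergent answer for login.microsoftonline.com. The resolver allowlist check is the high-confidence signal; the answer comparison is noisier because CDN-fronted hostnames legitimately return different addresses over time, so in practice it is best run repeatedly and combined with a check that the returned addresses belong to the expected provider.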