April 27, 2026

Russia Hacked Routers to Steal Microsoft Office Tokens

The article says hackers tied to Russia’s GRU, tracked as Forest Blizzard or APT28, used known vulnerabilities in older SOHO routers to harvest Microsoft Office authentication tokens on a large scale. Drawing on reporting from Microsoft and Lumen’s Black Lotus Labs, Brian Krebs explains that the attackers compromised mostly outdated MikroTik and TP-Link devices, changed their DNS settings to point at attacker-controlled servers, and then intercepted OAuth tokens after users had already logged in and passed multi-factor authentication. Microsoft said it identified more than 200 organizations and 5,000 consumer devices affected, while Lumen observed the campaign peaking in December 2025 across more than 18,000 routers. The piece stresses that the operation was notable for its simplicity: rather than deploying malware, the attackers relied on DNS hijacking to support adversary-in-the-middle access to Outlook on the web traffic.

Krebs also highlights how the campaign evolved after public scrutiny. According to Black Lotus Labs, Forest Blizzard had previously used malware in a smaller, more selective router operation, but after a U.K. NCSC report in August 2025 the group shifted rapidly toward mass DNS manipulation on any vulnerable device it could reach. The article frames that change as evidence of both the attackers’ adaptability and the continuing danger posed by unsupported or poorly patched edge hardware. It closes by linking the incident to a wider policy debate in the United States over foreign-made consumer routers, noting the FCC’s March 23, 2026 decision to stop certifying new consumer-grade routers produced outside the U.S., while also acknowledging criticism that the rule could sharply limit what products remain available to buyers.
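As an added defender-side illustration, not code from the Krebs article, Microsoft, or Lumen: because the campaign's core move was rewriting router DNS settings, a simple fleet audit checks each router's configured resolvers against an approved list and compares what the LAN resolver returns for Microsoft sign-in hostnames with a trusted out-of-band resolver. The RouterOS-style export lines, resolver addresses and DNS answers below are constructed samples.

```python
import re

# Constructed RouterOS-style "/ip dns" export snippets from a router fleet.
# Addresses are illustrative placeholders, not indicators from the article.
SAMPLE_EXPORTS = {
    "branch-01": "/ip dns\nset allow-remote-requests=yes servers=192.168.1.1,1.1.1.1\n",
    "branch-02": "/ip dns\nset allow-remote-requests=yes servers=203.0.113.77\n",
    "branch-03": "/ip dns\nset servers=1.1.1.1,9.9.9.9\n",
}

# Resolvers the organisation has approved; anything else on a router is suspect.
APPROVED_RESOLVERS = {"192.168.1.1", "1.1.1.1", "9.9.9.9"}

# Hostnames that matter most for Office sign-in traffic: if the router's
# resolver answers differently from a trusted resolver, sessions may be routed
# through an interception host after the user has completed MFA.
WATCHED_HOSTS = ["login.microsoftonline.com", "outlook.office.com"]

# Constructed answer sets: what the LAN resolver returned vs. a trusted one.
LAN_ANSWERS = {"login.microsoftonline.com": ["203.0.113.5"], "outlook.office.com": ["198.51.100.9"]}
TRUSTED_ANSWERS = {"login.microsoftonline.com": ["198.51.100.2"], "outlook.office.com": ["198.51.100.9"]}


def configured_resolvers(export_text):
    """Extract the servers= list from a RouterOS-style /ip dns export."""
    m = re.search(r"servers=([\d.,]+)", export_text)
    return [s for s in m.group(1).split(",") if s] if m else []


def audit_router_dns(export_text, approved=APPROVED_RESOLVERS):
    """Return configured resolvers that are not on the approved list."""
    return [s for s in configured_resolvers(export_text) if s not in approved]


def audit_fleet(exports=SAMPLE_EXPORTS):
    """Map router name -> unapproved resolvers, for routers that have any."""
    report = {}
    for name, text in exports.items():
        bad = audit_router_dns(text)
        if bad:
            report[name] = bad
    return report


def answers_diverge(lan=LAN_ANSWERS, trusted=TRUSTED_ANSWERS, hosts=WATCHED_HOSTS):
    """Return watched hosts whose LAN answer set differs from the trusted one."""
    return [h for h in hosts if set(lan.get(h, [])) != set(trusted.get(h, []))]


if __name__ == "__main__":
    print("unapproved resolvers:", audit_fleet())
    print("diverging answers:", answers_diverge())
```

A diverging answer for a sign-in hostname is the signal to investigate the router and revoke the affected users' sessions, since the token theft happens after MFA has already succeeded.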

Source: https://krebsonsecurity.com/2026/04/russia-hacked-routers-to-steal-microsoft-office-tokens/