Russia Hacked Routers to Steal Microsoft Office Tokens
ID: f5123eea-f736-516e-a281-002ed9aa3084
STIX ID: report--f5123eea-f736-516e-a281-002ed9aa3084
Feed Name: Krebs on Security
Forest Blizzard (APT28/Fancy Bear), a GRU-linked threat actor, exploited known vulnerabilities in outdated SOHO routers (primarily MikroTik and TP-Link) to change their DNS settings at scale and redirect traffic to attacker-controlled DNS servers. By harvesting OAuth authentication tokens and performing adversary-in-the-middle (AiTM) interception of TLS connections to Microsoft Outlook on the web, the campaign, which peaked in December 2025, compromised over 18,000 routers and affected 200+ organizations, focusing on government ministries, law enforcement, and third-party email providers.
