Russian Hackers Steal Microsoft Office Tokens via Router DNS Hijacking
- Russian military intelligence units are utilizing known vulnerabilities in older internet routers to harvest authentication tokens from Microsoft Office users.
- Microsoft announced on April 7, 2026, that it identified more than 200 organizations and 5,000 consumer devices caught in this surveillance network.
- Forest Blizzard is linked to the military intelligence units within Russia’s General Staff Main Intelligence Directorate (GRU), specifically Military Unit 26165.
Russian military intelligence units are utilizing known vulnerabilities in older internet routers to harvest authentication tokens from Microsoft Office users. The spying campaign allowed state-backed hackers to siphon these tokens from more than 18,000 networks without the need to deploy malicious software or code.
Microsoft announced on April 7, 2026, that it identified more than 200 organizations and 5,000 consumer devices caught in this surveillance network. The operation is attributed to a Russia-backed threat actor known as Forest Blizzard, also identified as APT28 and Fancy Bear.
Forest Blizzard is linked to the military intelligence units within Russia’s General Staff Main Intelligence Directorate (GRU), specifically Military Unit 26165. This group was previously known for compromising the Democratic National Committee, the Democratic Congressional Campaign Committee, and the Hillary Clinton campaign during the 2016 U.S. Presidential election.
DNS Hijacking and Token Theft
Researchers at Black Lotus Labs, a security division of the internet backbone provider Lumen, found that the campaign reached its peak in December 2025. The hackers primarily targeted government agencies, including law enforcement, third-party email providers, and ministries of foreign affairs.

The attackers focused on older MikroTik and TP-Link devices designed for the Small Office/Home Office (SOHO) market. Rather than installing malware, the GRU hackers exploited known vulnerabilities to modify the Domain Name System (DNS) settings of the routers. This allowed them to redirect DNS requests to servers controlled by the attackers.
DNS is the system that translates familiar website addresses into IP addresses. By hijacking this process, Forest Blizzard redirected users to fraudulent DNS records that mimicked legitimate services, such as Microsoft Outlook Web Access.
This method enabled adversary-in-the-middle (AiTM) attacks on Transport Layer Security (TLS) connections. Once the router was reconfigured, the attackers could intercept OAuth authentication tokens transmitted by users on the local network.
Because these tokens are typically issued only after a user has successfully completed a login and multi-factor authentication (MFA), the attackers could gain direct access to victim accounts. This bypassed the need to phish for passwords or one-time codes.
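A defender-side check for the hijack described above, written here as an added example rather than code from Microsoft or Black Lotus Labs: it compares the DNS servers a router advertises against an allowlist, and compares answers for Microsoft sign-in and mail hostnames obtained through the router with answers from an independent resolver. The watched hostnames, allowlist and all sample addresses are assumptions or constructed values.

```python
import ipaddress
import socket
from dataclasses import dataclass

# Hostnames to watch (assumed set): the campaign impersonated Outlook Web
# Access, so Microsoft's sign-in and mail endpoints are the natural choice.
WATCHED_HOSTS = ("login.microsoftonline.com", "outlook.office365.com")

@dataclass(frozen=True)
class Finding:
    check: str     # which test fired
    subject: str   # resolver address or hostname
    detail: str

def check_resolvers(advertised, allowlist):
    """Check 1: every DNS server the router hands out (DHCP option 6, or the
    host's resolv.conf) must be on an allowlist the defender maintains."""
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    return [Finding("resolver", a, "DNS server not in allowlist")
            for a in advertised if ipaddress.ip_address(a) not in allowed]

def compare_answers(local, reference):
    """Check 2: `local` maps hostname -> addresses seen through the router's
    resolver; `reference` holds the same via an independent resolver reached
    outside the router's DNS path (e.g. DNS over HTTPS to a trusted provider).
    A non-global answer for a public Microsoft endpoint is a hard finding; a
    global address absent from the reference is only a lead, since CDN
    rotation can produce benign differences."""
    findings = []
    for host in WATCHED_HOSTS:
        for addr in set(local.get(host, ())) - set(reference.get(host, ())):
            ip = ipaddress.ip_address(addr)
            if not ip.is_global:
                findings.append(Finding("hijack", host, f"non-public answer {ip}"))
            else:
                findings.append(Finding("mismatch", host, f"{ip} absent from reference"))
    return findings

def resolve_locally(hosts=WATCHED_HOSTS):
    """Live helper: collect answers via the system resolver, i.e. the router's."""
    out = {}
    for host in hosts:
        try:
            out[host] = sorted({ai[4][0] for ai in socket.getaddrinfo(host, 443)})
        except socket.gaierror:
            out[host] = []
    return out

if __name__ == "__main__":
    # Constructed sample data using documentation ranges, not real observations.
    advertised, allowlist = ["192.0.2.53"], ["1.1.1.1", "9.9.9.9"]
    local = {"outlook.office365.com": ["192.0.2.10"]}
    reference = {"outlook.office365.com": ["203.0.113.5"]}
    for f in check_resolvers(advertised, allowlist) + compare_answers(local, reference):
        print(f"[{f.check}] {f.subject}: {f.detail}")
```

Feed `compare_answers` with `resolve_locally()` on the local side and answers from a resolver reached over an encrypted transport on the reference side, so the router cannot tamper with both.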
Everyone is looking for some sophisticated malware to drop something on your mobile devices or something. These guys didn’t use malware. They did this in an old-school, graybeard way that isn’t really sexy but it gets the job done.
Ryan English, Black Lotus Security Engineer
Tactical Evolution and Government Response
The scale of this operation represents a shift in Forest Blizzard’s tactics. According to Danny Adamitis of Black Lotus Labs, the group previously used malware to control a smaller, more targeted group of routers. Following a report from the U.K. National Cyber Security Centre (NCSC) in August 2025, the group abandoned the malware approach in favor of mass-altering DNS settings on any vulnerable router they could find.
On April 7, 2026, the U.S. Department of Justice and the FBI announced a court-authorized technical operation to neutralize the U.S. portion of this SOHO router network. The Justice Department stated that the GRU actors had been exploiting TP-Link router vulnerabilities since at least 2024 to facilitate these hijacking operations against individuals in critical infrastructure, government, and military sectors.
The vulnerability of foreign-made hardware has prompted broader regulatory action in the United States. On March 23, 2026, the Federal Communications Commission (FCC) announced it would no longer certify consumer-grade internet routers produced outside of the U.S.
The FCC described poorly secured, foreign-made routers as an untenable national security threat that could be used to disrupt critical infrastructure. While the policy does not affect routers already purchased, manufacturers must now apply for conditional approval from the Department of Homeland Security or the Department of War to receive certification.
Security experts recommend that users of TP-Link and MikroTik routers update their device software immediately to mitigate the risk of DNS hijacking and credential theft.
