Russian state-sponsored hackers have been exploiting known vulnerabilities in older Internet routers to mass harvest authentication tokens from Microsoft Office users, affecting over 18,000 networks. The attackers, identified as APT28 (also known as Fancy Bear or Forest Blizzard), used a stealthy and remarkably simple method to intercept the tokens without deploying any malicious software or code.
What Happened
The campaign was detailed by security researchers on April 7, 2026, and has been described as one of the more operationally disciplined token-theft operations observed from a nation-state actor in recent years. The attackers targeted government agencies, law enforcement, and third-party email providers, compromising over 200 organizations and 5,000 consumer devices.
According to Microsoft, the Forest Blizzard activity used DNS hijacking "to support post-compromise adversary-in-the-middle (AiTM) attacks on Transport Layer Security (TLS) connections against Microsoft Outlook on the web domains." The software giant said while targeting SOHO devices isn't a new tactic, this is the first time Microsoft has seen Forest Blizzard using "DNS hijacking at scale to support AiTM of TLS connections after exploiting edge devices."
Researchers at Black Lotus Labs found that at the peak of its activity in December 2025, Forest Blizzard's surveillance dragnet ensnared more than 18,000 Internet routers that were mostly unsupported, end-of-life routers, or else far behind on security updates. A new report from Lumen says the hackers primarily targeted government agencies.
Background and Context
Targeting SOHO routers is, as Microsoft notes, not a new tactic for state-sponsored actors; what stands out here is the scale and the purpose. Remote and hybrid work mean that traffic from home and small-office networks to corporate cloud services routinely passes through consumer-grade routers that the organization neither owns nor monitors, and every client on such a LAN implicitly trusts whatever DNS servers that router hands out. A router that is end-of-life or years behind on firmware is therefore both an easy target and a high-value one.
APT28 exploited known vulnerabilities in outdated routers to change their DNS settings, so that clients behind them resolved Outlook on the web hostnames to attacker-controlled servers. Those servers sat in the middle of the users' TLS sessions (the AiTM step), allowing the group to intercept OAuth authentication tokens from Microsoft Office users and gain unauthorized access to sensitive accounts. The attackers maintained control over compromised routers to facilitate ongoing data interception and exfiltration. One caveat a defender should keep in mind: DNS redirection on its own does not decrypt anything. An AiTM proxy must also present a certificate the victim's client accepts, and the reporting summarized here does not say how that was achieved; it does mean that certificate anomalies on Outlook hostnames are a second detection surface alongside unexpected resolver changes.
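The following Python script is an added example of the "monitor for unauthorized DNS changes" advice, written for this article; it is not code from Microsoft, Lumen or Black Lotus Labs and does not reproduce any artifact of the campaign. It runs over passive DNS log lines recorded on the LAN side and raises two kinds of alert: a client talking to a resolver that was never configured (what a router-level DNS hijack looks like from inside the network), and a rogue resolver returning an address for an Outlook on the web hostname that the trusted resolvers never returned. The log format, the resolver allowlist, the watched hostnames and every IP address (TEST-NET ranges) are constructed assumptions.

```python
"""Flag hijacked DNS settings and divergent answers for Outlook-on-the-web
hostnames in passive DNS logs.

Added example for this article; not code from Microsoft, Lumen or Black
Lotus Labs. The log format, the resolver allowlist, the watched hostnames
and every IP address below are constructed assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Assumed: the resolvers your routers are supposed to hand out via DHCP.
# TEST-NET addresses stand in for real ones.
RESOLVER_ALLOWLIST = {"192.0.2.53", "192.0.2.54"}

# Hostnames to watch: Microsoft said the AiTM targeted Outlook on the web.
WATCHED_QNAMES = {"outlook.office.com", "outlook.office365.com", "outlook.live.com"}


@dataclass(frozen=True)
class DnsRecord:
    ts: str
    client: str
    resolver: str
    qname: str
    answer: str


@dataclass(frozen=True)
class Alert:
    kind: str      # "rogue_resolver" or "divergent_answer"
    client: str
    resolver: str
    qname: str
    detail: str


def parse_line(line: str) -> DnsRecord | None:
    """Parse one constructed log line:
    '<ts> client=<ip> resolver=<ip> q=<name> a=<ip>'. Returns None on junk."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        kv = dict(p.split("=", 1) for p in parts[1:])
        return DnsRecord(parts[0], kv["client"], kv["resolver"],
                         kv["q"].lower().rstrip("."), kv["a"])
    except (KeyError, ValueError):
        return None


def analyze(lines) -> list[Alert]:
    records = [r for r in map(parse_line, lines) if r is not None]

    # Baseline: answers the trusted resolvers gave for the watched names.
    baseline: dict[str, set[str]] = defaultdict(set)
    for r in records:
        if r.resolver in RESOLVER_ALLOWLIST and r.qname in WATCHED_QNAMES:
            baseline[r.qname].add(r.answer)

    alerts: list[Alert] = []
    for r in records:
        if r.resolver in RESOLVER_ALLOWLIST:
            continue
        # Primary signal: a client querying a resolver we never configured is
        # exactly what a router-level DNS hijack looks like from the LAN side.
        alerts.append(Alert("rogue_resolver", r.client, r.resolver, r.qname,
                            f"resolver {r.resolver} not in allowlist"))
        # Secondary signal: the rogue resolver hands out an address for an
        # Outlook hostname that the trusted resolvers never returned. CDN
        # answers vary legitimately, so treat this as a lead, not proof.
        if r.qname in WATCHED_QNAMES and baseline[r.qname] and r.answer not in baseline[r.qname]:
            alerts.append(Alert("divergent_answer", r.client, r.resolver, r.qname,
                                f"{r.answer} vs trusted {sorted(baseline[r.qname])}"))
    return alerts


# Constructed sample log: one healthy client, one behind a hijacked router.
SAMPLE_LOG = """\
2026-04-07T08:00:01Z client=10.0.0.12 resolver=192.0.2.53 q=outlook.office.com a=203.0.113.10
2026-04-07T08:00:02Z client=10.0.0.12 resolver=192.0.2.53 q=example.org a=203.0.113.80
2026-04-07T08:05:10Z client=10.0.0.27 resolver=198.51.100.9 q=outlook.office.com a=198.51.100.44
2026-04-07T08:05:11Z client=10.0.0.27 resolver=198.51.100.9 q=example.org a=203.0.113.80
2026-04-07T08:06:00Z client=10.0.0.31 resolver=192.0.2.54 q=outlook.office365.com a=203.0.113.11
this line is garbage and must be skipped
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(f"{a.kind:17} client={a.client} resolver={a.resolver} q={a.qname} ({a.detail})")
```

On the sample data client 10.0.0.27 produces three alerts (two for the unconfigured resolver, one for the divergent Outlook answer) and the healthy clients produce none. The divergence check deliberately only fires when a trusted baseline exists for the same name, since comparing against nothing would alert on every watched query.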
Why It Matters to the Industry
The attack model used by Forest Blizzard is particularly effective because it bypasses traditional security measures. Authentication tokens are the keys to the kingdom in a cloud-first environment: a token is issued after the password and MFA challenge have already been satisfied, so an attacker who replays a valid one does not have to authenticate again and does not produce the failed-login or MFA-prompt events that most alerting is built around. A stolen token also remains usable until it expires or is explicitly revoked.
Targeting the router layer is a calculated choice. Routers are frequently running outdated firmware, are rarely monitored with the same rigor as endpoints or servers, and sit in an architecturally privileged position – all traffic passes through them. By compromising a router with a known, unpatched vulnerability, attackers gain a passive sensor that requires no ongoing interaction and generates no endpoint telemetry.
Critics of a new FCC policy on consumer-grade routers have countered that few new consumer-grade routers would be available for purchase under it (besides maybe Musk's Starlink satellite Internet routers, which are produced in Texas). The FCC says router makers can apply for a special "conditional approval" from the Department of War or Department of Homeland Security, and that the new policy does not affect any previously-purchased consumer-grade routers.
What Comes Next
The incident underscores the critical need for organizations to secure network infrastructure, including the home and small-office routers that remote work has pulled into the corporate attack surface. Concretely, that means replacing end-of-life routers and patching the rest; auditing the DNS servers routers hand out via DHCP against an allowlist; alerting when clients query resolvers that were never configured, or when Outlook on the web hostnames resolve to addresses a trusted resolver does not return; and treating an unexpected certificate on those hostnames as a sign of interception. On the identity side, defenders should shorten token lifetimes where possible and revoke sessions for suspected victims, since a stolen token stays valid until it expires or is revoked.
Key Facts
- The attackers used a stealthy and remarkably simple method to intercept authentication tokens without deploying any malicious software or code.
- The campaign affected over 18,000 networks, compromising over 200 organizations and 5,000 consumer devices.
- APT28 exploited known vulnerabilities in outdated routers to hijack DNS settings, redirecting user traffic through attacker-controlled servers.
- The attackers maintained control over compromised routers to facilitate ongoing data interception and exfiltration.
- The stolen tokens enabled access to confidential information, leading to potential data breaches and espionage activities.
- Experts have countered that few new consumer-grade routers would be available for purchase under the new FCC policy.