# Russia Hijacked Router DNS for M365 OAuth — We Already Wrote the Pattern
- Patrick Duggan
Lumen Black Lotus Labs and Microsoft Threat Intelligence disclosed yesterday that Russia's GRU APT 28 — Forest Blizzard, Fancy Bear — quietly compromised more than eighteen thousand SOHO and end-of-life routers across the world during 2025 to harvest Microsoft 365 OAuth tokens. Two hundred organizations and five thousand consumer devices were caught in the dragnet at peak in December 2025. No malware was deployed on a single one of those routers. Brian Krebs published the breakdown April 7, 2026.
The technique is plain. Use known router CVEs to overwrite the DNS settings on an unpatched edge device. Point the device at attacker-controlled DNS servers running on a small number of VPS hosts. Sit between the user and Outlook on the web. Wait for the user to complete multi-factor authentication. Steal the post-MFA OAuth bearer token. Replay it against the user's mailbox from anywhere.
We have written about this pattern. Twice.
## OAuth's Trojan Horse — January 2026
Three months before Lumen disclosed Forest Blizzard's router hijack, we published OAuth's Trojan Horse: When Drift Became the Attack Vector (https://www.dugganusa.com/post/oauth-s-trojan-horse-when-drift-became-the-attack-vector). The argument was specific: post-MFA OAuth bearer tokens are the new credential, and credential theft is migrating from "phish the password" to "intercept the token after MFA succeeds." Phishing the password gets harder as MFA spreads. Intercepting the bearer token after MFA gets easier as more enterprise applications standardize on OAuth flows that produce long-lived tokens. The defender's mental model is "MFA defeats this." The attacker's mental model is "MFA produces the artifact I want."
The Forest Blizzard campaign is exactly that pattern at scale. They did not phish a single user. They did not deploy malware to any of the eighteen thousand routers. They sat between the network and Outlook on the web, observed completed MFA flows, and walked off with the bearer tokens. The compromised router is the man in the middle. The Microsoft authentication endpoint never sees anything wrong because the user's MFA actually succeeds. The token is real. The user is real. The session is hijacked.
## Trust Is the Vector — February 2026
Six weeks before Lumen disclosed, we published Trust Is the Vector. Every Major Attack This Week Exploited Something You Trusted. (https://www.dugganusa.com/post/trust-is-the-vector-every-major-attack-this-week-exploited-something-you-trusted) The thesis was that the modern attack surface is not vulnerable software, it is trusted relationships. The attacker does not need a zero-day if they can compromise the thing the victim already trusts. Trust the router to resolve DNS. Trust the DNS server to point you at the real Outlook endpoint. Trust the TLS certificate to prove you reached Microsoft. Trust the MFA prompt to mean you are alone with Microsoft on the wire.
Forest Blizzard broke the first trust — the router resolves DNS faithfully — and every subsequent trust collapsed. The user's TLS connection terminated on the attacker's VPS, not Microsoft's. The certificate was real for the attacker's domain because the attacker controlled the resolution path. Microsoft's authentication ran successfully against a real session that the attacker forwarded through. Every defensive layer worked exactly as designed; the design was wrong about which DNS servers to trust.
This is the pattern Krebs's source called "old-school, graybeard." It is not. It is the most modern attack class in the threat landscape, because every other layer of defense — endpoint, identity, application — has been hardened for a decade while the resolver between the laptop and the Internet has been left in a closet on top of a bookshelf where it was installed in 2018.
## The APT 28 Threat Brief — February 5, 2026
Almost three months before this week's disclosure, we published Threat Brief: February 5, 2026 — APT28 Goes Live, Supply Chains Under Fire (https://www.dugganusa.com/post/threat-brief-february-5-2026-apt28-goes-live-supply-chains-under-fire). At the time, the public threat data on APT 28 / Forest Blizzard was the August 2025 NCSC report describing a small, malware-based router operation. Our note flagged that GRU operations characteristically scale once disclosed — they do not stop, they migrate. Lumen's April 7 disclosure confirmed exactly that migration. The day after NCSC published in August 2025, Forest Blizzard ditched the malware approach and switched to mass DNS-rewriting on every vulnerable router they could reach. Disclosure did not deter them. Disclosure was the trigger to industrialize.
That is the lesson that does not show up in the vendor briefings. Public attribution does not slow Russian military intelligence. Public attribution accelerates them, because they read the report, they understand which TTPs are now burned, and they move to the next set. The defender's window between disclosure and hardening is the attacker's window between technique exposure and tool retooling. Forest Blizzard retooled in twenty-four hours. Most defenders have not patched the routers in twenty-four months.
## What's New, What's Not
What is new this week: the scale. Eighteen thousand routers is an order of magnitude larger than any previously disclosed Russian SOHO compromise. Two hundred organizations across foreign affairs ministries, law enforcement agencies, and third-party email providers is a target list shaped like the GRU's intelligence requirements rather than a financial crime portfolio. The shift from malware-based router compromise to malware-free DNS rewriting is also new — it removes the artifact most endpoint detection tools rely on.
What is not new: the OAuth token theft model, the man-in-the-middle on completed MFA, the idea that compromised infrastructure between a user and a SaaS application is the soft underbelly of cloud security. We wrote those words in January and February. Lumen and Microsoft confirmed them in April. The disclosure validates the prediction.
## What We Indexed Today
Our IOC index now carries the Forest Blizzard router-DNS hijack campaign as a tracked threat actor entry. No file IOCs were published — there are none, because no malware was deployed — but the behavioral indicators are searchable: unexpected DNS-server changes on consumer routers, DNS resolution to a small number of VPS networks, AiTM patterns against Outlook on the web, post-MFA OAuth token use from unexpected ASNs.
We also indexed the two CISA KEV additions from April 28: CVE-2024-1708 in ConnectWise ScreenConnect and CVE-2026-32202 in Microsoft Windows Shell, both with a federal due date of May 12, 2026. We indexed the cPanel critical authentication-bypass disclosed today as CVE-2026-33032 and CVE-2026-34197. And we indexed CVE-2026-42208 in BerriAI's LiteLLM Python AI gateway — a critical SQL injection patched April 19 that was exploited in the wild within twenty-six hours and seven minutes of the GitHub advisory being indexed, against the database tables that hold OpenAI organization keys, Anthropic console keys, and AWS Bedrock IAM credentials. Source IPs 65.111.27.132 and 65.111.25.67 are tagged on the LiteLLM exploitation entries.
If your SIEM pulls our STIX feed, all of this is now downstream of you.
## What to Do Tonight
For consumer router operators reading this: log into the router. Check the DNS server settings. They should be your ISP's resolver or a known public resolver — Cloudflare 1.1.1.1, Google 8.8.8.8, Quad9 9.9.9.9. If you see DNS server addresses that do not match those — particularly addresses in small VPS networks you do not recognize — your router is in the dragnet. Reset to factory defaults, update firmware to the latest available, change the admin password, and re-establish DNS to a known resolver. If your router is past end-of-life and the manufacturer no longer publishes updates, replace it. The FCC's March 23, 2026 ruling against foreign-made consumer routers exists because this risk is real, not theoretical.
For enterprise security teams: assume any user who connects from a SOHO network in the last six months has had their DNS path compromised at some point. Audit M365 sign-in logs for sessions that completed MFA from one ASN and then exhibited token use from a different ASN within the next twenty-four hours. That is the AiTM signature. Conditional access policies that require device compliance — not just MFA — defeat this attack because the attacker's session does not run from a managed device. If your conditional access posture relies on MFA alone, you are in the threat model.
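The sign-in audit described above (and the "post-MFA OAuth token use from unexpected ASNs" behavioral indicator from the IOC index section), as an added example that is not part of the original post: it groups constructed sign-in events per user and flags any token use from a different ASN within 24 hours of a successful MFA sign-in. The event shape, field names, and ASN values are assumptions for illustration, not the real Entra sign-in log schema.

```python
# Added example: flag the AiTM signature (MFA completed from ASN A, token
# used from ASN B inside a 24-hour window). Field names are assumptions;
# adapt them to your SIEM's M365 sign-in schema.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)

# Constructed sample events, NOT real logs. ASNs are from the private range
# (RFC 6996): 64512 stands in for a home ISP, 64513 for an unknown VPS host.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "time": "2026-04-01T08:00:00Z", "asn": 64512, "kind": "interactive", "mfa": True},
    {"user": "alice@example.com", "time": "2026-04-01T09:15:00Z", "asn": 64512, "kind": "token", "mfa": False},
    {"user": "alice@example.com", "time": "2026-04-01T11:40:00Z", "asn": 64513, "kind": "token", "mfa": False},
    {"user": "bob@example.com", "time": "2026-04-01T08:30:00Z", "asn": 64512, "kind": "interactive", "mfa": True},
    # Bob's token use from another ASN is two days later: outside the window.
    {"user": "bob@example.com", "time": "2026-04-03T10:00:00Z", "asn": 64513, "kind": "token", "mfa": False},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_aitm_candidates(events, window=WINDOW):
    """Return (user, mfa_asn, mfa_time, use_asn, use_time) for every token
    use from a different ASN that follows a successful MFA sign-in within
    `window`. These are triage candidates, not verdicts: a laptop moving
    from office Wi-Fi to a phone hotspot produces the same shape."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        for m in evs:
            if m["kind"] != "interactive" or not m["mfa"]:
                continue
            t0 = parse_time(m["time"])
            for e in evs:
                t = parse_time(e["time"])
                if e["kind"] == "token" and t0 < t <= t0 + window and e["asn"] != m["asn"]:
                    hits.append((user, m["asn"], m["time"], e["asn"], e["time"]))
    return hits


if __name__ == "__main__":
    for hit in find_aitm_candidates(SAMPLE_EVENTS):
        print("AiTM candidate:", hit)
```

Feeding this the device-compliance field as well lets you drop candidates whose token use came from a managed device, which is the conditional-access distinction the paragraph above makes.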
For everyone running OAuth flows against any SaaS application: the attack surface is the bearer token, not the password. Token lifetimes, token binding, sender-constrained tokens, and continuous access evaluation are the controls that matter. Anything that leaves a long-lived bearer token on a wire the attacker can man-in-the-middle is exposing the credential of record.
## The Pattern, Once More
We wrote the OAuth bearer token theft pattern in January. We wrote the trust-is-the-vector frame in February. We wrote the APT 28 retooling-after-disclosure note in early February. Lumen and Microsoft published the eighteen-thousand-router confirmation in April. The disclosure cycle is consistent — pattern detection precedes vendor-grade attribution by months, and our archive becomes the recall memory for the patterns we already named.
Forest Blizzard did not need malware. They needed a router whose DNS settings could be rewritten and a defender whose mental model stopped at MFA. The first part is a million-dollar VPS infrastructure problem. The second part is the entire industry's mental model. Fix the second one and the first one stops mattering.
We will keep watching the routers. The IOCs are indexed.
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.
