Code Defence Cyber security

Russian Forest Blizzard APT hijacks 18,000 routers to siphon Microsoft Office tokens

State-sponsored threat actors are bypassing endpoint security by compromising legacy network hardware to intercept authentication tokens from cloud services. This stealthy campaign targets the underlying network trust model to achieve persistent access without deploying malware.

The Russian military intelligence unit Forest Blizzard (APT28) has compromised over 18,000 SOHO routers by exploiting known vulnerabilities in end-of-life MikroTik and TP-Link devices. Once a router is compromised, the attackers modify its DNS settings to redirect authentication requests to actor-controlled servers. This allows the silent capture of OAuth tokens from Microsoft Office users on the local network.

Attackers are increasingly focusing on “unmanaged” edge devices because they lack the telemetry and automated patching cycles of modern endpoints. By hijacking DNS at the router level, the adversary effectively “owns” every session originating from that network without ever needing to touch the victim’s workstation.

– Identify and decommission all end-of-life SOHO routers from remote worker environments and corporate satellite offices.

– Enforce the use of encrypted DNS (DNS-over-HTTPS or DNS-over-TLS) across all managed endpoints to prevent network-layer redirection.

– Transition to phishing-resistant MFA and strictly enforce Conditional Access policies that require managed device compliance.

– Audit Microsoft Entra ID logs for anomalous sign-in events originating from residential or non-standard IP ranges.
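One way to start the Entra ID sign-in audit and the device-compliance check from the last two points, as an added example that is not part of the original post: it triages constructed sign-in records (field names follow the Microsoft Graph signIn schema) and flags sign-ins that fall outside assumed corporate ranges on devices that are not compliant.

```python
"""Triage Entra ID sign-in records: flag sign-ins from outside known ranges
on non-compliant devices, and count distinct foreign IPs per user."""
import ipaddress
import json
from collections import defaultdict

# Constructed sample records; field names follow the Microsoft Graph signIn
# schema (ipAddress, deviceDetail.isCompliant, conditionalAccessStatus, ...).
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "appDisplayName": "Office 365 Exchange Online",
     "deviceDetail": {"isCompliant": True, "isManaged": True},
     "conditionalAccessStatus": "success"},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.77",
     "appDisplayName": "Microsoft Office",
     "deviceDetail": {"isCompliant": False, "isManaged": False},
     "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.78",
     "appDisplayName": "Microsoft Office",
     "deviceDetail": {"isCompliant": False, "isManaged": False},
     "conditionalAccessStatus": "notApplied"},
    {"userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.55",
     "appDisplayName": "Microsoft Office",
     "deviceDetail": {"isCompliant": False, "isManaged": False},
     "conditionalAccessStatus": "success"},
])

# Assumed corporate egress / VPN ranges (placeholder documentation prefix);
# in practice take these from the named locations in Conditional Access.
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def in_known_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_RANGES)


def triage(raw_json: str):
    """Return (findings, foreign_ip_counts): one finding per sign-in from an
    unknown range on a non-compliant device; counts of distinct foreign IPs."""
    findings, foreign_ips = [], defaultdict(set)
    for rec in json.loads(raw_json):
        ip = rec.get("ipAddress", "")
        if in_known_range(ip):
            continue  # corporate/VPN egress: not a residential-range sign-in
        foreign_ips[rec["userPrincipalName"]].add(ip)
        if not rec.get("deviceDetail", {}).get("isCompliant"):
            findings.append({"user": rec["userPrincipalName"], "ip": ip,
                             "app": rec.get("appDisplayName"),
                             "ca": rec.get("conditionalAccessStatus")})
    return findings, {u: len(ips) for u, ips in foreign_ips.items()}
```

Replace the embedded JSON with an export of the sign-in log and the placeholder range with your own named locations; the findings are a starting point for review, not a verdict.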

Network-layer trust is a relic of the past; security must be enforced at the identity and browser layers to survive compromised infrastructure. #CodeDefence #APT28 #Microsoft365 #NetworkSecurity