State-sponsored threat actors are bypassing endpoint security controls by compromising legacy network hardware to steal cloud authentication tokens. This campaign targets the underlying network trust model to achieve persistent access without ever deploying malware on the user’s workstation.
The Russian state-linked unit Forest Blizzard (APT28) has compromised over 18,000 SOHO routers by exploiting known flaws in older Mikrotik and TP-Link devices. Once a router is compromised, the attackers modify its DNS settings so that authentication traffic is resolved to their own servers, allowing the silent capture of OAuth tokens from Microsoft Office users across the entire local network.
Attackers prioritize “unmanaged” edge devices because they lack the telemetry and automated patching of modern endpoints. By hijacking DNS at the router level, the adversary can intercept every session originating from that network without ever needing to touch, and therefore trigger, local endpoint detection.
– Identify and decommission all end-of-life SOHO routers from remote worker environments and satellite offices.
– Enforce encrypted DNS (DNS-over-HTTPS) across all managed endpoints, with the resolver set by policy rather than learned from the network, so a hijacked router can neither redirect nor silently downgrade name resolution.
– Transition to phishing-resistant MFA and enforce Conditional Access policies that require managed device compliance.
– Audit Microsoft Entra ID sign-in logs for anomalous sign-in events: successful sign-ins from IP ranges outside known corporate and remote-worker egress, the same account succeeding from two networks minutes apart, and sign-ins where Conditional Access was not evaluated.
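A concrete form of that log audit, added here as an example and not part of the original post: the script below runs three checks over a constructed batch of sign-in records shaped like the objects returned by the Microsoft Graph `/auditLogs/signIns` endpoint (trimmed to the fields used). The users, addresses, timestamps and the `KNOWN_RANGES` allow-list are invented for the example; in practice you would pull the records from Graph or an Entra log export and substitute your real office, VPN and remote-worker ISP egress ranges.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Entra ID sign-in records in the shape returned by
# Microsoft Graph /auditLogs/signIns (trimmed to the fields used below).
# Users, IPs and timestamps are invented for this example.
SAMPLE_SIGNINS = json.loads("""
[
 {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-03-01T08:00:00Z",
  "ipAddress": "203.0.113.10", "conditionalAccessStatus": "success",
  "deviceDetail": {"isCompliant": true}, "location": {"countryOrRegion": "US"},
  "status": {"errorCode": 0}},
 {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-03-01T08:07:00Z",
  "ipAddress": "198.51.100.77", "conditionalAccessStatus": "notApplied",
  "deviceDetail": {"isCompliant": false}, "location": {"countryOrRegion": "NL"},
  "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-03-01T09:30:00Z",
  "ipAddress": "203.0.113.45", "conditionalAccessStatus": "success",
  "deviceDetail": {"isCompliant": true}, "location": {"countryOrRegion": "US"},
  "status": {"errorCode": 0}},
 {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2024-03-01T09:31:00Z",
  "ipAddress": "192.0.2.9", "conditionalAccessStatus": "failure",
  "deviceDetail": {"isCompliant": false}, "location": {"countryOrRegion": "US"},
  "status": {"errorCode": 53000}}
]
""")

# Hypothetical "known good" egress ranges: offices, VPN concentrators and the
# ISP ranges assigned to remote workers' routers. Replace with real ranges.
KNOWN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24",)]

# A token captured on a hijacked LAN is typically replayed soon afterwards.
REPLAY_WINDOW = timedelta(minutes=30)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def in_known_ranges(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_RANGES)


def flag_signins(signins):
    """Return a list of (upn, ip, reason) findings from sign-in records."""
    findings = []
    by_user = defaultdict(list)
    for rec in signins:
        # Failed sign-ins (e.g. AADSTS53000, device not compliant) are policy
        # doing its job; the concern is sessions that succeeded.
        if rec["status"].get("errorCode", 0) != 0:
            continue
        upn, ip = rec["userPrincipalName"], rec["ipAddress"]
        if not in_known_ranges(ip):
            findings.append((upn, ip, "successful sign-in from outside known egress ranges"))
        if (rec["conditionalAccessStatus"] == "notApplied"
                and not rec["deviceDetail"].get("isCompliant")):
            findings.append((upn, ip, "no Conditional Access evaluation on a non-compliant device"))
        by_user[upn].append(rec)

    # Same account succeeding from two countries within the replay window:
    # the signature of a token being reused from attacker infrastructure.
    for upn, recs in by_user.items():
        recs.sort(key=lambda r: parse_ts(r["createdDateTime"]))
        for earlier, later in zip(recs, recs[1:]):
            dt = parse_ts(later["createdDateTime"]) - parse_ts(earlier["createdDateTime"])
            if (dt <= REPLAY_WINDOW
                    and earlier["ipAddress"] != later["ipAddress"]
                    and earlier["location"]["countryOrRegion"] != later["location"]["countryOrRegion"]):
                findings.append((upn, later["ipAddress"], f"second country within {dt}"))
    return findings


if __name__ == "__main__":
    for upn, ip, reason in flag_signins(SAMPLE_SIGNINS):
        print(f"{upn} {ip}: {reason}")
```

On the constructed data, every finding lands on the first account: its second session comes from an address outside the allow-list, was never evaluated by Conditional Access, and appears in a second country seven minutes after a legitimate sign-in. The second account's out-of-range attempt was already blocked by the device-compliance policy and is deliberately not reported.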
Network-layer trust is a relic of the past; security must be enforced at the identity and browser layers to survive compromised infrastructure. #CodeDefence #APT28 #Microsoft365 #NetworkSecurity
