Forest Blizzard DNS hijacking token-theft campaign against older routers
Campaign
Summary
Russia-backed Forest Blizzard is running a DNS hijacking campaign against older routers to steal Microsoft Office authentication tokens, putting accounts at risk across more than 18,000 networks. The activity affected more than 200 organizations and 5,000 consumer devices, with the highest volume in December 2025. By changing router DNS settings to point at attacker-controlled servers, the operators could intercept OAuth tokens after login and multi-factor authentication. That approach enabled account access without deploying malware on the routers or phishing credentials one by one.
Related Happenings
Tycoon2FA device-code phishing campaign targeting Microsoft 365
Campaign
First: 17.05.2026 17:43
Last: 17.05.2026 17:43
Sources 1
About this happening:
The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...
UNC6692 email bombing and Microsoft Teams impersonation campaign
Campaign
First: 25.04.2026 18:07
Last: 25.04.2026 18:07
Sources 1
About this happening:
UNC6692 is running a **social-engineering campaign** that uses **email bombing** and **Microsoft Teams impersonation** to push targets toward remote access and initial compromise....
China-nexus hijacked-device proxy network campaign
Campaign
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
About this happening:
China-nexus hackers are **increasingly using** large-scale proxy networks of hijacked consumer devices to **evade detection**, making malicious traffic harder to trace and block....
Scattered Spider SMS phishing and SIM-swap crypto theft campaign
Campaign
First: 20.04.2026 16:33
Last: 20.04.2026 16:33
Sources 1
About this happening:
The **Scattered Spider** campaign used **SMS phishing** and **SIM swap** attacks to steal employee credentials, hijack phone numbers, and take over email and **virtual currency wa...
Sharp rise in brute-force attempts against SonicWall and Fortinet edge devices
Target Trend
First: 15.04.2026 12:30
Last: 15.04.2026 12:30
Sources 1
About this happening:
A **sharp rise** in brute-force attempts against **SonicWall** and **Fortinet** edge devices is increasing risk of perimeter-device compromise across organizations that rely on VP...
Timeline
07.04.2026 20:02 · 2 articles
Forest Blizzard DNS hijacking campaign against Microsoft Office users disclosed
Initial Disclosure: Microsoft and Black Lotus Labs described a Russia-backed Forest Blizzard operation, also known as APT28, Fancy Bear, and GRU-linked activity, that used known flaws in older MikroTik and TP-Link SOHO routers to rewrite DNS settings, route users to attacker-controlled servers, and intercept Microsoft Office OAuth authentication tokens after login and multi-factor authentication across more than 18,000 networks, more than 200 organizations, and 5,000 consumer devices.
Sources:
- Russia Hacked Routers to Steal Microsoft Office Tokens — krebsonsecurity.com — 07.04.2026 20:02