Russian hackers steal M365 logins via your router — what to do now
APT28 compromised 18,000 routers to steal Microsoft 365 tokens. Here is how to check if your customers are affected.
Microsoft confirmed on April 7 that Russian APT28 (Fancy Bear) hijacked DNS settings on over 18,000 SOHO routers across 120 countries. The goal: intercept Microsoft 365 authentication traffic and steal OAuth tokens.
The campaign, codenamed FrostArmada, primarily targeted TP-Link and MikroTik routers with known vulnerabilities. Attackers modified DNS settings to redirect all traffic to Microsoft login pages through their own servers, capturing tokens and credentials without deploying any malware on victim machines.
Why this matters for SMBs
This is not a standard phishing attack. Because the token is captured after authentication completes, MFA has already been satisfied and offers no further protection. Customers relying on Conditional Access policies based on device compliance or network location — but without Continuous Access Evaluation (CAE) — are exposed.
The FBI conducted a court-authorized operation to reset compromised routers, but that does not mean every affected device has been remediated.
What you should do now
- Check CAE status across all managed tenants. If Continuous Access Evaluation is not enabled — turn it on. It limits the lifetime of stolen tokens.
- Review sign-in logs in Entra ID for unusual token reuse from new IP addresses or locations.
- Inventory customer routers. TP-Link and MikroTik are primary targets. Older firmware with known vulnerabilities should be updated or replaced.
- Enable token protection in Conditional Access where supported. It binds tokens to specific devices.
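The sign-in log review above is the step that finds victims you do not yet know about. As an added example (not from the post or from Microsoft), the script below runs the check over a handful of constructed records shaped like an Entra ID sign-in log export: for each user session it flags a token that is presented from a different IP address either within one hour or from a different country. The field names (`sessionId`, `ipAddress`, `location.countryOrRegion`, `createdDateTime`) are assumptions about the export format; adjust them to whatever your Graph or portal export actually contains.

```python
"""Flag Entra ID sign-in records where one session token is reused from
another IP address within a short window, or from another country.
Sample data below is constructed; it is not real log output."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Field names are assumed to mirror a
# /auditLogs/signIns export; all values (users, IPs, times) are fictional.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "sessionId": "sess-001",
     "ipAddress": "203.0.113.10", "createdDateTime": "2025-04-08T08:00:00Z",
     "location": {"countryOrRegion": "NL", "city": "Amsterdam"}},
    # Same session token, 14 minutes later, different IP and country: suspicious.
    {"userPrincipalName": "alice@example.com", "sessionId": "sess-001",
     "ipAddress": "198.51.100.77", "createdDateTime": "2025-04-08T08:14:00Z",
     "location": {"countryOrRegion": "RO", "city": "Bucharest"}},
    # Same session, same IP: normal.
    {"userPrincipalName": "bob@example.com", "sessionId": "sess-002",
     "ipAddress": "203.0.113.22", "createdDateTime": "2025-04-08T09:00:00Z",
     "location": {"countryOrRegion": "NL", "city": "Utrecht"}},
    {"userPrincipalName": "bob@example.com", "sessionId": "sess-002",
     "ipAddress": "203.0.113.22", "createdDateTime": "2025-04-08T11:00:00Z",
     "location": {"countryOrRegion": "NL", "city": "Utrecht"}},
    # IP changed two days later within the same country: ordinary DHCP churn.
    {"userPrincipalName": "carol@example.com", "sessionId": "sess-003",
     "ipAddress": "203.0.113.5", "createdDateTime": "2025-04-08T07:00:00Z",
     "location": {"countryOrRegion": "NL", "city": "Rotterdam"}},
    {"userPrincipalName": "carol@example.com", "sessionId": "sess-003",
     "ipAddress": "203.0.113.6", "createdDateTime": "2025-04-10T07:00:00Z",
     "location": {"countryOrRegion": "NL", "city": "Rotterdam"}},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_token_reuse(records, window=timedelta(hours=1)):
    """Return one finding per consecutive pair of sign-ins in the same
    session where the IP changed and either the country changed or the
    two sign-ins fall within `window` of each other."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[(rec["userPrincipalName"], rec["sessionId"])].append(rec)

    findings = []
    for (upn, session_id), rows in by_session.items():
        rows.sort(key=lambda r: parse_ts(r["createdDateTime"]))
        for prev, cur in zip(rows, rows[1:]):
            if prev["ipAddress"] == cur["ipAddress"]:
                continue
            delta = parse_ts(cur["createdDateTime"]) - parse_ts(prev["createdDateTime"])
            prev_country = prev["location"]["countryOrRegion"]
            cur_country = cur["location"]["countryOrRegion"]
            if prev_country != cur_country or delta <= window:
                findings.append({
                    "user": upn,
                    "sessionId": session_id,
                    "from_ip": prev["ipAddress"],
                    "to_ip": cur["ipAddress"],
                    "countries": (prev_country, cur_country),
                    "minutes_apart": int(delta.total_seconds() // 60),
                })
    return findings


if __name__ == "__main__":
    for f in find_token_reuse(SAMPLE_SIGNINS):
        print(f"{f['user']} session {f['sessionId']}: {f['from_ip']} ({f['countries'][0]}) "
              f"-> {f['to_ip']} ({f['countries'][1]}) after {f['minutes_apart']} min")
```

A hit here is a starting point, not proof: revoke the user's sessions, check whether the second IP belongs to the customer's VPN or mobile carrier, and confirm CAE and token protection are in place for that tenant before closing the ticket.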
How HaggeBurger can help
We offer a Token Security Health Check — a half-day assessment where we verify CAE, review Conditional Access policies, and check sign-in logs. Want us to check your environment? Contact us.
Source: Microsoft Security Blog — SOHO router compromise leads to DNS hijacking