Russia Hacked Routers to Harvest Microsoft Office Tokens – Inside the Massive DNS Hijack
# A Silent Infiltration: How Russian Actors Turned Home Routers into Token Harvesters A coordinated Russian cyber‑espionage operation leveraged outdated consumer routers to siphon Microsoft Office OAuth tokens from thousands of users. Security researchers at Black Lotus Labs uncovered a sophisticated DNS hijack that rerouted legitimate queries from compromised Mikrotik and TP‑Link devices to attacker‑controlled servers, enabling the mass collection of authentication tokens during a peak period in December 2025. ## Key Takeaways - **Scope of compromise:** Approximately 18,000 aging Mikrotik and TP‑Link routers were subverted, exposing the home and small‑office networks of countless individuals and enterprises. - **Technical vector:** The attackers manipulated unpatched DNS configuration settings on the devices, redirecting outbound DNS requests to malicious resolvers under their control. - **Data harvested:** By intercepting authentication flows, the actors extracted Microsoft Office OAuth tokens, granting them potential access to corporate mailboxes, SharePoint sites, and other Office 365 resources. - **Timeline:** Activity surged in December 2025, aligning with broader geopolitical cyber campaigns attributed to Russian state‑aligned groups. - **Discovery:** Black Lotus Labs, the security arm of Lumen, identified the campaign through anomalous DNS traffic patterns and reverse‑engineered the malicious firmware modifications. - **Risk implications:** The incident highlights the persistent danger posed by unmaintained networking hardware, especially devices that lack automated update mechanisms. - **Mitigation guidance:** Organizations are urged to inventory IoT and router assets, enforce strict DNS security policies, and apply vendor patches or replace end‑of‑life equipment promptly. - **Broader impact:** The theft of OAuth tokens can facilitate lateral movement within target networks, bypassing traditional credential‑based defenses. #RussiaCyberattack #RouterHijack #OAuthTheft #Mikrotik #TPLink #DNSHijack #MicrosoftOffice #Cyberespionage #BlackLotusLabs #newsababil360 [Read Full Article](https://news.ababil360.com/russia-hacked-routers-to-harvest-microsoft-office-tokens-inside-the-massive-dns-hijack/)















