DNS Hijacks Used to Steal Microsoft 365 Logins

-



On April 7, 2026, international law enforcement agencies—working with Microsoft and private-sector researchers—disrupted a large-scale DNS hijacking operation that was actively stealing Microsoft 365 credentials by manipulating internet routers worldwide. [bleepingcomputer.com]

The campaign, tracked as FrostArmada, was linked to APT28 (also known as Fancy Bear, Forest Blizzard, or STRONTIUM), a Russia-backed cyber‑espionage group associated with GRU military unit 26165. [bleepingcomputer.com], [ncsc.gov.uk]

Authorities involved in the takedown included:

  • The FBI
  • The U.S. Department of Justice
  • The Polish government
  • Microsoft and Lumen’s Black Lotus Labs

Together, they dismantled key attacker-controlled infrastructure used to redirect traffic and steal credentials. [bleepingcomputer.com]

How the attack worked (in plain English)

This was not phishing email spam. Instead, attackers compromised routers at the network edge, mainly:

  • MikroTik
  • TP‑Link
  • Some Fortinet and Nethesis firewall models

Once hacked, the attackers:

  1. Changed router DNS settings to point to attacker‑controlled servers
  2. The router then automatically pushed those DNS settings to every connected device via DHCP
  3. When users visited Microsoft login services (e.g., Outlook, Office 365):
    • DNS resolved to the attacker’s server, not Microsoft’s
    • Users were silently redirected to an adversary‑in‑the‑middle (AiTM) proxy
  4. Credentials and OAuth tokens were intercepted during login [bleepingcomputer.com], [microsoft.com]

The only visible warning was often a TLS certificate error, which many users ignore—allowing the attack to succeed without malware or phishing emails. [bleepingcomputer.com]

Scale and impact

At its peak in December 2025, the FrostArmada campaign:

  • Infected ~18,000 routers
  • Impacted organizations in 120+ countries
  • Targeted:
    • Government agencies
    • Law enforcement
    • IT and hosting providers
    • Organizations running their own servers [bleepingcomputer.com]

Microsoft confirmed the activity was external to Microsoft’s own infrastructure, but was used to intercept traffic specifically to Microsoft 365 and Outlook Web services. [microsoft.com]

Why this attack is especially dangerous

This campaign stands out because:

  • No endpoint malware required
  • No phishing emails
  • Bypasses traditional EDR and email security
  • ✅ Works even with MFA (via stolen session tokens)
  • ✅ Exploits routers, which are often unmonitored

As Microsoft noted, compromised SOHO routers provide nation‑state actors with persistent, passive visibility into downstream enterprise networks. [microsoft.com]

Popular posts from this blog

WSUS CVE-2025-59287 Mitigation

-
Image
CVE-2025-59287 is a critical Remote Code Execution (RCE) vulnerability affecting Windows Server Update Services (WSUS) . Here's a detailed breakdown of what it is, how it works, and what you should do about it: Overview Disclosed: October 2025 Patch Tuesday CVSS Score: 9.8 (Critical) Affected Systems: Windows Server 2012 through 2025 (including Server Core installations) Exploitability: Microsoft rates it as “Exploitation More Likely” Technical Details The vulnerability arises from unsafe deserialization of untrusted data in WSUS. Specifically, the GetCookie() endpoint in WSUS processes encrypted AuthorizationCookie objects without proper type validation. The deserialization occurs via .NET BinaryFormatter , which is known to be insecure when handling untrusted input. Attackers can send a crafted SOAP request to WSUS over port 8530 , containing a malicious AuthorizationCookie . The cookie is decrypted using a hardcoded AES key and then deserialized, allow...
Read more

Cloud Infrastructures are Having a Bad Week

-
Image
  Today’s disruptions across Microsoft Azure and Amazon Web Services (AWS) were significant, but they’re not signs of cloud computing’s demise. Instead, they underscore the risks of centralization and the importance of designing systems that can withstand provider-level failures. What happened today? • Microsoft Azure outage: Azure’s Front Door service suffered a major disruption due to a misconfiguration, impacting services like Outlook, Xbox, Microsoft 365, and even third-party platforms like Starbucks and Alaska Airlines. The Azure website states a little more than disruption. "Azure Front Door - Connectivity issues - Observing recovery Starting at approximately 16:00 UTC on 29 October 2025, customers and Microsoft services leveraging Azure Front Door (AFD) may have experienced latencies, timeouts, and errors. We have confirmed that an inadvertent configuration change was the trigger event for this issue. Affected Azure services may have included, but were not limited to: App S...
Read more

CVE-2025-58034 Fortinet Warnings and Mitigation

-
Image
Type: OS Command Injection vulnerability (CWE-78) Affected Product: Fortinet FortiWeb (Web Application Firewall) Affected Versions: 8.0.0 – 8.0.1 7.6.0 – 7.6.5 7.4.0 – 7.4.10 7.2.0 – 7.2.11 7.0.0 – 7.0.11 [nvd.nist.gov] , [cvedetails.com] Description The vulnerability is caused by improper neutralization of special elements used in OS commands . An authenticated attacker can exploit this flaw by sending crafted HTTP requests or CLI commands , allowing them to execute arbitrary code on the underlying system. This can compromise the integrity, confidentiality, and availability of the device. [nvd.nist.gov] , [cvedetails.com] Severity CVSS v3.1 Base Score: 7.2 (High) Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Impact: High on Confidentiality, Integrity, and Availability [cvedetails.com] Exploitation Status Actively Exploited: Yes. Fortinet confirmed expl...
Read more