
Russia Harvests Microsoft Office Tokens via Routers

Russian military hackers exploited aging routers to silently harvest Microsoft Office authentication tokens across 18,000+ networks. Here's what to do now.


What Happened

Security researchers and government officials confirmed in early April 2026 that hackers tied to Russia's military intelligence apparatus — commonly tracked as APT28 or Fancy Bear — conducted a large-scale espionage campaign targeting Microsoft Office authentication tokens. The attack vector wasn't a zero-day in Office itself. It was your router.

By exploiting well-documented vulnerabilities in older, unpatched internet routers, the threat actors positioned themselves between users and Microsoft's authentication servers. From that vantage point, they silently intercepted and harvested OAuth tokens — the digital credentials your browser or app uses to prove you're already logged in — without ever installing malware on a single endpoint. The campaign swept across more than 18,000 networks before being publicly disclosed. Brian Krebs first reported the details on April 7, 2026.

Why This Attack Is Particularly Dangerous

Most organizations defend the front door — they enforce strong passwords, deploy endpoint detection tools, and train staff to spot phishing emails. This attack walked in through the garage. By compromising the router, the attackers never touched the target's computers or servers. There was no malicious attachment, no suspicious login from an unusual country, and no malware signature for an antivirus engine to catch.

Authentication tokens are the keys to the kingdom in a modern Microsoft 365 environment. Once an attacker holds a valid token, they can access email, SharePoint files, Teams conversations, and OneDrive documents for as long as that token remains valid — often hours or days. Conditional access policies that check for a known device or location may not flag token reuse if the attacker routes traffic carefully. Traditional multi-factor authentication, while valuable, does not protect a session after a token has already been issued and stolen.

For healthcare practices operating under HIPAA, tax professionals handling client financial records, and small businesses relying on Microsoft 365 as their primary productivity and communication platform, the exposure here is significant. A stolen token grants read and write access to exactly the kind of sensitive data that regulators, clients, and cyber liability insurers care most about.

Key Takeaway

This campaign required no malware and bypassed endpoint defenses entirely by exploiting forgotten or unpatched routers. If your office or home network is running a router that hasn't received a firmware update in the past 12–18 months, it may already be a liability. Stolen Microsoft 365 tokens give attackers full session access to email, files, and collaboration tools — silently, and without triggering most standard security alerts.

Who Is Most at Risk

This campaign targeted networks broadly, not specific industries, which means the risk is widely distributed. That said, certain profiles are more exposed than others. Small and mid-sized businesses are frequently running consumer-grade or aging business routers that manufacturers quietly stopped patching years ago. Healthcare clinics, dental offices, CPA firms, and legal practices that rely on Microsoft 365 for daily operations — and store regulated data there — face both the direct breach risk and the downstream compliance exposure if that data is accessed without authorization.

Remote workers connecting through home routers are equally affected. If your staff accesses Microsoft 365 from home networks built around an ISP-provided router from 2020 or earlier, those devices may carry the same unpatched vulnerabilities exploited in this campaign.

Defensive Actions to Take Now

Audit and update your routers immediately. Check the manufacturer and model of every router on your network — including those used by remote employees if your IT policy covers home office equipment. Visit the manufacturer's support page, confirm whether the device is still receiving firmware updates, and apply any available patches now. If the device is end-of-life, replace it. This is not optional hygiene; it is the direct attack surface used in this campaign.

Enforce Continuous Access Evaluation and short token lifetimes in Microsoft 365. Microsoft's Conditional Access policies allow administrators to reduce token lifetime and require re-authentication under suspicious conditions. If your Microsoft 365 tenant is not already configured with Conditional Access, this incident is a clear reason to prioritize that work. Consult your IT provider or managed security partner about enabling Continuous Access Evaluation (CAE), which allows Microsoft to revoke tokens in near-real time when anomalies are detected.

Review Microsoft 365 sign-in logs for anomalous token activity. In the Azure AD or Entra ID portal, pull sign-in logs filtered by token refresh events and look for sessions originating from unexpected IP addresses or geographic locations. Unusual access patterns — especially read activity against mailboxes or SharePoint during off-hours — warrant immediate investigation.
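The two signals the paragraph above tells you to hunt for, a token refresh arriving from an origin the user was not using a few hours earlier and read activity against mailboxes or SharePoint outside working hours, can be checked mechanically over an exported sign-in log. The script below is an added example written for this article, not code from the article's author or from Microsoft. Its record layout is a constructed, simplified stand-in for a sign-in log export: the field names (timestamp, user, ip, country, app, activity, token_refresh), the business-hours window and the sample rows are all assumptions, and a real export would need to be mapped onto them first.

```python
"""Flag anomalous Microsoft 365 sign-in activity from exported sign-in records.

Added example; not code from the article or from Microsoft. The record layout
is a constructed, simplified stand-in for an Entra ID sign-in log export:
the field names (timestamp, user, ip, country, app, activity, token_refresh)
are assumptions, not the real schema.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample records: one user's normal daytime activity from one
# country, followed by a token refresh and mailbox/file reads from a second
# country during the night, which is the pattern the article describes.
SAMPLE_SIGNINS = [
    {"timestamp": "2026-04-03T14:05:00", "user": "alice@example.com", "ip": "203.0.113.10",
     "country": "US", "app": "Outlook", "activity": "mail.read", "token_refresh": False},
    {"timestamp": "2026-04-03T14:40:00", "user": "alice@example.com", "ip": "203.0.113.10",
     "country": "US", "app": "SharePoint", "activity": "file.read", "token_refresh": True},
    {"timestamp": "2026-04-04T02:12:00", "user": "alice@example.com", "ip": "198.51.100.77",
     "country": "NL", "app": "Outlook", "activity": "mail.read", "token_refresh": True},
    {"timestamp": "2026-04-04T02:30:00", "user": "alice@example.com", "ip": "198.51.100.77",
     "country": "NL", "app": "SharePoint", "activity": "file.read", "token_refresh": False},
    {"timestamp": "2026-04-04T09:00:00", "user": "bob@example.com", "ip": "203.0.113.22",
     "country": "US", "app": "Teams", "activity": "chat.read", "token_refresh": True},
]

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed local working window
READ_APPS = {"Outlook", "SharePoint"}        # mailbox and file-store reads the article calls out


def _parse(rec):
    return datetime.fromisoformat(rec["timestamp"])


def find_anomalies(records, window=timedelta(hours=12)):
    """Return a list of (user, reason, record) findings.

    Two checks, mirroring what the article says to look for:
    1. A token refresh from an IP/country pair the same user has not used in
       the preceding `window` of activity (an existing session changing origin).
    2. Read activity against mailboxes or SharePoint outside business hours.
    """
    findings = []
    history = defaultdict(list)  # user -> list of (datetime, ip, country)
    for rec in sorted(records, key=_parse):
        ts = _parse(rec)
        user = rec["user"]
        recent = [(t, ip, c) for (t, ip, c) in history[user] if ts - t <= window]
        known_origins = {(ip, c) for (_, ip, c) in recent}
        if rec["token_refresh"] and recent and (rec["ip"], rec["country"]) not in known_origins:
            findings.append((user, "token refresh from new origin", rec))
        if rec["app"] in READ_APPS and rec["activity"].endswith(".read"):
            if not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]):
                findings.append((user, "off-hours read activity", rec))
        history[user].append((ts, rec["ip"], rec["country"]))
    return findings


def summarize(findings):
    """Group findings by user so an analyst sees one line per account."""
    per_user = defaultdict(set)
    for user, reason, _ in findings:
        per_user[user].add(reason)
    return {u: sorted(r) for u, r in per_user.items()}


if __name__ == "__main__":
    for user, reason, rec in find_anomalies(SAMPLE_SIGNINS):
        print(f"{rec['timestamp']} {user:22} {reason:30} {rec['ip']} {rec['country']}")
    print(summarize(find_anomalies(SAMPLE_SIGNINS)))
```

On the constructed sample, the US sign-ins pass, the night-time refresh from a Dutch address is reported both as a new-origin refresh and as off-hours mailbox reading, and the follow-up SharePoint read is reported as off-hours. The first check deliberately stays silent when a user has no recent history, so a normal first login of the day is not flagged; tune `window` and `BUSINESS_HOURS` to the tenant's actual working pattern before relying on it.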

Segment and monitor your network perimeter. Routers that sit on the edge of your network should not have administrative interfaces exposed to the internet. Disable remote management features unless actively needed, change default admin credentials, and if your router supports logging, ensure those logs are being reviewed or forwarded to a monitoring system.

Consider hardware security keys for high-value accounts. FIDO2 hardware tokens — such as a YubiKey — bind authentication to a physical device, so an attacker sitting on the network path cannot replay the credential exchange to sign in on their own. They do not, however, protect a session token that has already been issued, which is why they belong alongside the short token lifetimes and Continuous Access Evaluation described above rather than in place of them. For executives, finance staff, HR personnel, and anyone with administrative privileges in Microsoft 365, hardware MFA is worth the modest cost.

The Broader Pattern

This campaign is a reminder that nation-state actors have shifted significant attention toward network infrastructure as a persistent, low-noise access mechanism. Routers, firewalls, and VPN appliances don't run traditional endpoint security software, they rarely generate alerts that reach a human reviewer, and many organizations treat them as set-and-forget infrastructure. That assumption is exactly what this campaign exploited at scale. Securing the edge of your network is no longer a task you can defer.
