
What Happened
A sophisticated espionage campaign tied to Russia's military intelligence apparatus — widely attributed to GRU-affiliated threat actors — has been quietly draining authentication tokens from Microsoft Office users at scale. According to a report published April 7, 2026 by KrebsOnSecurity, attackers exploited known vulnerabilities in aging Internet routers to intercept and harvest authentication tokens across more than 18,000 distinct networks.
What makes this campaign particularly alarming isn't just the scale — it's the method. The attackers deployed no malicious software whatsoever. There were no phishing lures, no malware droppers, no ransomware payloads. Instead, they turned vulnerable routers into silent interception points, siphoning the authentication tokens that Microsoft 365 and Office users rely on to stay logged in. Once an attacker holds a valid session token, they can impersonate that user entirely — no password required, no MFA prompt triggered.
Why Routers? The Logic of Living Off the Edge
The choice of routers as an attack vector is deliberate and increasingly common among nation-state actors. Edge devices — routers, firewalls, VPN concentrators — sit at the perimeter of every network, handling enormous volumes of traffic, and yet they are frequently the least-monitored, least-patched assets in an organization's environment. Unlike endpoints running EDR software or cloud workloads covered by SIEM pipelines, routers often operate in a blind spot.
Older router models are especially vulnerable. Many run firmware that manufacturers no longer update, leaving known CVEs permanently unpatched. In enterprise and mid-market environments alike, hardware refresh cycles for networking infrastructure routinely lag years behind the rest of the IT estate. Attackers exploiting these devices don't need to "get in" to your environment in the traditional sense — they simply position themselves between your users and the internet, reading traffic as it flows past.
Token interception is a natural fit for this approach. As organizations have hardened credential-based attacks through MFA adoption, adversaries have pivoted to session token theft — a technique sometimes called "pass-the-cookie" or adversary-in-the-middle (AiTM) interception. Routers compromised at the network edge provide a privileged vantage point for exactly this kind of passive collection, with no footprint inside the target organization's systems.
This isn't the first time Russian state actors have leveraged router infrastructure at scale. The same playbook — exploit edge devices, intercept credentials or tokens, avoid endpoint detection — has been observed in prior campaigns attributed to Sandworm and APT28. What's changed is the breadth: 18,000 networks is not targeted espionage. It's mass collection.
Key Takeaway
Authentication tokens stolen from compromised routers grant full account access with no additional credentials needed — bypassing MFA entirely. If your organization runs end-of-life or unpatched networking hardware, you may already be exposed without any indication of intrusion on your endpoints or in your cloud logs.
Implications for Organizations
The implications of this campaign extend well beyond the directly affected networks. Token theft at this scale suggests a broad intelligence-gathering objective rather than a narrowly scoped intrusion. Harvested tokens can be used to access email, SharePoint, Teams conversations, OneDrive files, and any other Microsoft 365 service the user is licensed for — all without triggering the kind of alerts associated with credential stuffing or brute-force attacks.
For organizations in sectors that are typical GRU targets — defense contractors, critical infrastructure operators, government agencies, policy research institutions, and technology companies — this campaign warrants immediate review of network edge security posture. But the 18,000-network scale also suggests that opportunistic collection is in play; smaller organizations should not assume they fall below the threshold of interest.
There is also a supply chain dimension worth considering. Managed service providers, ISPs, and any entity that administers routers on behalf of multiple clients could represent a force multiplier for attackers. Compromising one router in an MSP's fleet could expose token traffic from dozens of downstream customers simultaneously.
What Your Organization Should Do Now
Audit your edge device inventory. Identify every router, firewall, and network appliance in your environment. Flag any device running end-of-life firmware or hardware that has not received a security update in the past 12 months. Prioritize these for immediate patching or replacement.
Apply available firmware updates immediately. The vulnerabilities exploited in this campaign are described as "known flaws" — meaning patches exist. There is no technical barrier to remediation, only an operational one. Treat unpatched edge devices as active liabilities.
Implement Conditional Access policies in Microsoft 365. Microsoft's Conditional Access framework allows organizations to bind session tokens to specific device compliance states, IP ranges, or continuous access evaluation (CAE) signals. These controls significantly reduce the usability of stolen tokens even if interception occurs.
Monitor for anomalous token use. Microsoft Entra ID (formerly Azure AD) sign-in logs capture token issuance and use patterns. Look for tokens being exercised from unexpected geographic locations, IP addresses outside your known ranges, or at unusual hours. Microsoft Sentinel and Defender for Cloud Apps both support detections for AiTM-style token replay.
Segment and encrypt where possible. Network segmentation limits the blast radius of a compromised edge device, while enforcing TLS 1.3 and HSTS across internal and external services raises the cost of passive interception attacks.
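Detection logic of the kind the monitoring step above describes, run over a few constructed sign-in records: it groups sign-ins by user and session token and flags a session exercised from more than one country, from an IP outside known egress ranges, or outside business hours. This is an added example, not code from this post, from Microsoft or from the KrebsOnSecurity report; the JSON field names, the sample records and the 203.0.113.0/24 egress range are assumptions.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in records, not real Entra ID output. Field names
# loosely follow the Sentinel SigninLogs columns but are an assumption here.
SAMPLE_SIGNINS = """
{"UserPrincipalName": "alice@example.com", "SessionId": "s-001", "IPAddress": "203.0.113.10", "Country": "US", "TimeGenerated": "2026-04-07T14:05:00Z"}
{"UserPrincipalName": "alice@example.com", "SessionId": "s-001", "IPAddress": "198.51.100.77", "Country": "NL", "TimeGenerated": "2026-04-07T14:09:00Z"}
{"UserPrincipalName": "bob@example.com", "SessionId": "s-002", "IPAddress": "203.0.113.22", "Country": "US", "TimeGenerated": "2026-04-07T15:30:00Z"}
{"UserPrincipalName": "bob@example.com", "SessionId": "s-002", "IPAddress": "203.0.113.22", "Country": "US", "TimeGenerated": "2026-04-08T03:10:00Z"}
{"UserPrincipalName": "carol@example.com", "SessionId": "s-003", "IPAddress": "203.0.113.40", "Country": "US", "TimeGenerated": "2026-04-07T09:00:00Z"}
"""

# Known corporate egress ranges and working hours (both constructed).
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS_UTC = range(7, 20)  # 07:00 to 19:59 UTC


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def in_known_range(ip):
    """True if the address falls inside one of the known egress ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_RANGES)


def find_token_replay(records):
    """Return {(user, session): [reasons]} for sessions whose use looks like token replay."""
    sessions = defaultdict(list)
    for r in records:
        sessions[(r["UserPrincipalName"], r["SessionId"])].append(r)
    findings = {}
    for key, events in sessions.items():
        reasons = []
        # A single session token exercised from two countries is the classic AiTM signal.
        countries = sorted({e["Country"] for e in events})
        if len(countries) > 1:
            reasons.append("same session used from %s" % ",".join(countries))
        for e in events:
            if not in_known_range(e["IPAddress"]):
                reasons.append("sign-in from IP outside known ranges: %s" % e["IPAddress"])
            hour = datetime.fromisoformat(e["TimeGenerated"].replace("Z", "+00:00")).hour
            if hour not in BUSINESS_HOURS_UTC:
                reasons.append("sign-in at %02d:00 UTC outside business hours" % hour)
        if reasons:
            findings[key] = reasons
    return findings
```

Tune the ranges and hours to your own environment; the point is that each check needs only the sign-in log, not any endpoint telemetry.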
The fundamental lesson of this campaign is one Bellator Cyber Guard has emphasized consistently: your perimeter devices are not passive infrastructure — they are high-value targets. Treat them accordingly.