Russia Exploits Router Flaws to Harvest Office 365 Tokens

Russian military hackers exploited unpatched router flaws to silently steal Microsoft Office auth tokens from 18,000+ networks — no malware required.

What Happened

Threat actors linked to Russia's military intelligence apparatus — widely attributed to GRU-affiliated units — have been conducting a large-scale espionage campaign by exploiting known vulnerabilities in aging Internet routers. Rather than deploying traditional malware, the attackers leveraged these router-level footholds to intercept and harvest authentication tokens belonging to Microsoft Office users across more than 18,000 distinct networks. The campaign was detailed by security researchers on April 7, 2026, and has been described as one of the more operationally disciplined token-theft operations observed from a nation-state actor in recent years. Full details were reported by KrebsOnSecurity.

What makes this campaign particularly notable is what the attackers didn't do. There was no custom implant, no ransomware staging, no lateral movement in the traditional sense. The infrastructure itself — compromised routers sitting at the edge of thousands of organizations — became the silent collection apparatus. Tokens were harvested passively as they traversed the network, leaving minimal forensic artifacts on endpoint systems where most defenders focus their detection efforts.

Why This Attack Model Is So Effective

Authentication tokens — the short-lived credentials that modern identity systems like Microsoft Entra ID (formerly Azure AD) issue after a successful login — are the keys to the kingdom in a cloud-first environment. When an attacker possesses a valid token, they bypass passwords entirely. Multi-factor authentication that was satisfied at login time offers no protection against token replay. The attacker simply presents the stolen token to Microsoft's authentication services and gains access as the legitimate user, often without triggering any anomalous login alert because the session appears to originate from a trusted context.
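The replay described above does leave one trace on the identity side: the same sign-in session keeps being used, but from a network that never completed the interactive, MFA-satisfied sign-in. The following is an added example, not code from the article or from Microsoft; the records are constructed and use a simplified, assumed subset of the Entra ID sign-in log fields (session ID, source IP, ASN, and whether the event was interactive and satisfied MFA).

```python
"""Flag sign-in sessions reused from a network that never passed MFA.

Added example with constructed data; the field names below are a simplified,
assumed subset of Entra ID sign-in log fields, not the exact schema.
"""
from collections import defaultdict

# Constructed sample events. The interactive sign-in that satisfied MFA and the
# later non-interactive token uses share one session ID. Alice's session is
# replayed from a second ASN; Bob's session is only used from its origin.
SIGNIN_LOGS = [
    {"time": "2026-04-07T08:01:00Z", "user": "alice@example.com", "sessionId": "s-1111",
     "ip": "203.0.113.10", "asn": 64500, "interactive": True, "mfa": True},
    {"time": "2026-04-07T08:30:00Z", "user": "alice@example.com", "sessionId": "s-1111",
     "ip": "203.0.113.10", "asn": 64500, "interactive": False, "mfa": False},
    {"time": "2026-04-07T09:12:00Z", "user": "alice@example.com", "sessionId": "s-1111",
     "ip": "198.51.100.77", "asn": 64666, "interactive": False, "mfa": False},
    {"time": "2026-04-07T08:05:00Z", "user": "bob@example.com", "sessionId": "s-2222",
     "ip": "203.0.113.11", "asn": 64500, "interactive": True, "mfa": True},
    {"time": "2026-04-07T10:05:00Z", "user": "bob@example.com", "sessionId": "s-2222",
     "ip": "203.0.113.11", "asn": 64500, "interactive": False, "mfa": False},
]


def find_replayed_sessions(logs):
    """Return one finding per non-interactive token use whose ASN never completed
    an interactive, MFA-satisfied sign-in for that user's session."""
    by_session = defaultdict(list)
    for rec in logs:
        by_session[(rec["user"], rec["sessionId"])].append(rec)

    findings = []
    for (user, sid), recs in by_session.items():
        recs.sort(key=lambda r: r["time"])  # ISO-8601 strings sort chronologically
        # ASNs from which this session actually passed an interactive MFA sign-in
        trusted_asns = {r["asn"] for r in recs if r["interactive"] and r["mfa"]}
        if not trusted_asns:
            continue  # origin sign-in outside the window; cannot judge this session
        for r in recs:
            if not r["interactive"] and r["asn"] not in trusted_asns:
                findings.append({
                    "user": user, "sessionId": sid, "ip": r["ip"], "asn": r["asn"],
                    "time": r["time"],
                    "reason": "non-interactive token use from an ASN that never passed MFA",
                })
    return findings


if __name__ == "__main__":
    for f in find_replayed_sessions(SIGNIN_LOGS):
        print(f)
```

The rule keys on ASN rather than exact IP so that ordinary address churn inside one provider does not fire. Its blind spot is a replay sent through the victim's own egress, which would share the origin ASN; that case is what device-bound tokens and near-real-time revocation (the Microsoft 365 controls discussed below) are for, not log review.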

Targeting the router layer is a calculated choice. Routers are frequently running outdated firmware, are rarely monitored with the same rigor as endpoints or servers, and sit in an architecturally privileged position — all traffic passes through them. By compromising a router with a known, unpatched vulnerability, attackers gain a passive sensor that requires no ongoing interaction and generates no endpoint telemetry. Organizations that rely solely on EDR solutions for threat detection have effectively no visibility into this attack surface.

This is not the first time GRU-linked actors have demonstrated a preference for network infrastructure as a pivot point. Operations attributed to Sandworm and APT28 have historically targeted routers, VPN appliances, and firewall devices — a pattern that reflects a deliberate doctrine of operating beneath the detection threshold of enterprise security tooling.

Key Takeaway

Stolen authentication tokens bypass MFA entirely. If your routers are running unpatched firmware and your organization uses Microsoft 365 or any token-based cloud service, you are a viable target for this exact campaign. Token theft at the network layer leaves no trace on the endpoint — meaning your EDR won't see it. This is a detection gap that requires active attention, not a checkbox.

The Broader Threat Landscape

This campaign fits squarely within a documented and escalating trend: nation-state actors, particularly those operating under resource constraints imposed by international sanctions and attribution pressure, are increasingly moving away from noisy malware deployments in favor of "living off the land" and infrastructure abuse techniques. Token theft, session hijacking, and credential relay attacks are harder to detect, harder to attribute, and — critically — harder to remediate because the attacker may have already used the token to establish persistent OAuth application grants or exfiltrate cloud data before the initial compromise is even discovered.

The 18,000-network scale of this operation also signals a shift toward broad, indiscriminate collection rather than narrow, high-value targeting. While the ultimate targets of interest may be a subset of government, defense, or critical infrastructure organizations embedded within those networks, mass token harvesting allows intelligence services to cast a wide net and sort for value later. Small and mid-sized businesses sitting in the supply chains of larger targets are increasingly collateral — and sometimes primary — victims of these campaigns.

What Your Organization Should Do Now

Audit your network edge devices immediately. If your organization is running routers or switches on firmware that has not been updated in the past 12 months, treat that as an active risk. Identify the make, model, and firmware version of every device on your perimeter and cross-reference against publicly known CVEs. If a patch is available and has not been applied, apply it. If a device is end-of-life with no available patches, plan for replacement.

Enable token binding and Continuous Access Evaluation (CAE) in Microsoft 365. Microsoft's Conditional Access control for token binding is called Token Protection; it ties a sign-in session token to the device it was issued to, so a copy presented from elsewhere is rejected. CAE lets resource providers such as Exchange Online and SharePoint Online revoke an access token in near-real-time when a critical event occurs (for example, the account is disabled, the password is changed, or a Conditional Access location policy is violated) rather than waiting for the token to expire. Ensure both are enabled across your tenant. Similarly, review Conditional Access policies to enforce IP-based (named location) restrictions where feasible, limiting token replay from unexpected geographic regions or network ranges.

Expand detection coverage beyond the endpoint. If your security monitoring relies exclusively on endpoint agents, you are blind to network-layer token interception. Consider deploying network detection and response (NDR) capabilities, reviewing NetFlow data for anomalous egress patterns, and ensuring that router and switch authentication logs are being forwarded to your SIEM.
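A compromised edge router that is exfiltrating harvested tokens has to originate traffic itself, and a router normally initiates almost nothing toward the Internet beyond NTP, logging, and vendor update checks. That makes "router-sourced egress to an unexpected destination" a simple NetFlow rule. The block below is an added example, not the article's or any vendor's tooling: the flow lines, the router interface addresses, and the expected-egress allowlist are all constructed, and the comma-separated record layout is an assumption standing in for whatever your collector exports.

```python
"""Flag flows that an edge router originates toward unexpected external hosts.

Added example with constructed data. The CSV layout
(time,src,dst,dport,proto,bytes) is assumed, not a real exporter format.
"""
import ipaddress
from collections import defaultdict

# Assumed: the router's own interface addresses (constructed values).
ROUTER_IPS = {"203.0.113.1", "192.168.1.1"}
# Assumed: (destination, port) pairs the router legitimately initiates itself.
EXPECTED_EGRESS = {("192.0.2.10", 123), ("192.0.2.20", 443)}
# RFC 1918 ranges; traffic to these is internal management, not egress.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed NetFlow-style records.
FLOWS = [
    "2026-04-07T08:00:01Z,203.0.113.1,192.0.2.10,123,udp,76",          # NTP, expected
    "2026-04-07T08:00:05Z,192.168.1.50,198.51.100.5,443,tcp,10240",    # workstation transit
    "2026-04-07T08:05:00Z,192.168.1.1,192.168.1.20,514,udp,300",       # syslog, internal
    "2026-04-07T08:10:00Z,203.0.113.1,198.51.100.200,443,tcp,524288",  # router -> unknown host
    "2026-04-07T08:20:00Z,203.0.113.1,198.51.100.200,443,tcp,1048576", # same host again
    "2026-04-07T08:30:00Z,203.0.113.1,192.0.2.20,443,tcp,2048",        # update server, expected
]


def parse_flow(line):
    """Split one constructed CSV flow record into typed fields."""
    ts, src, dst, dport, proto, nbytes = line.strip().split(",")
    return {"time": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def is_internal(ip):
    """True for RFC 1918 destinations (explicit list, so test-net addresses
    used in the sample are treated as external)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_router_egress(lines, router_ips=ROUTER_IPS, expected=EXPECTED_EGRESS):
    """Aggregate router-originated flows to external, non-allowlisted
    (dst, dport) pairs; returns {(dst, dport): {flows, bytes, first_seen}}."""
    suspects = defaultdict(lambda: {"flows": 0, "bytes": 0, "first_seen": None})
    for line in lines:
        f = parse_flow(line)
        if f["src"] not in router_ips:
            continue  # transit traffic from hosts behind the router is expected
        if is_internal(f["dst"]):
            continue  # internal management traffic
        key = (f["dst"], f["dport"])
        if key in expected:
            continue
        entry = suspects[key]
        entry["flows"] += 1
        entry["bytes"] += f["bytes"]
        if entry["first_seen"] is None:
            entry["first_seen"] = f["time"]
    return dict(suspects)


if __name__ == "__main__":
    for key, stats in find_router_egress(FLOWS).items():
        print(key, stats)
```

Run against a day of exports, the allowlist is what needs care: build it from the router's configured NTP, syslog, SNMP and update servers, not from what the flows happen to show, because a router that has been compromised for months will have "baseline" traffic that should not be trusted.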

Review OAuth application grants in your Microsoft 365 tenant. One of the first actions a threat actor takes after successfully replaying a stolen token is to register a persistent OAuth application that survives password resets and token revocation. Audit your tenant for third-party and unrecognized application grants with broad permissions, and revoke anything that cannot be accounted for.

The tradecraft on display in this campaign is not exotic — it is disciplined. The vulnerability being exploited in the routers is known. The tokens being harvested are preventably exposed. The remediation steps exist. The gap, as is so often the case, is execution. Organizations that treat network device hygiene and identity security as maintenance tasks rather than active security controls will continue to find themselves in scope for campaigns exactly like this one.
