Hackers are turning home routers into tools to spy on Microsoft 365 users

Alfonso Maruccia

Posts: 2,600   +978
Staff
In a nutshell: Targeting insecure routers in personal or small office / home office environments is nothing new, with several hacking groups now exploiting this method to carry out a range of malicious activities. According to Microsoft, a recently discovered attack goes beyond simple device exploitation, extending to its widely used cloud services.

A notorious team of Russian spies is once again targeting internet-facing devices to advance their unlawful activities. Microsoft warned that Forest Blizzard, a Kremlin-sponsored hacking group also known as Storm-2754 or Fancy Bear, has spent the past few months attempting to compromise thousands of personal and small office / home office routers. Once they gained control of an insecure device, Forest Blizzard operatives pursued their broader malicious objectives.

According to a recent report from Microsoft's Threat Intelligence team, this cybercrime campaign has been active since at least August 2025. Forest Blizzard carried out large-scale attacks on thousands of SOHO and personal routers, affecting more than 200 organizations and 5,000 consumer devices. The campaign's primary tactic involved malicious changes to the routers' DNS settings, giving the hackers a persistent foothold and the ability to intercept DNS traffic.

Microsoft analysts explained that Forest Blizzard primarily used the hijacked routers to redirect traffic through its malicious DNS infrastructure. In addition, the hackers leveraged the recovered intelligence to carry out more complex man-in-the-middle attacks – referred to by Microsoft as adversary-in-the-middle attacks – against Microsoft 365 domains.

The malicious DNS servers could present invalid TLS certificates, which unsuspecting victims often dismissed as common web communication errors. Once in control, the hackers were able to fully intercept plaintext web traffic – because no valid TLS certificate was present to encrypt it – and search for potentially valuable Microsoft 365 data.

A successful MiTM/AiTM attack could provide Forest Blizzard with sensitive account information, compromising major organizations and further informing its malicious campaigns. The Kremlin-backed hackers could also exploit this account data to deploy dangerous malware or carry out disruptive denial-of-service attacks.

Microsoft's report provides a detailed list of mitigation procedures for both enterprise organizations and end users. Windows now includes several endpoint measures designed to curb DNS hijacking attempts, including Zero Trust DNS and specific protections within Microsoft Defender.

Redmond's anti-malware engine is expected to detect Forest Blizzard / Storm-2754 activities and alert users accordingly. Enterprise organizations can also enforce Entra ID Protection and multi-factor authentication to minimize risk. Finally, companies should avoid using – or allowing – home routers in corporate environments. Hybrid or remote work setups should always operate through a centralized identity management platform.

Permalink to story:

 
CIA and MOSSAD have tools that can compromise any network with fake IP masking. TRUST microSLOP to know it's Russia LMAO.

 
You know, when the news about how the US was going to crack down on foreign-made routers I wasn't too sure about it. I saw it as a power grab but with this now happening, I'm not so sure anymore. Maybe they were right.
 
You know, when the news about how the US was going to crack down on foreign-made routers I wasn't too sure about it. I saw it as a power grab but with this now happening, I'm not so sure anymore. Maybe they were right.
It's a disaster of a policy. No new security updates after March 1, 2027. It's a gift to hackers everywhere. Most American's aren't going to know about or upgrade their router even if they know (assuming any compatible with the policy are available by then). https://www.pcmag.com/news/fccs-rou...-an-expiration-date-on-home-internet-security
 
It's a disaster of a policy. No new security updates after March 1, 2027. It's a gift to hackers everywhere. Most American's aren't going to know about or upgrade their router even if they know (assuming any compatible with the policy are available by then). https://www.pcmag.com/news/fccs-rou...-an-expiration-date-on-home-internet-security

This is how politicians behave when they want their palms greased with some extra cash. Catastrophize a valid concern and exploit it by creating a brand new certification system.

This forces tech companies to cozy up and play ball to survive. Sounds like corruption to me, but these days I believe they call it winning, what with the language and the ethics being so flexible now.

I was raised to be a good person, which by contrast seems like a handicap now.
 
I don't quite understand. Your home router has the option to set a DNS server, but few people use it. It's usually done through Windows settings, and you can also specify the desired server in your browser. In addition, old routers do not support DoH, etc.
Of course, it is possible in an office router, especially if the default login/password settings remain.
 
Last edited:
This is how politicians behave when they want their palms greased with some extra cash. Catastrophize a valid concern and exploit it by creating a brand new certification system.

This forces tech companies to cozy up and play ball to survive. Sounds like corruption to me, but these days I believe they call it winning, what with the language and the ethics being so flexible now.

I was raised to be a good person, which by contrast seems like a handicap now.
It's pure corruption and money laundering. They aren't banning foreign made routers out of concern as the NSA and CIA have access to their source code (enjoy Obama's expansion of Bush' domestic spying), it's purely about bribes.
 
"A notorious team of Russian spies is once again targeting internet-facing devices to advance their unlawful activities. Microsoft warned that Forest Blizzard, a Kremlin-sponsored hacking group also known as Storm-2754 or Fancy Bear, has spent the past few months attempting to compromise thousands of personal and small office / home office routers."

Bullcrap...!
 
You know, when the news about how the US was going to crack down on foreign-made routers I wasn't too sure about it. I saw it as a power grab but with this now happening, I'm not so sure anymore. Maybe they were right.
Are there actually any non foreign-made routers on the market? Even if they're sold by a U.S. company, aren't they all assembled oversees and don't all the parts come from China?
 
I wish there was more information about how all this can be blocked so users can set their preferences accordingly. For example, as far as I know my DNS server is provided by my ISP, not by me. So I don't see how to block that. Also, I have my router set to block any connection not listed in my router, which is not also a modem. The modem is a separate device with a rudimentary firewall. I've also set my own passwords. I think all this should protect me from foreign agents trying to get into my home network. Am I wrong?
 
Back