Authorities Shut Down APT28’s Router‑DNS Hijack That Stole Microsoft 365 Logins
Authorities have disrupted FrostArmada, a DNS hijacking campaign run by APT28, a Russian threat group linked to the GRU, which compromised 18,000 MikroTik and TP‑Link routers across 120 countries to steal Microsoft 365 credentials. Law enforcement, Microsoft, Lumen's Black Lotus Labs, and government agencies took down the malicious infrastructure and published indicators of compromise and mitigation guidance to prevent future attacks.

DNS Hijacking Campaign Targets Microsoft 365 Logins via SOHO Routers
An international operation, led by law enforcement and supported by private sector partners, has disrupted a sophisticated DNS hijacking campaign attributed to a Russia-linked threat group. The campaign, tracked by security researchers as FrostArmada, hijacked traffic from home and small-office routers to siphon Microsoft account credentials and OAuth tokens as users attempted to reach Microsoft 365 services.
The attackers are widely associated with a cluster of groups tracked under various names, including Fancy Bear and Sofacy, and researchers tied the activity to a long-running unit within Russia's military intelligence apparatus. FrostArmada compromised a large number of internet-exposed devices worldwide, with infected endpoints found in government-adjacent networks, IT providers, hosting outfits, and organizations operating their own servers. The scale reached into dozens of countries, reflecting a broad and opportunistic approach to credential harvesting.
How the operation unfolded is a study in the misuse of trusted home networking devices. After gaining footholds on devices such as MikroTik and TP-Link routers, the attackers altered the devices’ DNS settings. Those changes redirected traffic to attacker-controlled DNS resolvers hosted on virtual servers. Once the DNS configuration changed, the compromised routers began pushing the new settings to connected devices via DHCP, effectively turning internal networks into conduits for the attackers’ infrastructure.
With traffic redirected, authentication-related domains—those associated with Microsoft services—became targets. When users attempted to log in, their requests would be answered with the attacker’s IP address instead of the legitimate Microsoft endpoint. The outcome was an adversary-in-the-middle position that enabled real-time interception of authentication flows and the collection of credentials and tokens as they traversed the network. In practice, the only obvious warning for many users would be an invalid TLS certificate alert, a byproduct of the proxying approach rather than a normal security notice.
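The hijack described above leaves two host-visible traces: the router now advertises an unexpected resolver over DHCP, and that resolver answers Microsoft sign-in hostnames with an address that an independent resolver does not return. The following detector is an added example written for this article, not code from the page, Microsoft, Lumen or law enforcement. It assumes a per-host snapshot (DHCP-advertised resolvers, answers from the local resolver, answers from a known-good reference resolver) that the operator collects separately; the Microsoft hostnames are real ones I chose, since the article does not enumerate the targeted domains, and every IP address below is constructed from the RFC 5737 documentation ranges, with the IoC set a placeholder to be filled from the published indicator list.

```python
"""Detect router-level DNS hijacking of Microsoft 365 sign-in hostnames.

Added example, not from the article or any vendor. Two checks:
  1. Resolvers the router hands out via DHCP must be in the expected set
     (a hijacked router pushes the attacker's resolver to every LAN client).
  2. Answers for sign-in hostnames from the local resolver must overlap with
     answers from an independent reference resolver, and must not match IoCs.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Real Microsoft sign-in hostnames, chosen by me as examples; the article does
# not list which hostnames the campaign redirected.
AUTH_DOMAINS = ("login.microsoftonline.com", "login.live.com", "outlook.office.com")

# PLACEHOLDER: populate from the published FrostArmada IoC list (attacker
# resolver / VPS addresses). These values are constructed so the example runs
# offline; they are NOT real indicators.
IOC_ADDRESSES: Set[str] = {"203.0.113.10", "203.0.113.55"}


@dataclass
class DnsObservation:
    """One host's view. In production, fill this from the DHCP lease or
    resolv.conf plus queries to the local and a reference resolver."""
    dhcp_dns_servers: List[str]             # resolvers advertised by the router
    local_answers: Dict[str, Set[str]]      # hostname -> A records, local resolver
    reference_answers: Dict[str, Set[str]]  # hostname -> A records, reference resolver


@dataclass
class Finding:
    severity: str
    check: str
    detail: str


def audit(obs: DnsObservation, expected_resolvers: Iterable[str]) -> List[Finding]:
    """Return a list of findings; an empty list means nothing looked hijacked."""
    findings: List[Finding] = []
    expected = set(expected_resolvers)

    # Check 1: unexpected or known-bad resolver pushed by DHCP.
    for server in obs.dhcp_dns_servers:
        if server in IOC_ADDRESSES:
            findings.append(Finding("critical", "dhcp-resolver",
                                    f"DHCP-advertised resolver {server} matches a published IoC"))
        elif server not in expected:
            findings.append(Finding("high", "dhcp-resolver",
                                    f"DHCP-advertised resolver {server} is not in the expected set"))

    # Check 2: sign-in hostname answered with an IoC address, or with addresses
    # that share nothing with what an independent resolver returns.
    for name in AUTH_DOMAINS:
        local = obs.local_answers.get(name, set())
        ref = obs.reference_answers.get(name, set())
        if not local:
            continue
        ioc_hits = local & IOC_ADDRESSES
        if ioc_hits:
            findings.append(Finding("critical", "answer-ioc",
                                    f"{name} resolves to IoC address(es) {sorted(ioc_hits)}"))
        elif ref and local.isdisjoint(ref):
            findings.append(Finding("high", "answer-mismatch",
                                    f"{name}: local answers {sorted(local)} share nothing "
                                    f"with reference answers {sorted(ref)}"))
    return findings


def sample_observation() -> DnsObservation:
    """Constructed snapshot modelling a hijacked router: the attacker's resolver
    was pushed via DHCP, one sign-in hostname resolves to a listed IoC, and a
    second resolves to an unlisted proxy address the reference resolver never
    returns. All addresses are RFC 5737 documentation addresses."""
    return DnsObservation(
        dhcp_dns_servers=["203.0.113.10", "192.168.1.1"],
        local_answers={
            "login.microsoftonline.com": {"203.0.113.55"},
            "login.live.com": {"198.51.100.20"},
            "outlook.office.com": {"203.0.113.77"},
        },
        reference_answers={
            "login.microsoftonline.com": {"198.51.100.10", "198.51.100.11"},
            "login.live.com": {"198.51.100.20"},
            "outlook.office.com": {"198.51.100.31"},
        },
    )


if __name__ == "__main__":
    for f in audit(sample_observation(), expected_resolvers={"192.168.1.1", "9.9.9.9"}):
        print(f"[{f.severity}] {f.check}: {f.detail}")
```

Run against the constructed snapshot, the audit reports the IoC-matching DHCP resolver and the IoC-matching sign-in answer as critical, and the unlisted proxy address as a high-severity mismatch. The mismatch check is deliberately only "high": large CDN-fronted services legitimately rotate addresses between resolvers, so a disjoint answer set is a lead to corroborate (with the IoC list, the TLS certificate presented for the hostname, or the router's own DNS configuration) rather than a verdict on its own.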
Security researchers characterized the FrostArmada operation as a two-pronged effort. One branch focused on expanding access by compromising more devices and growing a botnet, while a second stream handled the more targeted credential collection and interception work. This bifurcation allowed the group to scale its reach while maintaining a more discreet focal point for token harvesting.
Figure: map of activity and targets
Analysts noted that the campaign appeared to intensify after a UK National Cyber Security Centre report in mid-2025 described related techniques used against Microsoft account credentials. Microsoft itself confirmed APT28’s involvement in AiTM-style attacks against domains connected to the Microsoft 365 ecosystem, including subdomains tied to Outlook on the web, and observed related activity on servers belonging to several government entities in Africa that were not hosted on Microsoft infrastructure.
Defensive researchers also highlighted that the attackers reached on-premises email servers and a spectrum of government organizations across regions including North Africa, Central America, and Southeast Asia. There were indications of at least one European country’s national identity platform being used in the broader operation, suggesting an extended footprint that exploited both consumer-grade and enterprise environments.
Public security agencies in the United Kingdom and elsewhere published assessments indicating that DNS hijacking in this campaign appears to have been opportunistic in nature—intended to build a large pool of potential targets, with the attackers filtering out the subset they considered most valuable for subsequent exploitation. In the wake of the takedown, researchers published a concise set of indicators of compromise (IoCs) tied to the attacker-controlled VPS infrastructure that supported the DNS redirection and in-path credential collection.
The incident underscores a persistent risk posed by exposed routers and edge devices. While the attackers leveraged a “break and inspect” proxy approach to capture data, defenders have emphasized several protections in their public guidance. Despite the ongoing battle between threat actors and defenders, FrostArmada’s takedown marks a significant step in disrupting a campaign that sought to siphon access to widely used collaboration and identity platforms.
The broader takeaway is clear: home and small-office networks—often overlooked in security planning—can become powerful amplifiers for large-scale credential theft. As researchers continue to catalog IoCs and monitor evolving threat tactics, the collaborative efforts between law enforcement, private security teams, and public institutions remain crucial to identifying, tracking, and eventually neutralizing these campaigns before they can deliver lasting damage to millions of users.