Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Your MFA didn’t matter. Not even a little.
APT28, Russia’s GRU hackers, ran a 14-month campaign that stole Microsoft 365 tokens from over 200 organizations. They didn’t phish anyone. They didn’t drop malware. They just changed the DNS settings on your home router and waited for you to log in normally.
The group compromised 18,000+ SOHO routers (mostly MikroTik and TP-Link) across 120 countries. Modified DHCP DNS settings pointed downstream devices to attacker-controlled servers. When someone authenticated to Microsoft 365, everything looked fine. MFA prompt? Completed. Password? Correct. But the DNS redirect sent the browser through an adversary-in-the-middle server that grabbed the OAuth token after authentication finished.
Token already minted. Token already stolen. Second factor? Completely beside the point.
It ran for 14 months before anyone caught it. Why would they? Nobody checks the DNS config on their home router. The UK’s NCSC called it “opportunistic in nature,” with APT28 casting a wide net and filtering for intelligence targets. Government agencies. Critical infrastructure operators. National identity platforms.
The FBI did something rare here. Court-authorized remote remediation of privately owned devices. They reached into compromised routers, removed the DNS modifications, and forced them back to legitimate resolvers. That’s only happened a handful of times before, and both previous cases were also Russian operations targeting network equipment.
If your org has remote workers (so, everyone), their home routers are part of your attack surface now. Enforce DNSSEC. Push firmware updates. Monitor Entra ID logs for token replay from mismatched geolocations. Because APT28 didn’t need your password or your second factor. They just needed your router to be exactly as neglected as it already was.
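One concrete way to act on the "monitor Entra ID logs" advice above is to correlate each user's interactive (MFA-completed) sign-in with any non-interactive token use that follows it shortly afterward from a different country and address, which is what a stolen token being replayed by the AitM operator would look like. The script below is an added example and is not code from the original post or from any vendor; it assumes records shaped like the Microsoft Graph `signIn` resource (`userPrincipalName`, `createdDateTime`, `ipAddress`, `isInteractive`, `location.countryOrRegion`, `appDisplayName`), and the four sample records are constructed, not real logs. The one-hour window and the "different country AND different IP" rule are tuning choices, not Microsoft defaults.

```python
"""Flag likely token replay in Entra ID sign-in records.

Added example (not from the original post). Assumes records use the field
names of the Microsoft Graph `signIn` resource; sample data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: alice completes a normal interactive sign-in from the
# US, then 20 minutes later a NON-interactive sign-in (token use) for her
# account appears from a different country and IP. bob's later token use is
# from the same place and well outside the window, so it should not alert.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-03-04T09:02:11Z",
     "ipAddress": "198.51.100.23", "isInteractive": True,
     "location": {"countryOrRegion": "US", "city": "Portland"},
     "appDisplayName": "Office 365 Exchange Online"},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-03-04T09:22:40Z",
     "ipAddress": "203.0.113.77", "isInteractive": False,
     "location": {"countryOrRegion": "NL", "city": "Amsterdam"},
     "appDisplayName": "Office 365 Exchange Online"},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-03-04T09:05:00Z",
     "ipAddress": "198.51.100.40", "isInteractive": True,
     "location": {"countryOrRegion": "US", "city": "Boston"},
     "appDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-03-04T13:05:00Z",
     "ipAddress": "198.51.100.40", "isInteractive": False,
     "location": {"countryOrRegion": "US", "city": "Boston"},
     "appDisplayName": "Microsoft Teams"},
]


def parse_time(stamp: str) -> datetime:
    """Parse the UTC 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in sign-in logs."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_geo_mismatched_token_use(signins, window=timedelta(hours=1)):
    """Return one alert per (interactive sign-in, later non-interactive sign-in)
    pair for the same user where the later event falls inside `window` and
    comes from a different country AND a different source IP.

    The interactive event is the user's real login (MFA passed, as in the
    campaign above); a non-interactive event is a token being presented
    without the user typing anything, which is where a replayed token shows up.
    """
    by_user = defaultdict(list)
    for rec in signins:
        by_user[rec["userPrincipalName"]].append(rec)

    alerts = []
    for upn, recs in by_user.items():
        recs.sort(key=lambda r: parse_time(r["createdDateTime"]))
        for i, base in enumerate(recs):
            if not base["isInteractive"]:
                continue
            t0 = parse_time(base["createdDateTime"])
            for later in recs[i + 1:]:
                t1 = parse_time(later["createdDateTime"])
                if t1 - t0 > window:
                    break  # records are sorted, nothing later can be in window
                if later["isInteractive"]:
                    continue  # a fresh user login, not token reuse
                same_country = (later["location"]["countryOrRegion"]
                                == base["location"]["countryOrRegion"])
                if not same_country and later["ipAddress"] != base["ipAddress"]:
                    alerts.append({
                        "userPrincipalName": upn,
                        "app": later["appDisplayName"],
                        "interactive_ip": base["ipAddress"],
                        "interactive_country": base["location"]["countryOrRegion"],
                        "replay_ip": later["ipAddress"],
                        "replay_country": later["location"]["countryOrRegion"],
                        "minutes_after": int((t1 - t0).total_seconds() // 60),
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_geo_mismatched_token_use(SAMPLE_SIGNINS):
        print(alert)
```

Feed it the JSON you export from the sign-in log (the Graph `auditLogs/signIns` endpoint or a SIEM export) and tune the window and the country/IP rule to your population; a VPN that egresses in another country will trip the country check, so pair this with your known egress ranges before paging anyone.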
See the full technical breakdown, FBI disruption details, and mitigation steps