
Russia's GRU Hijacked 18,000 Home Routers to Harvest Microsoft 365 Login Tokens

Russia's military intelligence service operated an 18,000-router network to silently intercept Microsoft 365 authentication tokens from businesses and government agencies across 120 countries. US authorities dismantled US-based infrastructure on April 7 2026, but the campaign continues globally. Organisations with remote workers using home or small-office internet connections should assume Microsoft 365 accounts may have been silently monitored and take immediate steps to invalidate authentication tokens and harden access controls.

Tags: #DORA #NIS2 #GDPR

What Happened

Russia’s GRU (military intelligence, Unit 26165 — known publicly as APT28 or Fancy Bear) ran a covert programme using compromised home and small-office internet routers as interception points. When a user connected to Microsoft 365 through one of these compromised routers, the router quietly intercepted the digital login token issued after the user completed their sign-in — including after multi-factor authentication.

Those intercepted tokens gave GRU operatives ongoing access to the victim’s Microsoft 365 email, Teams conversations, SharePoint files, and other connected services without ever needing the user’s password. The network reached 18,000 compromised routers in 120 countries at its peak in late 2025.

The US Department of Justice executed Operation Masquerade on April 7 2026, removing GRU software from US routers. The campaign continues operating outside US borders.

Business Impact

The interception happened at the network layer — between the employee’s device and Microsoft’s infrastructure. This means it produced no alerts on the employee’s laptop, no anomalous sign-in warnings in Microsoft 365, and no flags in most corporate security monitoring systems. Affected organisations may have had email, sensitive documents, and business communications silently exfiltrated for months without any indication in their security logs.

Targeted organisations included government agencies, financial institutions, technology companies, and critical infrastructure operators. The attack was designed specifically for intelligence collection from high-value targets — not opportunistic criminal activity.

The use of an employee’s home router as the interception point means any Microsoft 365 access from home or a small branch office over the past 12–18 months is potentially affected.

Regulatory Implications

Organisations subject to NIS2 or DORA that have reason to believe their systems were compromised may have incident reporting obligations — NIS2 requires early warning to national authorities within 24 hours of awareness of a significant incident, with full notification within 72 hours. GDPR Article 33 applies if personal data was exfiltrated. Organisations in regulated sectors should consult legal counsel before concluding that no notification obligation arises.

Board-Ready Summary

  • Russia’s military intelligence used compromised home routers to silently steal valid Microsoft 365 authentication tokens from organisations across 120 countries, giving access that bypassed multi-factor authentication protection without needing users’ passwords.
  • Affected organisations may have had email, Teams messages, and internal documents accessed without detection for months; the attack produced no standard security alerts.
  • The recommended immediate action is to force all Microsoft 365 users to re-authenticate, invalidating any tokens that may have been intercepted, and to require that remote Microsoft 365 access uses corporate VPN or managed-device Conditional Access policies.

Recommended Actions

  1. Immediate (0–24 hours): Force a global Microsoft 365 session revocation using Entra ID — in the Microsoft 365 Admin Centre, use “Revoke All User Sessions” or run Revoke-AzureADUserAllRefreshToken across the tenant. This invalidates all existing tokens and forces re-authentication.

  2. This week: Implement or tighten Conditional Access policies to require that Microsoft 365 sign-ins come from either a corporate-managed device or a verified corporate network/VPN. Disable legacy authentication protocols (SMTP AUTH, IMAP, POP3) that do not support modern token-based authentication.

  3. This week: Audit the Microsoft 365 Unified Audit Log for the past six months for anomalous access patterns — particularly mail access from unexpected locations, unusual application consents, and access at unusual hours consistent with a foreign time zone.

  4. This month: Require employees to access Microsoft 365 from home through a corporate VPN or zero-trust network access (ZTNA) solution, ensuring DNS resolution happens through a controlled resolver rather than a potentially compromised home router.

  5. Ongoing: Implement hardware-backed token binding for Microsoft 365 where available; review the inventory of unmanaged endpoints with Microsoft 365 access and determine whether each requires managed-device enrolment.
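The following PowerShell is an added worked example for steps 1 and 2 above; it is not part of the briefing and not Microsoft's own guidance text. It performs the tenant-wide session revocation with the Microsoft Graph PowerShell SDK (Revoke-MgUserSignInSession is the Graph-era equivalent of the older AzureAD module's Revoke-AzureADUserAllRefreshToken), then creates the two Conditional Access policies in report-only mode and turns off basic-authentication mail protocols in Exchange Online. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the operator holds the roles those calls require, and that a break-glass account group exists; the policy names and the `<break-glass-group-object-id>` placeholder are constructed and must be replaced.

```powershell
# Added example (not from the briefing): session revocation and remote-access
# hardening for Microsoft 365. Assumes Microsoft.Graph and
# ExchangeOnlineManagement are installed and the operator has the needed roles.

# --- Step 1: revoke every user's sign-in sessions (refresh tokens) ----------
Connect-MgGraph -Scopes "User.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess" -NoWelcome

$users   = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled
$revoked = 0
$failed  = @()
foreach ($u in $users) {
    try {
        # Sets signInSessionsValidFromDateTime to now: any refresh token issued
        # before this moment is rejected the next time it is presented.
        Revoke-MgUserSignInSession -UserId $u.Id | Out-Null
        $revoked++
    } catch {
        $failed += $u.UserPrincipalName
    }
}
Write-Host "Revoked sessions for $revoked of $($users.Count) users; failures: $($failed.Count)"
$failed | ForEach-Object { Write-Warning "Revocation failed for $_" }

# --- Step 2a: require a managed device or trusted network for Microsoft 365 --
# Created in report-only mode so the sign-in log shows who would be blocked
# before the policy is switched to "enabled".
$breakGlassGroup = "<break-glass-group-object-id>"   # placeholder, replace
$requireManaged = @{
    displayName = "CA-M365-Require-Managed-Device-Or-Corp-Network"   # constructed name
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroup) }
        applications   = @{ includeApplications = @("Office365") }
        # "AllTrusted" = named locations marked as trusted (corporate egress / VPN)
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireManaged | Out-Null

# --- Step 2b: block legacy authentication clients tenant-wide ---------------
$blockLegacy = @{
    displayName = "CA-Block-Legacy-Authentication"   # constructed name
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # "other" covers basic-auth clients (IMAP, POP, SMTP AUTH, older Office)
        clientAppTypes = @("exchangeActiveSync", "other")
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroup) }
        applications   = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy | Out-Null

# --- Step 2c: turn off basic-auth mail protocols in Exchange Online ----------
Connect-ExchangeOnline -ShowBanner:$false
Set-TransportConfig -SmtpClientAuthenticationDisabled $true          # tenant default
Get-CASMailbox -ResultSize Unlimited |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false -SmtpClientAuthenticationDisabled $true
```

Run step 1 out of hours where possible: every user, including the administrators running the script, is signed out of every client. Leave the two policies in report-only mode for at least a few days and review the sign-in log for users and service scenarios that would have been blocked (printers and line-of-business mailers that still use SMTP AUTH are the usual surprises) before changing `state` to `enabled`.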
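For step 3, the following is an added example of one way to review the Unified Audit Log; it is not from the briefing. It pulls six months of mailbox-access, sign-in and application-consent records with Search-UnifiedAuditLog, normalises the source address out of the JSON AuditData field, and summarises per user, source IP and UTC hour so that access from many different networks or at consistently odd hours stands out. It assumes ExchangeOnlineManagement is installed, that the operator holds an audit-reading role, and that the tenant's licensing records MailItemsAccessed events; the 22:00–05:00 UTC window and the "more than five source addresses" threshold are constructed heuristics to be tuned to the organisation's working hours.

```powershell
# Added example (not from the briefing): summarise six months of Unified Audit
# Log activity by user, source IP and hour. Assumes ExchangeOnlineManagement
# is installed and the operator has an audit-reading role.
Connect-ExchangeOnline -ShowBanner:$false

$end   = Get-Date
$start = $end.AddMonths(-6)
# Operation names as they appear in the Unified Audit Log.
$ops   = @("MailItemsAccessed", "UserLoggedIn", "Consent to application.")

# Page through the result set; ReturnLargeSet with a fixed SessionId returns
# successive pages until an empty page is reached.
$session = "hunt-" + [guid]::NewGuid().ToString()
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
        -ResultSize 5000 -SessionId $session -SessionCommand ReturnLargeSet
    if ($page) { $records += $page }
} while ($page -and $page.Count -eq 5000)

# AuditData is a JSON document; the source-address field name differs between
# workloads (ClientIPAddress for Exchange, ClientIP / ActorIpAddress elsewhere).
$events = foreach ($r in $records) {
    $d  = $r.AuditData | ConvertFrom-Json
    $ip = $d.ClientIPAddress
    if (-not $ip) { $ip = $d.ClientIP }
    if (-not $ip) { $ip = $d.ActorIpAddress }
    # Strip a trailing :port from "203.0.113.5:51234" and "[2001:db8::1]:443".
    $ip = [string]$ip -replace '^(\d{1,3}(\.\d{1,3}){3}):\d+$', '$1'
    $ip = $ip -replace '^\[([^\]]+)\](:\d+)?$', '$1'
    [pscustomobject]@{
        User      = $r.UserIds
        Operation = $r.Operations
        SourceIP  = $ip
        HourUtc   = ([datetime]$d.CreationTime).Hour   # CreationTime is already UTC
    }
}

# 1. Users seen from more than five distinct source addresses (constructed threshold).
$multiIp = $events | Group-Object User |
    Where-Object { ($_.Group.SourceIP | Sort-Object -Unique).Count -gt 5 } |
    Select-Object Name, Count

# 2. Mailbox reads between 22:00 and 05:00 UTC (constructed window; adjust to
#    the organisation's working hours and time zone).
$offHours = $events |
    Where-Object { $_.Operation -eq "MailItemsAccessed" -and ($_.HourUtc -ge 22 -or $_.HourUtc -lt 5) } |
    Group-Object User, SourceIP | Sort-Object Count -Descending |
    Select-Object -First 25 Name, Count

# 3. Every application consent in the window, listed for manual review.
$consents = $events | Where-Object { $_.Operation -eq "Consent to application." } |
    Group-Object User | Select-Object Name, Count

$multiIp  | Format-Table -AutoSize
$offHours | Format-Table -AutoSize
$consents | Format-Table -AutoSize
$events | Export-Csv -NoTypeInformation -Path ".\m365-audit-$(Get-Date -Format yyyyMMdd).csv"
```

The exported CSV is the artefact to keep: if the review finds access that cannot be attributed to the user, it is the evidence base for the incident-reporting decision described under Regulatory Implications, and source addresses that recur across several users are the first thing to check against the organisation's known egress ranges.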