Russian military intelligence operatives exploited known router vulnerabilities to harvest Microsoft Office authentication tokens from 18,000+ networks without deploying malware. The campaign targeted older Internet routers with unpatched flaws, allowing attackers to intercept credentials at the network perimeter. This approach bypassed endpoint detection systems entirely. Defenders face a critical gap: the attack involves no suspicious process execution or file writes that would trigger alerts.

Organizations must audit router firmware versions immediately and apply patches for known vulnerabilities. Network segmentation becomes essential to limit token exposure if routers fall under attacker control.

The campaign demonstrates the preference of Russia's GRU for infrastructure-level access that persists across software updates and antivirus deployments. Token harvesting grants attackers legitimate authentication, enabling lateral movement and persistence within compromised organizations without triggering detection signatures.

Administrators should enforce multi-factor authentication for Microsoft Office access and monitor for impossible travel patterns in authentication logs. Token refresh policies deserve urgent review. This attack vector bypasses many standard enterprise defenses, making router security hygiene and network monitoring critical for detecting unauthorized Office access patterns.
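
The impossible-travel check recommended above, sketched as an added example that is not part of the original article. The record layout, the constructed sample sign-ins (documentation IP ranges) and the 900 km/h and 100 km thresholds are assumptions, not a Microsoft log schema.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-ins: (user, UTC time, source IP, geo-IP lat, lon).
# This tuple layout is an assumption for illustration only.
SIGNINS = [
    ("alice@example.com", "2024-05-01T08:00:00", "192.0.2.10", 51.5074, -0.1278),    # London
    ("alice@example.com", "2024-05-01T08:40:00", "198.51.100.7", 55.7558, 37.6173),  # Moscow
    ("bob@example.com", "2024-05-01T09:00:00", "192.0.2.20", 48.8566, 2.3522),       # Paris
    ("bob@example.com", "2024-05-01T13:30:00", "203.0.113.5", 52.5200, 13.4050),     # Berlin
    ("carol@example.com", "2024-05-01T10:00:00", "192.0.2.30", 40.7128, -74.0060),   # New York
    ("carol@example.com", "2024-05-01T10:00:00", "203.0.113.9", 35.6762, 139.6503),  # Tokyo, same second
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=900.0, min_km=100.0):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh.

    min_km suppresses geo-IP jitter between nearby locations.
    """
    by_user = defaultdict(list)
    for user, ts, ip, lat, lon in events:
        by_user[user].append((datetime.fromisoformat(ts), ip, lat, lon))
    alerts = []
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r[0])  # chronological order per user
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(rows, rows[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < min_km:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            # Simultaneous sign-ins from distant places: treat speed as unbounded.
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                alerts.append({"user": user, "from": ip1, "to": ip2, "km": round(km), "kmh": kmh})
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(SIGNINS):
        print(alert)
```

Known VPN and proxy egress addresses produce false positives with this check, so allow-list them before alerting.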