Russian military intelligence units exploited known but unpatched router vulnerabilities to harvest Microsoft Office authentication tokens from more than 18,000 networks. The campaign deployed no malware on endpoints: the attackers used flaws in older internet routers to intercept the tokens in transit, silently. Because nothing ran on the victims' workstations, endpoint security had nothing to inspect, and the stolen tokens gave the attackers persistent access to Office 365 environments across the victims' networks.
A stolen token is a valid credential: the attacker presents it exactly as the legitimate client would, so the access looks like an ordinary session and never trips the failed-login, password-spray or brute-force alerts that most detection is built around. That is what makes lateral movement and data exfiltration possible without raising an alarm. Patching the router closes the interception point but does not invalidate tokens that have already been taken, so defenders must do both: prioritize firmware updates on edge routers (and retire hardware that no longer receives them), and segment the network so that a compromised edge device is not in the path of authentication traffic it has no reason to see. Organizations should implement token revocation policies (revoke active sessions and refresh tokens for any account that may have traversed an affected device), enforce conditional access rules in Office 365 (device compliance, trusted locations, re-authentication on new sessions), and monitor sign-in logs for tokens reused from unexpected IP addresses, devices or locations. The campaign is a reminder that perimeter devices remain prime targets for state-sponsored operations: legacy hardware at the network edge runs no endpoint agent, is rarely logged centrally and is often years behind on firmware, which makes it a persistent blind spot for many defenders.
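The last of those recommendations, watching for a token that is reused from somewhere it should not be, is the one that catches this class of attack after the fact. The following script is an added example, not code from the article or from Microsoft: it runs a simple session-replay check over constructed sign-in records. The field names (userPrincipalName, sessionId, ipAddress, createdDateTime, clientAppUsed) mirror Microsoft Entra sign-in log properties but the schema is assumed here, the corporate egress range is a documentation address block standing in for real addresses, and every record is made up.

```python
"""Detect Office 365 session-token reuse from unexpected networks.

Added example, not from the article or from Microsoft. The sign-in records
below are constructed; the field names mirror Microsoft Entra sign-in log
properties but the schema is assumed and real exports must be mapped onto it.
"""
from __future__ import annotations

import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed organisational egress ranges; TEST-NET-3 stands in for real addresses.
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sign-in records, one JSON object per line. Session S1 is used
# first from the corporate egress and then, 45 minutes later, from an
# unrelated address: the pattern a replayed token produces.
SAMPLE_SIGNINS = """\
{"userPrincipalName": "alice@example.com", "sessionId": "S1", "ipAddress": "203.0.113.10", "createdDateTime": "2025-05-01T08:00:00+00:00", "clientAppUsed": "Browser"}
{"userPrincipalName": "alice@example.com", "sessionId": "S1", "ipAddress": "203.0.113.10", "createdDateTime": "2025-05-01T08:30:00+00:00", "clientAppUsed": "Browser"}
{"userPrincipalName": "alice@example.com", "sessionId": "S1", "ipAddress": "198.51.100.77", "createdDateTime": "2025-05-01T08:45:00+00:00", "clientAppUsed": "Browser"}
{"userPrincipalName": "bob@example.com", "sessionId": "S2", "ipAddress": "203.0.113.22", "createdDateTime": "2025-05-01T09:00:00+00:00", "clientAppUsed": "Mobile Apps and Desktop clients"}
{"userPrincipalName": "bob@example.com", "sessionId": "S2", "ipAddress": "203.0.113.22", "createdDateTime": "2025-05-01T09:20:00+00:00", "clientAppUsed": "Mobile Apps and Desktop clients"}
{"userPrincipalName": "carol@example.com", "sessionId": "S3", "ipAddress": "192.0.2.5", "createdDateTime": "2025-05-01T10:00:00+00:00", "clientAppUsed": "Browser"}
"""


def parse_signins(text: str) -> list[dict]:
    """Parse newline-delimited JSON sign-in records and sort them by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["createdDateTime"])
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def is_known_egress(ip: str) -> bool:
    """True if the address falls inside one of the organisation's egress ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_EGRESS)


def find_session_replay(events: list[dict],
                        window: timedelta = timedelta(hours=24)) -> list[dict]:
    """Flag sessions presented from a new, non-corporate IP within `window`
    of the session's first use from a different address.

    One session seen from two networks is the signal. A session that only
    ever appears from a single address (carol, working from home) is not a
    finding, which keeps ordinary remote work out of the alert queue.
    """
    by_session: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for rec in events:
        by_session[(rec["userPrincipalName"], rec["sessionId"])].append(rec)

    findings = []
    for (user, sid), recs in by_session.items():
        first_ip = recs[0]["ipAddress"]
        for rec in recs[1:]:
            ip = rec["ipAddress"]
            if ip == first_ip or is_known_egress(ip):
                continue
            gap = rec["ts"] - recs[0]["ts"]
            if gap <= window:
                findings.append({
                    "user": user,
                    "sessionId": sid,
                    "original_ip": first_ip,
                    "replay_ip": ip,
                    "seconds_after_first_use": int(gap.total_seconds()),
                })
                break  # one finding per session is enough to trigger revocation
    return findings


if __name__ == "__main__":
    for finding in find_session_replay(parse_signins(SAMPLE_SIGNINS)):
        print(json.dumps(finding))
```

Each finding names an account and session to revoke. In production the same grouping key works against exported sign-in logs, and the known-egress list should be extended with the address ranges of sanctioned VPNs and cloud proxies, otherwise every roaming user becomes a false positive.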
