Russian military intelligence units exploited known vulnerabilities in legacy internet routers to harvest Microsoft Office authentication tokens from over 18,000 networks. The operation required no malware deployment. By positioning themselves on compromised routers, the attackers intercepted legitimate users' tokens in transit and used them to gain unauthorized access to Office environments.
The campaign demonstrates how state-sponsored actors prioritize router compromises as a vector for mass token theft. Legacy router firmware typically lacks security patches for known CVEs, making such devices attractive persistence points. Once positioned, attackers passively capture authentication traffic without triggering endpoint detection systems.
Defenders should prioritize immediate router inventory assessment and firmware updates. Organizations running end-of-life router models face elevated risk. Implement token binding and conditional access policies to limit token validity to specific devices and IP ranges. Monitor for anomalous Office authentication patterns from unexpected network locations. Consider deprecating basic authentication in favor of modern protocols that resist token interception.
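As an added illustration of the monitoring step above (not code from the original report), the following Python checks a simplified sign-in log for two signs of a stolen token: one session token reused from a second IP address within a short window, and sign-ins from outside an assumed corporate egress range. The log format, user names, session ids and addresses are all constructed for the example.

```python
"""Flag replayed Office session tokens and sign-ins from unexpected networks."""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real data): alice's session token is
# seen first from the corporate range, then minutes later from an unrelated IP.
SAMPLE_LOG = [
    {"ts": "2024-01-10T09:00:00", "user": "alice", "session_id": "sess-A1", "ip": "203.0.113.10"},
    {"ts": "2024-01-10T09:04:00", "user": "alice", "session_id": "sess-A1", "ip": "198.51.100.77"},
    {"ts": "2024-01-10T09:30:00", "user": "bob",   "session_id": "sess-B7", "ip": "203.0.113.11"},
    {"ts": "2024-01-11T08:00:00", "user": "bob",   "session_id": "sess-B8", "ip": "203.0.113.11"},
]

# Assumed corporate egress range; any sign-in outside it counts as "unexpected".
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def _in_allowed(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def detect_token_anomalies(records, allowed=ALLOWED_NETWORKS, window=timedelta(minutes=30)):
    """Return alert tuples for (a) a sign-in from outside the allowed ranges and
    (b) one session token used from two different IPs within `window`."""
    alerts = []
    last_seen = {}  # session_id -> (timestamp, ip) of the previous sign-in
    for rec in sorted(records, key=lambda r: r["ts"]):  # ISO timestamps sort lexically
        ts = datetime.fromisoformat(rec["ts"])
        if not _in_allowed(rec["ip"], allowed):
            alerts.append(("unexpected_network", rec["user"], rec["session_id"], rec["ip"]))
        prev = last_seen.get(rec["session_id"])
        if prev and prev[1] != rec["ip"] and ts - prev[0] <= window:
            alerts.append(("token_reuse_new_ip", rec["user"], rec["session_id"],
                           f"{prev[1]}->{rec['ip']}"))
        last_seen[rec["session_id"]] = (ts, rec["ip"])
    return alerts


if __name__ == "__main__":
    for alert in detect_token_anomalies(SAMPLE_LOG):
        print(alert)
```

In a real deployment the same two checks would run over the identity provider's sign-in export, with the allowed ranges taken from the organization's known egress addresses.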
The intrusion vector bypasses traditional malware defenses entirely. Organizations that focused detection solely on endpoint threats missed this compromise completely. Neglected network perimeter hardening and router security are now critical defensive gaps.
