{"id":7744,"date":"2026-04-08T10:50:18","date_gmt":"2026-04-08T10:50:18","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7744"},"modified":"2026-04-08T10:50:18","modified_gmt":"2026-04-08T10:50:18","slug":"forest-blizzard-leverages-router-compromises-to-launch-aitm-attacks-target-outlook-sessions","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7744","title":{"rendered":"Forest Blizzard leverages router compromises to launch AiTM attacks, target Outlook sessions"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Russian threat actor Forest Blizzard has been exploiting unsecured home and small-office internet equipment, such as routers, to redirect traffic through attacker-controlled DNS servers.<\/p>\n<p>The group has leveraged this DNS hijacking activity to support post-compromise adversary-in-the-middle (AiTM) attacks on Transport Layer Security (TLS) connections, targeting Microsoft Outlook on the web domains, according to a Microsoft Threat Intelligence <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/04\/07\/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks\/\" target=\"_blank\" rel=\"noopener\">report<\/a>. 
By compromising upstream edge devices, the attackers are able to exploit less monitored networks and use them as a pathway to access enterprise environments.<\/p>\n<p>More than 200 organizations and over 5,000 consumer devices have already been impacted by Forest Blizzard\u2019s malicious DNS infrastructure, which Microsoft says is primarily used to collect intelligence in support of the <a href=\"https:\/\/www.csoonline.com\/article\/2094456\/russian-state-sponsored-hacker-used-gooseegg-malware-to-steal-windows-credentials.html?utm=hybrid_search\">Russian government\u2019s<\/a> foreign policy objectives. The activity enables interception of cloud-hosted content, with government, IT, telecommunications, and energy sectors among the primary targets.<\/p>\n<p>While the number of organizations specifically targeted for TLS AiTM is only a subset of the networks with vulnerable SOHO devices, the threat actor\u2019s broad access could enable larger-scale AiTM attacks, which might include active traffic interception, Microsoft said in the blog post.<\/p>\n<h2 class=\"wp-block-heading\">Hijacked routers, stolen sessions<\/h2>\n<p>Forest Blizzard, also called <a href=\"https:\/\/www.ncsc.gov.uk\/news\/apt28-exploit-routers-to-enable-dns-hijacking-operations\" target=\"_blank\" rel=\"noopener\">APT28<\/a> by the UK\u2019s National Cyber Security Centre, broke into home and small-office routers and changed their DNS settings so that the devices behind them sent their DNS queries to attacker-controlled servers. For this, the threat actor almost certainly used the dnsmasq utility to perform DNS resolution and provide responses while listening on port 53 for DNS queries, Microsoft Threat Intelligence noted.<\/p>\n<p>Most of the time, the attackers quietly monitored traffic without disrupting connections. But for specific targets, they spoofed DNS responses and actively redirected users to fake infrastructure they controlled. 
These included a subset of domains associated with Microsoft Outlook on the web. Separate <a href=\"https:\/\/www.csoonline.com\/article\/3604557\/how-to-defend-microsoft-networks-from-adversary-in-the-middle-attacks.html\">AiTM<\/a> activity targeting non-Microsoft hosted servers in at least three government organizations in Africa was also identified.<\/p>\n<p>\u201cThe actor-controlled malicious infrastructure would then present an invalid TLS certificate to the victim, spoofing the legitimate Microsoft service. If the compromised user ignored warnings about the invalid TLS certificate, the threat actor could then actively intercept the underlying plaintext traffic \u2014 potentially including emails and other customer content \u2014 within the TLS connection,\u201d claimed the blog post.<\/p>\n<h2 class=\"wp-block-heading\">Invisible path to enterprise systems<\/h2>\n<p>This attack poses a serious risk to enterprises because, instead of beginning at the corporate perimeter, it starts from employee environments that are often less secure. Threat actors target vulnerable home or small office routers, which often have weak default passwords or unpatched software.<\/p>\n<p>The shift to remote work has dramatically expanded the corporate attack surface, allowing attackers to create a pathway into enterprise accounts without directly breaching corporate systems.<\/p>\n<p>\u201cThe real-world impact is profound. Attackers can intercept credentials, reroute traffic to malicious sites, or inject malware, all without ever breaching the corporate firewall. This can lead to data breaches, financial theft, or even ransomware incidents originating from an employee\u2019s living room,\u201d said <a href=\"https:\/\/www.gartner.com\/en\/experts\/apeksha-kaushik\" target=\"_blank\" rel=\"noopener\">Apeksha Kaushik<\/a>, senior principal analyst at Gartner. 
\u201cMoreover, the lack of visibility and control over home networks means these attacks can persist undetected, undermining even the most robust corporate security programs. In essence, every unsecured home network becomes a potential backdoor into the enterprise, amplifying risk and complicating incident response.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Defending beyond corporate networks<\/h2>\n<p>For CISOs, this broadens the focus beyond merely securing corporate networks to also addressing risks in employee home environments and unmanaged devices.<\/p>\n<p>\u201cFirst, stop using passwords. Robust two-step verification systems that do not allow for phishing attacks, especially hardware tokens, could prevent most of these attacks despite credentials being obtained,\u201d said <a href=\"https:\/\/www.primuspartners.in\/team\/devroop-dhar\" target=\"_blank\" rel=\"noopener\">Devroop Dhar<\/a>, CEO and co-founder at Primus Partners.<\/p>\n<p>Dhar added that CISOs should also look at controlling the behaviour of identities: for instance, if an unusual location or device is involved in a login, additional warnings or checks should be triggered.<\/p>\n<p>\u201cEnforce secure DNS solutions by utilizing corporate VPNs with split tunneling disabled or enforcing DNS over HTTPS to ensure all DNS queries bypass the local home router and go directly to trusted corporate servers,\u201d suggested Amit Jaju, global partner at Ankura Consulting. 
\u201cAlso, implement strict conditional access policies that require devices to be enrolled in mobile device management and marked as compliant before granting access to corporate cloud resources.\u201d<\/p>\n<p>Experts also warn that even after taking all precautions and defence measures, educating employees should be the utmost priority, as they must be trained to recognize suspicious behaviour during login procedures.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Russian threat actor Forest Blizzard has been exploiting unsecured home and small-office internet equipment, such as routers, to redirect traffic through attacker-controlled DNS servers. The group has leveraged this DNS hijacking activity to support post-compromise adversary-in-the-middle (AiTM) attacks on Transport Layer Security (TLS) connections, targeting Microsoft Outlook on the web domains, according to a Microsoft [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7745,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7744","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7744"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7744"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7744\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7745"}],"wp:attachment":
[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7744"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7744"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7744"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}