admin  

Home routers vs. cloud defenses: How APT28 pairs mass DNS hijacks with stealth Microsoft 365 token theft

APT28 (Fancy Bear, GRU Unit 26165) has shifted from classic phishing and malware to a hybrid approach that begins on compromised home and SOHO routers and ends inside Microsoft 365 environments, using DNS hijacking and a cloud-native malware toolkit called “AUTHENTIC ANTICS” to steal OAuth tokens and mailbox data. That contrast, network infrastructure compromise at the edge versus credential and token theft in the cloud, explains why conventional enterprise protections are being bypassed.

How APT28 changes the attack surface at scale

Since at least August 2025, the group has exploited CVE-2023-50224 to extract credentials from consumer routers (the TP‑Link TL‑WR841N is the named model, with more than 20 other models affected) and rewrite DHCP/DNS settings so that victims’ DNS queries resolve through attacker-controlled servers. The campaign casts a wide net for initial hijacks, then escalates to interactive operations against high-value sectors such as government, telecoms, energy and IT; the targeting of MikroTik devices in Ukraine reflects the geographic prioritization seen in public reporting and in UK sanctions against GRU officers.

The technical chain: DNS hijack → AitM or passive logging → cloud token exfiltration

CVE-2023-50224 is an authentication bypass in the router’s web management interface: an unauthenticated HTTP request discloses the admin credentials. Once APT28 controls DNS, two distinct espionage modes are possible. Passive logging records the victim’s DNS queries to profile activity; active adversary-in-the-middle (AitM) resolves webmail hostnames to an attacker server that impersonates Outlook on the web, in some cases presenting an invalid TLS certificate and capturing passwords from users who proceed despite the browser warning. Microsoft has warned that a hijacked home router can intercept Microsoft 365 sessions even on enterprise-managed devices.

Stage: Router compromise
  Mechanism: exploit CVE‑2023‑50224; change the router’s DNS/DHCP settings
  Detection signals: unexpected DNS server IPs on endpoints; remote management enabled on the router
  Immediate mitigation: update firmware; disable remote management; reset to a known-good configuration

Stage: Network-level espionage
  Mechanism: passive DNS logging, or AitM impersonation of webmail
  Detection signals: TLS errors, unusual certificates, spikes in DNS queries
  Immediate mitigation: block the malicious DNS servers; alert users; force MFA re-authentication

Stage: Cloud-native token theft
  Mechanism: AUTHENTIC ANTICS uses DLL sideloading and process hollowing in Outlook; exfiltration via “ghost emails” sent through the Microsoft API
  Detection signals: unusual API mail sends; sends with no Sent Items entry; anomalous OAuth grants
  Immediate mitigation: enforce phishing‑resistant MFA; monitor OAuth consent and token usage
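The first stage’s detection signal (unexpected DNS server IPs, ideally the same unknown resolver turning up on several employees’ home networks) can be checked from ordinary endpoint network-configuration telemetry. The script below is an added example, not code from the original article or from any vendor tool: it classifies each endpoint’s configured resolvers against an allowlist and RFC 1918 ranges, emits one finding per unapproved external resolver, and then groups findings by resolver so a shared unknown resolver stands out. The allowlist addresses, the record layout and the sample telemetry (with a TEST-NET-3 address standing in for an attacker resolver) are all constructed assumptions.

```python
"""Detection check for the 'Router compromise' stage: flag endpoints whose
DHCP-assigned DNS resolvers are neither corporate nor explicitly approved, and
surface resolvers shared by several endpoints (a mass-hijack pattern).

The telemetry records are constructed for this example; real input would come
from an EDR/MDM export of each endpoint's network configuration.
"""
import ipaddress
from collections import defaultdict

# Assumed allowlist: the corporate resolver plus public resolvers the
# organisation permits. Example values, not taken from the article.
APPROVED_RESOLVERS = {
    ipaddress.ip_address("10.0.0.53"),   # corporate DNS (assumed)
    ipaddress.ip_address("1.1.1.1"),
    ipaddress.ip_address("8.8.8.8"),
}

# RFC 1918, loopback and link-local ranges: a resolver here is the home router
# itself (or something on the LAN) forwarding upstream, which is normal for a
# SOHO setup. Spelled out explicitly rather than via ipaddress.is_private, which
# also treats documentation ranges such as 203.0.113.0/24 as 'private'.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def classify_resolver(resolver: str) -> str:
    """Return 'approved', 'local' or 'unapproved_external' for one DNS server IP."""
    ip = ipaddress.ip_address(resolver)
    if ip in APPROVED_RESOLVERS:
        return "approved"
    if any(ip in net for net in LOCAL_NETS):
        return "local"
    return "unapproved_external"


def find_dns_hijack_candidates(records):
    """Return one finding per (host, resolver) that is neither approved nor local.

    Each record: {"host", "user", "dns": [resolver, ...], "remote_mgmt": bool}.
    Remote management on the router is carried along as an aggravating factor
    because it exposes the admin HTTP interface to the WAN.
    """
    findings = []
    for rec in records:
        for resolver in rec["dns"]:
            if classify_resolver(resolver) == "unapproved_external":
                findings.append({
                    "host": rec["host"],
                    "user": rec["user"],
                    "resolver": resolver,
                    "remote_mgmt_enabled": rec.get("remote_mgmt", False),
                })
    return findings


def shared_unapproved_resolvers(findings, min_hosts=2):
    """Group findings by resolver; return resolvers seen on >= min_hosts endpoints.

    The same unknown resolver appearing across unrelated home networks is the
    strongest single signal of a coordinated router hijack rather than one
    user's odd configuration.
    """
    hosts_by_resolver = defaultdict(set)
    for f in findings:
        hosts_by_resolver[f["resolver"]].add(f["host"])
    return {r: sorted(h) for r, h in hosts_by_resolver.items() if len(h) >= min_hosts}


# Constructed sample telemetry (203.0.113.7 is a TEST-NET-3 address used as a
# stand-in for an attacker-controlled resolver).
SAMPLE_TELEMETRY = [
    {"host": "LAPTOP-01", "user": "alice", "dns": ["192.168.0.1"], "remote_mgmt": False},
    {"host": "LAPTOP-02", "user": "bob", "dns": ["203.0.113.7", "1.1.1.1"], "remote_mgmt": True},
    {"host": "LAPTOP-03", "user": "carol", "dns": ["203.0.113.7"], "remote_mgmt": True},
    {"host": "LAPTOP-04", "user": "dave", "dns": ["10.0.0.53"], "remote_mgmt": False},
]

if __name__ == "__main__":
    found = find_dns_hijack_candidates(SAMPLE_TELEMETRY)
    for f in found:
        flag = " [router remote mgmt ON]" if f["remote_mgmt_enabled"] else ""
        print(f"{f['host']} ({f['user']}): unapproved resolver {f['resolver']}{flag}")
    for resolver, hosts in shared_unapproved_resolvers(found).items():
        print(f"resolver {resolver} shared by {len(hosts)} endpoints: {', '.join(hosts)}")
```

A LAN-side resolver (the router’s own address) is deliberately treated as benign here: a hijacked router that still hands out its own IP as the resolver and forwards upstream to the attacker is invisible to this check, so pair it with the TLS-error and DNS-volume signals from the second stage rather than relying on it alone.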

Why many cloud controls stop short—and who is exposed

Conditional Access, device compliance checks, and endpoint protections assume an enterprise network boundary, a compliant device, or that MFA stops credential theft; those assumptions fail when DNS is hijacked on a remote worker’s router and OAuth tokens are captured from inside a legitimate browser or Outlook process on a fully compliant device. Microsoft Defender for Endpoint and Entra ID Protection can surface anomalous sign-ins, but that detection depends on telemetry that is usually decoupled from home/SOHO router events unless teams explicitly monitor endpoint DNS configuration and unusual API activity.

High-value targets receive prioritized AitM follow-ups after the mass-hijack phase, and that prioritization has been observable in real incidents against government and telecom sectors. The UK NCSC and Microsoft recommend firmware updates and disabling remote management for a reason: these are practical, near-term controls that remove the initial foothold attackers need before they can reach cloud tokens.

Operational checkpoints security teams should adopt now

Treat home and SOHO routers as first-class elements of your hybrid-security posture. At a minimum: inventory the router models in use across your workforce, require firmware updates for vulnerable models (including TP‑Link WR841N variants), have users disable remote management, and roll out phishing-resistant MFA (passkeys/Windows Hello/FIDO2). Enforce Conditional Access with continuous access evaluation in Microsoft Entra, and set mail retention and audit-log windows above 90 days so that ghost-email exfiltration traces are still available when an investigation starts.

Detection knobs to add: DNS server change alerts from endpoint telemetry, EDR rules for unusual DLL loads into Outlook, monitoring for Microsoft Graph/API sends that have no corresponding Sent Items entry, and OAuth grant anomaly detection. The real test for defenders is operational: can your SOC correlate a router DNS change with an anomalous OAuth grant or API mail send within minutes rather than weeks?
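That correlation question is answerable in a few dozen lines once the three signals are normalised. The script below is an added example, not code from the original article or from Microsoft: it joins per-user DNS-change alerts, audit-log sends that have no Sent Items counterpart (the “ghost email” pattern), and OAuth consent grants to non-allowlisted apps with mail or persistent scopes, and ranks each user by whether a cloud signal followed a DNS change inside a time window. The field names, the allowlisted application ID, the six-hour window and all event records are constructed assumptions rather than a documented schema.

```python
"""Correlation for the checkpoint above: join endpoint DNS-change alerts, mail
sends with no Sent Items counterpart ('ghost emails') and OAuth consent grants
per user inside a time window, then rank each user.

Every event below is constructed for this example. Field names approximate what
a SIEM might normalise from endpoint telemetry and the Microsoft 365 unified
audit log; they are assumptions, not a documented schema.
"""
from datetime import datetime, timedelta

# Hypothetical allowlist of application IDs the tenant expects to hold mail scopes.
KNOWN_APP_IDS = {"00000000-0000-0000-0000-000000000001"}
# Scopes whose grant to an unknown app lets it send mail or keep a refresh token.
RISKY_SCOPES = {"Mail.Send", "Mail.ReadWrite", "offline_access"}


def ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def ghost_sends(send_events, sent_items):
    """Audit-log Send operations whose message never landed in the user's Sent folder."""
    return [e for e in send_events if (e["user"], e["message_id"]) not in sent_items]


def anomalous_grants(grant_events):
    """Consent grants to non-allowlisted apps that include at least one risky scope."""
    return [g for g in grant_events
            if g["app_id"] not in KNOWN_APP_IDS and RISKY_SCOPES & set(g["scopes"])]


def correlate(dns_alerts, send_events, sent_items, grant_events,
              window=timedelta(hours=6)):
    """Per user: count DNS alerts, ghost sends and anomalous grants, and mark the
    cloud events that fall inside `window` after any DNS alert for that user.

    high   = DNS change followed by a cloud signal inside the window
    medium = cloud signal with no matching DNS change (router not in telemetry?)
    low    = DNS change alone (hijack candidate, no cloud follow-up seen yet)
    """
    ghosts = ghost_sends(send_events, sent_items)
    grants = anomalous_grants(grant_events)
    results = []
    for user in sorted({e["user"] for e in dns_alerts + ghosts + grants}):
        u_dns = [a for a in dns_alerts if a["user"] == user]
        u_cloud = [e for e in ghosts + grants if e["user"] == user]
        linked = [e for e in u_cloud
                  if any(ts(a["ts"]) <= ts(e["ts"]) <= ts(a["ts"]) + window
                         for a in u_dns)]
        if linked:
            severity = "high"
        elif u_cloud:
            severity = "medium"
        else:
            severity = "low"
        results.append({
            "user": user,
            "severity": severity,
            "dns_alerts": len(u_dns),
            "ghost_sends": sum(1 for e in u_cloud if "message_id" in e),
            "anomalous_grants": sum(1 for e in u_cloud if "app_id" in e),
            "linked_cloud_events": len(linked),
        })
    return results


# Constructed sample events. 203.0.113.7 is a TEST-NET-3 address standing in for
# an attacker resolver; the app IDs are hypothetical.
DNS_ALERTS = [
    {"ts": "2025-09-01T09:00:00", "user": "alice", "host": "LAPTOP-02", "resolver": "203.0.113.7"},
    {"ts": "2025-09-01T09:05:00", "user": "carol", "host": "LAPTOP-03", "resolver": "203.0.113.7"},
]
SEND_EVENTS = [  # audit-log Send operations; client_app hints at API vs Outlook UI
    {"ts": "2025-09-01T09:35:00", "user": "alice", "message_id": "m-101", "client_app": "GraphAPI"},
    {"ts": "2025-09-01T10:10:00", "user": "alice", "message_id": "m-102", "client_app": "Outlook"},
    {"ts": "2025-09-01T11:00:00", "user": "bob", "message_id": "m-201", "client_app": "GraphAPI"},
]
SENT_ITEMS = {("alice", "m-102")}  # only m-102 is present in a Sent Items folder
GRANT_EVENTS = [
    {"ts": "2025-09-01T09:20:00", "user": "alice",
     "app_id": "11111111-1111-1111-1111-111111111111", "scopes": ["Mail.Send", "offline_access"]},
    {"ts": "2025-09-01T12:00:00", "user": "dave",
     "app_id": "00000000-0000-0000-0000-000000000001", "scopes": ["Mail.Send"]},
]

if __name__ == "__main__":
    for r in correlate(DNS_ALERTS, SEND_EVENTS, SENT_ITEMS, GRANT_EVENTS):
        print(f"{r['user']:6} {r['severity']:6} dns={r['dns_alerts']} ghost={r['ghost_sends']} "
              f"grants={r['anomalous_grants']} linked={r['linked_cloud_events']}")
```

In the sample, alice has a DNS change at 09:00 followed by an unknown-app consent at 09:20 and an API send at 09:35 that never reached Sent Items, so she ranks high; bob has a ghost send with no router telemetry at all and ranks medium; carol’s DNS change alone ranks low; dave’s grant is to an allowlisted app and produces nothing. The “medium” bucket is the one to watch for coverage gaps: if it fills up, endpoint DNS telemetry is missing for part of the workforce.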


Short Q&A

Q: How quickly should organizations act? A: Immediately on public firmware fixes; treat CVE‑2023‑50224 patching as urgent for affected models and push user guidance the same day a fix is available.

Q: Can Conditional Access alone stop this? A: No—Conditional Access helps but does not prevent token theft performed after a session is captured; combine CA with phishing‑resistant MFA and token-use anomaly detection.

Q: What single indicator will most likely reveal compromise? A: No single one; correlated indicators, such as an unexpected DNS server configured on multiple endpoints tied to anomalous OAuth or API activity or ghost email sends, should be treated as high-priority incident signals.