Authorities Disrupt Router DNS Hijacks Used to Steal Microsoft 365 Logins

BleepingComputer, Apr 7, 2026

Why It Matters

The disruption curtails a state‑backed espionage channel that stole millions of Microsoft account tokens, protecting critical government and enterprise data. It also highlights the urgent need for robust router security in the expanding remote‑work landscape.

Key Takeaways

  • FrostArmada compromised 18,000 SOHO routers worldwide
  • Attack redirected DNS to malicious VPS, stealing Microsoft tokens
  • FBI reset routers, neutralizing APT28 infrastructure
  • Microsoft, Lumen, and DOJ coordinated response
  • Experts urge firmware updates and retiring legacy devices

Pulse Analysis

The FrostArmada episode underscores how low‑cost SOHO routers have become high‑value targets for nation‑state actors. By exploiting default credentials and unpatched firmware, APT28 turned ordinary home and small‑office devices into a global botnet capable of man‑in‑the‑middle attacks on Microsoft 365 traffic. This technique bypasses traditional perimeter defenses because the compromise occurs at the DNS layer, silently rerouting authentication requests to attacker‑controlled servers. The scale—18,000 devices in 120 nations—demonstrates the attack surface exposed by the proliferation of unmanaged networking gear in both public and private sectors.

Public‑private collaboration proved decisive in halting the campaign. Microsoft’s threat‑intel teams, Lumen’s Black Lotus Labs, and the FBI combined forensic data, IoC feeds, and legal authority to issue a coordinated DNS reset across affected routers. The operation not only removed the malicious resolvers but also gathered evidence for future prosecutions, illustrating a model for rapid response to transnational cyber threats. Such joint actions are increasingly essential as adversaries leverage supply‑chain vulnerabilities and cloud‑based command‑and‑control infrastructures.

For organizations, the incident is a wake‑up call to harden network edge devices. Best practices now include regular firmware updates, decommissioning end‑of‑life hardware, enforcing strict firewall rules, and monitoring DNS traffic for anomalies. Deploying certificate pinning and mobile device management can further mitigate credential interception. As attackers continue to weaponize DNS hijacking, a proactive, layered security posture will be critical to safeguarding enterprise identities and maintaining trust in cloud services.
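As an added example (not code from the article, BleepingComputer, or any organization it names), the audit below applies the DNS-monitoring advice above to the hijack pattern the analysis describes: it checks whether each router hands out resolvers outside the organization's baseline and whether its answers for the Microsoft 365 login hostnames diverge from what a trusted out-of-band resolver returned. Router names, resolver addresses and A records are constructed documentation-range stand-ins, not real infrastructure.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed baseline: resolvers routers are expected to advertise, and the A
# records a trusted out-of-band resolver returned for the login hostnames.
# All addresses are documentation-range stand-ins, not real Microsoft IPs.
TRUSTED_RESOLVERS = {"10.0.0.53", "1.1.1.1"}
BASELINE_ANSWERS = {
    "login.microsoftonline.com": {"198.51.100.10", "198.51.100.11"},
    "login.microsoft.com": {"198.51.100.20"},
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class RouterSnapshot:
    router: str                      # label of the device being audited
    dhcp_dns: list[str]              # resolvers the router hands out via DHCP
    answers: dict[str, set[str]] = field(default_factory=dict)  # A records seen via the router

def audit(snap: RouterSnapshot, trusted=TRUSTED_RESOLVERS, baseline=BASELINE_ANSWERS) -> list[str]:
    """Return one finding per indicator that the router's DNS path has been redirected."""
    findings = []
    for raw in snap.dhcp_dns:                       # 1. does the router hand out a rogue resolver?
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            findings.append(f"{snap.router}: unparsable resolver {raw!r}")
            continue
        if str(ip) not in trusted:
            findings.append(f"{snap.router}: advertises resolver {ip} outside baseline")
    for host, expected in baseline.items():         # 2. do login-host answers match the baseline?
        got = snap.answers.get(host)
        if not got:
            findings.append(f"{snap.router}: no answer recorded for {host}")
            continue
        rogue = sorted(a for a in got if a not in expected)
        lan = sorted(a for a in got if any(ipaddress.ip_address(a) in n for n in RFC1918))
        if rogue:
            findings.append(f"{snap.router}: {host} resolved to unexpected {rogue}")
        if lan:  # a public login host answering with a LAN address means local interception
            findings.append(f"{snap.router}: {host} resolved to LAN address {lan}")
    return findings

# Constructed snapshots: one clean router, one pointing clients at a VPS-style resolver.
CLEAN = RouterSnapshot("branch-01", ["10.0.0.53"],
                       {"login.microsoftonline.com": {"198.51.100.10"}, "login.microsoft.com": {"198.51.100.20"}})
HIJACKED = RouterSnapshot("home-07", ["203.0.113.7"],
                          {"login.microsoftonline.com": {"203.0.113.7"}, "login.microsoft.com": {"198.51.100.20"}})
```

In practice the snapshots would be filled from a DHCP lease query and a scripted lookup through each router, with the baseline refreshed from a resolver the organization controls.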
