Russia Hacked Routers to Steal Microsoft Office Tokens
State-backed Russian hackers exploited known vulnerabilities in older Internet routers to harvest Microsoft Office authentication tokens from users on over 18,000 networks. This campaign did not involve deploying malware or malicious code, instead relying on router flaws to intercept tokens. The activity enables unauthorized access to Microsoft Office accounts by capturing authentication credentials in transit. The threat is assessed as low severity due to the reliance on older router vulnerabilities and the absence of active malware deployment. No specific patch information or vendor advisories are provided in the available data.
AI Analysis
Technical Summary
Russian military intelligence-linked hackers leveraged known security flaws in outdated Internet routers to mass-harvest Microsoft Office authentication tokens. By exploiting these router vulnerabilities, the attackers intercepted tokens from users across more than 18,000 networks without installing malware. This approach allowed stealthy credential theft facilitating unauthorized access to Microsoft Office services. The attack vector centers on router weaknesses rather than direct compromise of Microsoft infrastructure or endpoint devices.
Potential Impact
The impact involves unauthorized access to Microsoft Office accounts through stolen authentication tokens, potentially leading to data exposure or account misuse. However, the exploitation depends on vulnerable older routers, limiting the scope to networks still using such devices. There is no indication of malware infection or broader system compromise. The campaign affected a significant number of networks but is constrained by the prerequisite of router vulnerabilities.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Organizations should ensure that Internet routers are updated with the latest firmware to remediate known vulnerabilities. Replacing outdated routers and implementing network segmentation can reduce exposure. Additionally, enabling multi-factor authentication on Microsoft Office accounts can mitigate risks from stolen tokens. Since no vendor advisory or official fix details are provided, monitoring for updates from router manufacturers and Microsoft is recommended.
Russia Hacked Routers to Steal Microsoft Office Tokens
Description
State-backed Russian hackers exploited known vulnerabilities in older Internet routers to harvest Microsoft Office authentication tokens from users on over 18,000 networks. This campaign did not involve deploying malware or malicious code, instead relying on router flaws to intercept tokens. The activity enables unauthorized access to Microsoft Office accounts by capturing authentication credentials in transit. The threat is assessed as low severity due to the reliance on older router vulnerabilities and the absence of active malware deployment. No specific patch information or vendor advisories are provided in the available data.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Russian military intelligence-linked hackers leveraged known security flaws in outdated Internet routers to mass-harvest Microsoft Office authentication tokens. By exploiting these router vulnerabilities, the attackers intercepted tokens from users across more than 18,000 networks without installing malware. This approach allowed stealthy credential theft facilitating unauthorized access to Microsoft Office services. The attack vector centers on router weaknesses rather than direct compromise of Microsoft infrastructure or endpoint devices.
Potential Impact
The impact involves unauthorized access to Microsoft Office accounts through stolen authentication tokens, potentially leading to data exposure or account misuse. However, the exploitation depends on vulnerable older routers, limiting the scope to networks still using such devices. There is no indication of malware infection or broader system compromise. The campaign affected a significant number of networks but is constrained by the prerequisite of router vulnerabilities.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Organizations should ensure that Internet routers are updated with the latest firmware to remediate known vulnerabilities. Replacing outdated routers and implementing network segmentation can reduce exposure. Additionally, enabling multi-factor authentication on Microsoft Office accounts can mitigate risks from stolen tokens. Since no vendor advisory or official fix details are provided, monitoring for updates from router manufacturers and Microsoft is recommended.
Technical Details
- Article Source
- {"url":"https://krebsonsecurity.com/2026/04/russia-hacked-routers-to-steal-microsoft-office-tokens/","fetched":true,"fetchedAt":"2026-05-26T19:40:54.330Z","wordCount":2694}
Threat ID: 6a15f7466b9ae66727f4dbd7
Added to database: 5/26/2026, 7:40:54 PM
Last enriched: 5/26/2026, 7:42:21 PM
Last updated: 5/26/2026, 11:04:44 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.