Apr 07, 2026 • Microsoft Threat Intelligence
SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks
Executive Summary
Microsoft Threat Intelligence reports that Forest Blizzard, a Russian military-linked threat actor, is exploiting insecure SOHO routers to conduct DNS hijacking and adversary-in-the-middle (AiTM) attacks. Since August 2025, the group, including sub-group Storm-2754, has compromised over 5,000 consumer devices and 200 organizations across government, IT, telecommunications, and energy sectors. By modifying router settings to use actor-controlled DNS resolvers, the actor intercepts TLS connections, specifically targeting Microsoft Outlook on the web. This enables passive reconnaissance and active traffic interception. While no Microsoft assets were compromised, the campaign highlights risks to remote work infrastructure. Mitigation involves securing edge devices, monitoring DNS configurations, and utilizing Microsoft Defender hunting guidance. Organizations must account for unmanaged SOHO devices used by hybrid employees to prevent exposure of cloud access and sensitive data despite secure enterprise environments.
Summary
Executive summary Forest Blizzard, a threat actor linked to the Russian military, has been compromising insecure home and small-office internet equipment like routers, then modifying their settings in ways that turn them into part of the actor’s malicious infrastructure. The post SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks appeared first on Microsoft Security Blog .
Published Analysis
Executive summary
Forest Blizzard, a threat actor linked to the Russian military, has been compromising insecure home and small-office internet equipment like routers, then modifying their settings in ways that turn them into part of the actor’s malicious infrastructure.
The threat actor then hides behind this legitimate but compromised infrastructure to spy on additional targets or conduct follow-on attacks. Microsoft Threat Intelligence is sharing information on this campaign to increase awareness of the risks associated with insecure home and small-office internet routing devices and give users and organizations tools to mitigate, detect, and hunt for these threats where they might be impacted.

Since at least August 2025, the Russian military intelligence actor Forest Blizzard, and its sub-group tracked as Storm-2754, has conducted a large-scale exploitation of vulnerable small office/home office (SOHO) devices to hijack Domain Name System (DNS) requests and facilitate the collection of network traffic. For nation-state actors like Forest Blizzard, DNS hijacking enables persistent, passive visibility and reconnaissance at scale. By compromising edge devices that are upstream of larger targets, threat actors can take advantage of less closely monitored or managed assets to pivot into enterprise environments.

Microsoft Threat Intelligence has identified over 200 organizations and 5,000 consumer devices impacted by Forest Blizzard’s malicious DNS infrastructure; telemetry did not indicate compromise of Microsoft-owned assets or services. Forest Blizzard, which primarily collects intelligence in support of Russian government foreign policy initiatives, has also leveraged its DNS hijacking activity to support post-compromise adversary-in-the-middle (AiTM) attacks on Transport Layer Security (TLS) connections against Microsoft Outlook on the web domains. This activity enables the interception of cloud-hosted content, impacting numerous sectors including government, information technology (IT), telecommunications, and energy—all usual targets for this actor.

While the number of organizations specifically targeted for TLS AiTM is only a subset of the networks with vulnerable SOHO devices, Microsoft Threat Intelligence assesses that the threat actor’s broad access could enable larger-scale AiTM attacks, which might include active traffic interception. Targeting SOHO devices is not a new tactic, technique, or procedure (TTP) for Russian military intelligence actors, but this is the first time Microsoft has observed Forest Blizzard using DNS hijacking at scale to support AiTM of TLS connections after exploiting edge devices.

In this blog, we share our analysis of the TTPs used by Forest Blizzard in this campaign to illustrate how threat actors leverage this attack surface. We’re also outlining mitigation and protection recommendations to reduce exposure from compromised SOHO devices, as well as Microsoft Defender detection and hunting guidance to help defenders identify and investigate related malicious activity.

It’s important for organizations to account for unmanaged SOHO devices—particularly those used by remote and hybrid employees—since compromised home and small-office network infrastructure can expose cloud access and sensitive data even when enterprise environments and cloud services themselves remain secure....
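As an added illustration (not code from Microsoft's report or its hunting guidance), the following Python checks the two signals the analysis above points to from offline inputs: a router advertising DNS resolvers outside an expected allowlist, and answers for Outlook on the web names that diverge from what a trusted resolver returns. The allowlist ranges, the high-value name list and the sample answers are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
# Constructed allowlist of resolvers remote users are expected to receive from
# their router: a placeholder "ISP" range (TEST-NET-1) plus two public resolvers.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("1.1.1.1/32"),
    ipaddress.ip_network("8.8.8.8/32"),
]
# Names treated as high value because the report says Outlook on the web
# domains were the AiTM target (assumed list, not taken from the report).
HIGH_VALUE_NAMES = {"outlook.office.com", "outlook.live.com"}

@dataclass
class Finding:
    severity: str
    message: str

def check_resolvers(dhcp_resolvers):
    """Flag any resolver the router advertises that is outside the allowlist."""
    findings = []
    for r in dhcp_resolvers:
        if not any(ipaddress.ip_address(r) in net for net in EXPECTED_RESOLVERS):
            findings.append(Finding("high", f"router advertises unexpected resolver {r}"))
    return findings

def check_answers(router_answers, trusted_answers):
    """Compare A-record answers from the router's resolver with a trusted one.
    A high-value name mapping to an address the trusted resolver never returns
    is a strong hijack indicator; other names get 'info' since CDNs vary."""
    findings = []
    for name, via_router in router_answers.items():
        rogue = set(via_router) - set(trusted_answers.get(name, ()))
        if rogue:
            sev = "high" if name in HIGH_VALUE_NAMES else "info"
            findings.append(Finding(sev, f"{name} -> {sorted(rogue)} via router only"))
    return findings

def assess(dhcp_resolvers, router_answers, trusted_answers):
    return check_resolvers(dhcp_resolvers) + check_answers(router_answers, trusted_answers)
# Constructed sample: one rogue resolver pushed by DHCP, and outlook.office.com
# resolving to a different (TEST-NET-3) address than the trusted resolver gives.
SAMPLE_DHCP = ["192.0.2.53", "198.51.100.7"]
SAMPLE_ROUTER = {"outlook.office.com": ["203.0.113.10"], "example.com": ["203.0.113.99"]}
SAMPLE_TRUSTED = {"outlook.office.com": ["203.0.113.20"], "example.com": ["203.0.113.99"]}

if __name__ == "__main__":
    for f in assess(SAMPLE_DHCP, SAMPLE_ROUTER, SAMPLE_TRUSTED):
        print(f.severity.upper(), f.message)
```

In practice the two inputs come from the router's DHCP options and from resolving the same names through a resolver reached over an independent path, so that an AiTM device cannot answer both queries.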
Linked Entities
- Forest Blizzard
- Storm-2754