Apr 07, 2026 • Microsoft Threat Intelligence
SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks
Executive Summary
Russian military intelligence actor Forest Blizzard (linked to GRU) has been conducting large-scale compromise of SOHO routers since August 2025, turning vulnerable home and office devices into malicious DNS infrastructure. The actor modified router settings to redirect DNS requests to actor-controlled servers, enabling passive reconnaissance and traffic collection. Microsoft identified over 200 organizations and 5,000 consumer devices impacted. Forest Blizzard leveraged this access to conduct adversary-in-the-middle attacks on TLS connections targeting Microsoft Outlook on the web, intercepting cloud-hosted content across government, IT, telecommunications, and energy sectors. While no Microsoft services were compromised, the broad access could enable larger-scale traffic interception. Organizations should audit unmanaged SOHO devices, especially those used by remote workers, as compromised home infrastructure can expose cloud access and sensitive data even when enterprise environments remain secure.
Summary
Forest Blizzard, a threat actor linked to the Russian military, has been compromising insecure home and small-office internet equipment like routers, then modifying their settings in ways that turn them into part of the actor’s malicious infrastructure. The post "SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks" appeared first on the Microsoft Security Blog.
Published Analysis
Executive summary
Forest Blizzard, a threat actor linked to the Russian military, has been compromising insecure home and small-office internet equipment like routers, then modifying their settings in ways that turn them into part of the actor’s malicious infrastructure.
The threat actor then hides behind this legitimate but compromised infrastructure to spy on additional targets or conduct follow-on attacks. Microsoft Threat Intelligence is sharing information on this campaign to increase awareness of the risks associated with insecure home and small-office internet routing devices and give users and organizations tools to mitigate, detect, and hunt for these threats where they might be impacted.

Since at least August 2025, the Russian military intelligence actor Forest Blizzard, and its sub-group tracked as Storm-2754, has conducted a large-scale exploitation of vulnerable small office/home office (SOHO) devices to hijack Domain Name System (DNS) requests and facilitate the collection of network traffic. For nation-state actors like Forest Blizzard, DNS hijacking enables persistent, passive visibility and reconnaissance at scale. By compromising edge devices that are upstream of larger targets, threat actors can take advantage of less closely monitored or managed assets to pivot into enterprise environments.

Microsoft Threat Intelligence has identified over 200 organizations and 5,000 consumer devices impacted by Forest Blizzard’s malicious DNS infrastructure; telemetry did not indicate compromise of Microsoft-owned assets or services.

Forest Blizzard, which primarily collects intelligence in support of Russian government foreign policy initiatives, has also leveraged its DNS hijacking activity to support post-compromise adversary-in-the-middle (AiTM) attacks on Transport Layer Security (TLS) connections against Microsoft Outlook on the web domains. This activity enables the interception of cloud-hosted content, impacting numerous sectors including government, information technology (IT), telecommunications, and energy—all usual targets for this actor.
While the number of organizations specifically targeted for TLS AiTM is only a subset of the networks with vulnerable SOHO devices, Microsoft Threat Intelligence assesses that the threat actor’s broad access could enable larger-scale AiTM attacks, which might include active traffic interception. Targeting SOHO devices is not a new tactic, technique, or procedure (TTP) for Russian military intelligence actors, but this is the first time Microsoft has observed Forest Blizzard using DNS hijacking at scale to support AiTM of TLS connections after exploiting edge devices.

In this blog, we share our analysis of the TTPs used by Forest Blizzard in this campaign to illustrate how threat actors leverage this attack surface. We’re also outlining mitigation and protection recommendations to reduce exposure from compromised SOHO devices, as well as Microsoft Defender detection and hunting guidance to help defenders identify and investigate related malicious activity. It’s important for organizations to account for unmanaged SOHO devices—particularly those used by remote and hybrid employees—since compromised home and small-office network infrastructure can expose cloud access and sensitive data even when enterprise environments and cloud services themselves remain secure.

DNS...
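The recommendation above is to audit unmanaged SOHO devices, and the campaign's core change is a modified upstream DNS setting on the router. The following Python script is an added example written for this page; it is not code from Microsoft's post or from any Microsoft tool. It audits the upstream resolvers reported by a fleet of routers in two ways: each resolver must be on an approved list, and each device's resolver set must match the last recorded baseline, since a silent resolver change is exactly what this activity looks like from the device side. The inventory format (tab-separated `router_id` and comma-separated resolvers), the device names, the allowlist and the baseline are all constructed for the example; the IPv4 addresses outside private ranges are from documentation blocks and do not refer to any real infrastructure.

```python
"""
Audit upstream DNS resolver settings exported from SOHO/remote-worker routers.

Added example (not from the Microsoft post). Two defensive checks:
  1. Allowlist: every configured resolver must be an approved one.
  2. Drift: a device whose resolver set differs from its recorded baseline,
     or that has no baseline at all, is flagged for follow-up.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed allowlist: the org's own resolvers plus one permitted public service.
APPROVED_RESOLVERS: set[str] = {"10.20.0.53", "10.20.0.54", "1.1.1.1", "1.0.0.1"}

# Constructed inventory export: router_id <TAB> comma-separated upstream resolvers.
SAMPLE_INVENTORY = """\
# router_id\tupstream_dns (constructed sample data)
hq-edge-01\t10.20.0.53,10.20.0.54
remote-alice\t10.20.0.53,10.20.0.54
remote-bob\t10.20.0.53,198.51.100.23
remote-carol\t203.0.113.77
remote-dave\t1.1.1.1,1.0.0.1
remote-erin\tnot-an-ip
"""

# Constructed baseline from a previous audit run (remote-erin is a new device).
SAMPLE_BASELINE: dict[str, list[str]] = {
    "hq-edge-01": ["10.20.0.53", "10.20.0.54"],
    "remote-alice": ["10.20.0.53", "10.20.0.54"],
    "remote-bob": ["10.20.0.53", "10.20.0.54"],
    "remote-carol": ["10.20.0.53", "10.20.0.54"],
    "remote-dave": ["1.1.1.1", "1.0.0.1"],
}


@dataclass(frozen=True)
class Finding:
    device: str
    resolver: str   # the offending value, or the whole resolver set for drift findings
    reason: str


def parse_inventory(text: str) -> dict[str, list[str]]:
    """Parse the tab-separated export; blank lines and '#' comments are skipped."""
    inventory: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        device, _, resolvers = line.partition("\t")
        inventory[device.strip()] = [r.strip() for r in resolvers.split(",") if r.strip()]
    return inventory


def audit(inventory: dict[str, list[str]],
          baseline: dict[str, list[str]],
          approved: set[str]) -> list[Finding]:
    """Return one Finding per allowlist violation, unparseable value, or baseline drift."""
    findings: list[Finding] = []
    for device, resolvers in inventory.items():
        valid: list[str] = []
        for value in resolvers:
            try:
                ip = str(ipaddress.ip_address(value))
            except ValueError:
                findings.append(Finding(device, value, "unparseable resolver value"))
                continue
            valid.append(ip)
            if ip not in approved:
                findings.append(Finding(device, ip, "resolver not in allowlist"))
        previous = baseline.get(device)
        if previous is None:
            findings.append(Finding(device, ",".join(valid), "no baseline recorded for device"))
        elif set(previous) != set(valid):
            findings.append(Finding(device, ",".join(valid),
                                    f"resolver set changed since baseline ({','.join(previous)})"))
    return findings


def flagged_devices(findings: list[Finding]) -> set[str]:
    """Distinct devices that produced at least one finding."""
    return {f.device for f in findings}


if __name__ == "__main__":
    results = audit(parse_inventory(SAMPLE_INVENTORY), SAMPLE_BASELINE, APPROVED_RESOLVERS)
    for f in results:
        print(f"{f.device}: {f.reason} [{f.resolver}]")
```

Run against the constructed sample, the script flags `remote-bob` and `remote-carol` twice each (a resolver outside the allowlist, and drift from their recorded baseline) and `remote-erin` for an unparseable value and a missing baseline, while the unchanged devices produce nothing. In a real deployment the inventory would come from the routers' management export or a config-backup job, and the drift finding is the one worth alerting on, because an approved-looking resolver that simply changed without a change ticket is still a change someone other than the owner made.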
Linked Entities
- Forest Blizzard
- Storm-2754