Authorities Crack Down on Router DNS Hijacks Targeting Microsoft 365 Logins
A significant joint effort by law enforcement authorities and private companies has successfully disrupted FrostArmada, a notorious APT28 campaign that compromised local traffic from MikroTik and TP-Link routers to steal Microsoft account credentials.
The FrostArmada attacks primarily targeted small office/home office (SOHO) routers, altering the domain name system (DNS) settings to point to virtual private servers (VPS) under the hackers’ control. These VPS acted as DNS resolvers, allowing APT28 to intercept authentication traffic to targeted domains and steal Microsoft logins and OAuth tokens.
At its peak in December 2025, FrostArmada infected 18,000 devices across 120 countries, primarily targeting government agencies, law enforcement, IT and hosting providers, and organizations operating their own servers.
Microsoft collaborated closely with Black Lotus Labs (BLL), Lumen’s threat research and operations division, to map the malicious activity and identify victims. With support from the FBI, the US Department of Justice, and the Polish government, the offending infrastructure has been taken offline.
FrostArmada targeted internet-exposed routers, primarily MikroTik and TP-Link, as well as some firewall products from Nethesis and older Fortinet models.
- The compromised routers communicated with the attackers’ infrastructure and received DNS configuration changes that redirected traffic to malicious VPS nodes.
- The new DNS settings were automatically pushed to internal devices via the Dynamic Host Configuration Protocol (DHCP).
- The only visible sign of the attack was a warning for an invalid TLS certificate, which could be easily dismissed.
Ignoring that alert, however, gave the threat actor access to the victim’s unencrypted internet communication. The actor effectively ran a proxy service as the AitM, directing the end-user to the attacker-controlled VPS via DNS. The only sign of this attack would be a pop-up warning about connecting to an untrusted source, caused by the ‘break and inspect’ configuration.
If such warnings were present and ignored or clicked through, the actor proxied requests to the legitimate services, collecting data at the midpoint and, by passing along the valid OAuth token, collecting further data associated with the targeted account.
In some instances, however, the hackers spoofed DNS responses for certain domains, forcing affected endpoints to connect to the attack infrastructure, according to Microsoft.
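A defender-side check for the two mechanisms described above (a rogue resolver handed out by DHCP, and spoofed answers for the login domains). This is an added example, not code from the article, Microsoft or Black Lotus Labs; the expected-resolver addresses, the dhclient lease snippet and the DNS answers are constructed sample data, and the only real value is the VPS indicator published in the report.

```python
"""Flag DHCP-pushed rogue DNS resolvers and spoofed answers for M365 login domains.
Runs offline on constructed sample data; no network access."""
import ipaddress
import re

# Resolvers the organisation expects DHCP to hand out (assumption: example values).
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# VPS indicator published for the FrostArmada campaign (from the report above).
KNOWN_BAD_RESOLVERS = {"64.120.31.96"}
# Login domains the AitM proxy impersonated.
WATCHED_DOMAINS = ("login.microsoftonline.com", "outlook.office.com")

# Constructed dhclient lease, shaped like what a hijacked router pushes via DHCP.
SAMPLE_LEASE = """lease {
  interface "eth0";
  option routers 192.168.88.1;
  option domain-name-servers 64.120.31.96, 10.0.0.53;
}"""
# Constructed answers: from the DHCP-assigned resolver vs. a trusted out-of-band one
# (e.g. DoH to a known provider). 203.0.113.0/24 is a documentation range.
CONFIGURED_ANSWERS = {"login.microsoftonline.com": ["64.120.31.96"],
                      "outlook.office.com": ["203.0.113.20"]}
TRUSTED_ANSWERS = {"login.microsoftonline.com": ["203.0.113.10"],
                   "outlook.office.com": ["203.0.113.20"]}

def dhcp_resolvers(lease_text: str) -> list[str]:
    """Extract the domain-name-servers list from a dhclient lease."""
    m = re.search(r"option domain-name-servers ([^;]+);", lease_text)
    return [s.strip() for s in m.group(1).split(",")] if m else []

def resolver_findings(resolvers) -> list[str]:
    """Report resolvers that match a published indicator or are simply unexpected."""
    findings = []
    for r in resolvers:
        if r in KNOWN_BAD_RESOLVERS:
            findings.append(f"{r}: matches published FrostArmada indicator")
        elif r not in EXPECTED_RESOLVERS:
            scope = "private" if ipaddress.ip_address(r).is_private else "public"
            findings.append(f"{r}: unexpected {scope} resolver pushed by DHCP")
    return findings

def spoofed_domains(configured: dict, trusted: dict) -> list[str]:
    """Watched domains whose answers differ between the assigned and trusted resolver."""
    return [d for d in WATCHED_DOMAINS
            if set(configured.get(d, [])) != set(trusted.get(d, []))]

if __name__ == "__main__":
    for f in resolver_findings(dhcp_resolvers(SAMPLE_LEASE)):
        print("ALERT", f)
    for d in spoofed_domains(CONFIGURED_ANSWERS, TRUSTED_ANSWERS):
        print("ALERT", d, "resolves differently via the DHCP-assigned resolver")
```

On a real endpoint, feed it the live lease file and answers from both resolvers; a hit on either check is a reason to inspect the router's DNS and DHCP configuration.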
Lumen reports that FrostArmada operated in two distinct clusters: one dedicated to device compromise and botnet growth (the “Expansion team”) and another handling AitM and credential collection operations.
Black Lotus Labs observed that FrostArmada activity increased sharply following an August 2025 report from the National Cyber Security Centre (NCSC) in the UK describing a Forest Blizzard toolset that targeted Microsoft account credentials and tokens.
Microsoft confirmed that APT28 carried out AitM attacks against domains associated with the Microsoft 365 service, including subdomains for Microsoft Outlook on the web, which have also been targeted.
Additionally, the company observed this activity on servers belonging to three government organizations in Africa that were not hosted on Microsoft infrastructure. In those attacks, “Forest Blizzard intercepted DNS requests and conducted follow-on collection.”
Black Lotus Labs identified several indicators of compromise for the VPS servers used during the FrostArmada campaign:
- IP address: `64.120.31[.]96`
- First seen: `May 19, 2025`
- Last seen: `March 31, 2026`
Defenders are advised to implement certificate pinning for corporate devices (laptops, mobile phones) managed through an MDM solution, which would generate an error when the attacker tries to intercept and inspect traffic on their VPS infrastructure.
Another recommendation is to minimize the attack surface through patching, limiting exposure on the public web, and removing all end-of-life equipment.
Microsoft and the NCSC provided a list of
