Microsoft Warns Forest Blizzard Hijacked SOHO Routers for DNS Hijacking and AiTM Attacks
Microsoft Threat Intelligence has warned that Forest Blizzard, a threat actor linked to Russian military intelligence, has been compromising vulnerable home and small-office routers and repurposing them as part of a broader espionage infrastructure. According to Microsoft, the actor has been abusing insecure SOHO devices since at least August 2025, modifying their DNS settings to redirect traffic through actor-controlled resolvers and using that foothold to support passive collection, reconnaissance, and in selected cases, adversary-in-the-middle attacks against higher-value targets.
The campaign is important because it shows how threat actors can bypass better-defended enterprise environments by first compromising the less monitored infrastructure sitting upstream of them. Rather than directly attacking a large target’s core network, Microsoft says Forest Blizzard altered the default network configuration on internet edge devices so that connected systems would send DNS queries to attacker-controlled servers. That kind of access provides broad visibility into destination lookups and can reveal which services, applications, and cloud platforms users inside affected networks are trying to reach.
Microsoft attributes the operational component of the activity to Storm-2754, a subgroup it links to Forest Blizzard. The company says it has identified more than 200 organizations and about 5,000 consumer devices affected by the malicious DNS infrastructure, while noting that its own assets and services were not compromised. Even so, the scale is notable because DNS hijacking at this level gives the actor a durable and low-noise collection position across a wide set of networks.
At the center of the campaign is DNS hijacking. Microsoft says Forest Blizzard gained access to vulnerable edge routers and then changed their settings so connected endpoints would resolve domains through infrastructure controlled by the actor. In most home and small-office environments, endpoint devices inherit DNS settings automatically through DHCP, so once the router is altered, every downstream system begins sending its lookups to the attacker without the user doing anything at all.
Microsoft assesses that the actor is almost certainly using dnsmasq as part of this operation. dnsmasq is a legitimate lightweight networking utility commonly used in small routers to provide DNS forwarding, caching, and DHCP services. That makes it a practical tool for malicious reuse. It lets the attacker both listen on port 53 and transparently forward or manipulate DNS traffic while blending in with expected router behavior.
The campaign becomes more serious when it moves from passive DNS visibility to AiTM. Microsoft says that in most observed cases, the hijacked DNS requests were transparently proxied to the legitimate destination, allowing the actor to collect intelligence without interrupting user activity. But in a smaller number of incidents, Forest Blizzard spoofed DNS responses for specifically chosen domains, forcing victims to connect to attacker-controlled infrastructure instead of the genuine service. That infrastructure then presented an invalid TLS certificate while impersonating the real site. If the victim ignored the certificate warning, the actor could intercept the plaintext traffic inside the TLS session.
Microsoft says it observed this follow-on activity against a subset of domains associated with Microsoft Outlook on the web. In separate activity, the company also identified AiTM attacks targeting non-Microsoft servers in at least three government organizations in Africa. In both cases, the value of the router compromise was not the router itself. It was the attacker’s ability to sit in the resolution path and selectively redirect high-value connections when intelligence priorities justified a more active intrusion.
The technical model here is deceptively simple. A compromised SOHO router does not need to exploit Microsoft 365 or break enterprise cloud infrastructure directly. It only needs to influence where a victim system goes when it asks, “Where is this domain?” Once that answer is manipulated, the attacker can insert a malicious hop into the communication path. That makes DNS control a powerful precondition for session interception, credential theft, and traffic collection even when the cloud service itself remains secure. This last point is an inference drawn from the attack chain Microsoft describes and the role DNS plays in endpoint connectivity, not a direct statement from Microsoft.
Microsoft frames the campaign as part of Forest Blizzard’s longstanding intelligence mission in support of Russian foreign policy priorities. The affected sectors it names, including government, information technology, telecommunications, and energy, are consistent with classic espionage targeting. The company also notes that while only a subset of compromised environments was used for TLS AiTM, the broader access position could enable larger-scale active interception in the future if the actor chose to expand beyond the currently observed activity.
From a defensive standpoint, one of Microsoft’s central warnings is that organizations often overlook unmanaged home and small-office network equipment, especially in remote and hybrid work environments. A company may harden endpoints, cloud identity, and enterprise VPN infrastructure, yet still be exposed if an employee connects through a compromised home router that silently redirects DNS. In that model, the weakest point is not always inside the corporate estate. It is sometimes the consumer-grade edge device sitting between the employee and the internet.
Microsoft recommends several mitigation steps. On the DNS side, it advises enforcing trusted DNS through Zero Trust DNS controls on Windows endpoints, blocking known malicious domains, maintaining detailed DNS logs, and enabling network and web protection through Microsoft Defender for Endpoint. It also explicitly warns organizations to avoid using home-router-style solutions in corporate environments. On the identity side, it recommends centralized identity management, strong MFA, passkeys, Conditional Access, continuous access evaluation, and risk-based sign-in policies to limit the downstream impact if credentials are intercepted in AiTM activity.
The hunting guidance Microsoft provides reflects the reality that the initial compromise happens at the router, where many organizations have little or no telemetry. As a result, defenders are encouraged to focus on post-compromise indicators, such as unusual modifications to DNS settings on Windows devices, highly suspicious risky sign-ins, and unusual Microsoft 365 user activity like mailbox searches or message access. Microsoft also highlights Defender alerts such as “Forest Blizzard Actor activity detected” and “Storm-2754 activity”, along with Entra ID threat intelligence sign-in detections tied to known Forest Blizzard patterns.
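As an added illustration of the resolution-path check that the DNS hijacking description and the hunting guidance above point toward (example code written for this article, not tooling from Microsoft or any vendor), the script below sends the same A-record query to the locally configured resolver and to an out-of-band trusted resolver and reports domains whose answers do not overlap; the resolver addresses and the list of high-value domains are assumptions the operator supplies.

```python
import random
import socket
import struct

def build_query(name, txid):
    # DNS header (recursion desired, 1 question) + QNAME + QTYPE A + QCLASS IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    # Advance past a label sequence or a 2-byte compression pointer
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln

def parse_a_records(msg):
    # Walk the question section, then collect IPv4 addresses from the answers
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    addrs = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve(name, server, timeout=3.0):
    # Plain UDP/53 lookup against one chosen server, bypassing the OS resolver
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != txid:
        raise ValueError("DNS transaction id mismatch")
    return parse_a_records(data)

def find_divergent(local, trusted):
    # Flag names whose local answer set shares no address with the trusted set;
    # callers build both dicts as {name: resolve(name, server)} per resolver
    return {n for n, a in local.items() if a and trusted.get(n) and a.isdisjoint(trusted[n])}
```

CDN-fronted services legitimately return different addresses from different vantage points, so treat a divergence as a lead to confirm (for instance by inspecting the TLS certificate the locally returned address serves), not as proof of hijacking.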
The broader lesson is that DNS is no longer just background plumbing in the threat model. It is an attack surface, a visibility layer, and in the wrong hands, a traffic control system. Forest Blizzard’s campaign shows how a relatively low-cost compromise of poorly secured edge routers can be converted into a scalable collection and interception platform that reaches into enterprise and cloud workflows without touching the core service itself. That is what makes this operation strategically significant. The actor is not only compromising routers. It is weaponizing trust in the network path itself.