One number should stop every security team cold: 18,000. That's how many SOHO routers Russia's GRU-backed APT28 — also tracked as Forest Blizzard and Fancy Bear — compromised across 120 countries as part of a years-long credential harvesting campaign that Microsoft Threat Intelligence and NCSC publicly exposed on April 7, 2026. The operation, codenamed FrostArmada by Lumen's Black Lotus Labs, infected more than 5,000 consumer devices and penetrated more than 200 organisations spanning government, IT, telecommunications, and energy sectors. All of it happened without touching a single endpoint or tripping a single EDR alert.
I've spent years tracking APT28's tradecraft, and what makes this campaign chilling isn't novelty — it's discipline. The attack worked because it didn't target your users or their devices. It targeted the infrastructure sitting between your users and Microsoft 365. By compromising TP-Link and MikroTik routers at the network edge, APT28 quietly overwrote DHCP DNS settings to route authentication traffic through GRU-controlled DNS servers. Every time a targeted employee typed their Outlook Web Access URL, their credentials — passwords, OAuth tokens, and session cookies — were harvested by Russian military intelligence before Microsoft ever saw the connection.
Operation Masquerade, a coordinated FBI-led takedown involving 15 countries and technical partners including Microsoft and Lumen's Black Lotus Labs, has disrupted this specific network. Here's the uncomfortable part, though: the playbook is intact, the credentials already stolen remain fully usable, and nation-state actors will rebuild their infrastructure. What your organisation needs isn't faith in future takedowns. You need a detection control that fires the moment those credentials get weaponized.
DNS Hijacking Is Built for Patient Adversaries
Endpoint attacks keep getting harder to pull off. Modern EDR platforms catch malware, behavioural anomalies, and living-off-the-land techniques with reasonable accuracy. So threat actors with nation-state resources did the rational thing: they moved the attack to a layer where EDR can't see at all.
DNS sits underneath every network transaction. Your users don't query Microsoft's IP addresses directly. They query a name like outlook.office.com, and a DNS resolver translates that to an IP. If the resolver is compromised — as it was in the FrostArmada campaign — it can quietly return a different IP: one pointing to an attacker-controlled server presenting a flawless replica of the Microsoft 365 login page.
The victim types their credentials. The attacker harvests them. The attacker can then proxy the request to the real Microsoft server, so the user logs in successfully and sees no error. The whole transaction looks legitimate in every log Microsoft or the organisation holds. No malware installed. No suspicious process. No lateral movement — not yet.
APT28 layered adversary-in-the-middle (AitM) interception on top, specifically targeting Microsoft Outlook on the Web subdomains, which let them steal not just passwords but OAuth tokens and session cookies. In a world of MFA-everywhere, session token theft is the skeleton key. It bypasses authenticator apps, SMS codes, and hardware tokens entirely, because the attacker presents a valid authenticated session rather than a raw credential. I've watched this same MFA-bypass pattern play out across the infostealer epidemic that's quietly defeating MFA, and the lesson is identical: once a session is valid, your strongest login control is already behind the attacker.
At its operational peak in December 2025, FrostArmada had infected 18,000 devices across 120 countries. Microsoft identified more than 200 targeted organisations. The Justice Department confirmed that the compromised infrastructure was used to spy on government, military, IT, and energy sector targets — exactly the organisations that believe their MFA policies protect them.
The Security Stack That Did Not Stop It
Let me be specific about why conventional security investments offered so little protection here.
Endpoint Detection and Response (EDR) runs on the endpoint. A DNS hijacking attack at the router level leaves no artefact on any endpoint. There's no malicious process, no unusual network connection initiated by the device (the connection goes exactly where the user intended), and no file written to disk. Even the best EDR platforms are architecturally blind to network-layer manipulation upstream of the device.
Multi-Factor Authentication (MFA) was the control security teams believed made credential theft moot. FrostArmada dismantled that assumption. Operating as a real-time AitM proxy, APT28's infrastructure could complete the MFA challenge on behalf of the victim in real time, harvesting the resulting OAuth token and session cookie. The attacker then replays that session — which carries a valid MFA signal — at any time from any location. Conditional access policies based on IP or device compliance help, but they aren't bulletproof against sophisticated AitM infrastructure.
SIEM and log analytics depend on anomalies in endpoint or network telemetry that never materialise. The authentication event in Microsoft's logs shows a successful sign-in from the user's IP address (the AitM proxy forwards the connection). There's no failed login, no impossible travel event, no risky sign-in — unless the attacker makes a later operational error.
Network security monitoring inside the corporate perimeter can't observe what happens at a remote employee's home router. With hybrid and remote workforces now standard, the attack surface stretches across thousands of home internet connections that no corporate firewall touches.
The core problem: every one of these controls is designed to detect the attack, and APT28's DNS hijacking campaign was architecturally invisible to all of them. Detection had to move to the point of use.
Where Credential Mines Change the Equation
Mine2's Credential Mines work on a different principle. Instead of trying to detect the theft, they make the stolen credentials impossible to use silently.
The idea is simple. Mine2 plants realistic-looking fake Microsoft 365 credentials — valid-format usernames and passwords that appear exactly where attackers look: Active Directory, endpoint credential stores, browser saved passwords, SharePoint documents, developer workstations. These credentials are indistinguishable from real ones to any attacker doing reconnaissance, exfiltration, or credential stuffing. But when an attacker tries to authenticate with a Mine — through a phishing replay, a credential stuffing tool, or a direct authentication request — Mine2 detects the attempt in real time and fires an alert.
Against the APT28 DNS hijacking playbook, this creates a detection layer that's architecturally independent of everything the attacker bypassed. Walk through the sequence:
- APT28 intercepts and harvests M365 credentials via DNS hijacking. The harvest is invisible.
- APT28 operators sit on the credentials, often for days or weeks, before any operational use.
- When APT28 tries to use the harvested credentials to reach target systems — email, file shares, internal portals — Credential Mines seeded across the user population fire.
- The alert names the specific credential being used, the source IP attempting authentication, and the timestamp, giving you forensic intelligence even when the original harvest was undetectable.
Because Credential Mines produce zero false positives by design — no legitimate user or system ever authenticates with a mine credential — every alert is a confirmed adversary action. Your team isn't triaging a queue of ambiguous events. They know.
MineField handles the post-authentication phase. Once APT28 holds valid session credentials and starts exploring the internal environment — mapping file shares, enumerating service accounts, testing lateral movement paths — MineField's decoy TCP services catch port scanning and network reconnaissance at the first probe. The attacker's internal IP, timing, and behavioural fingerprint get logged before a single real asset is touched. This is the same dynamic I broke down in our look at service account lateral movement and how Credential Mines surface it.
Cloud Mines addresses the OAuth token component of the FrostArmada harvest. APT28 specifically targeted Microsoft 365 OAuth tokens, which grant cloud resource access. Cloud Mines deploys fake AWS and Azure resource endpoints that read as high-value targets during any cloud environment enumeration. An attacker who has successfully stolen tokens and starts cloud reconnaissance hits a Mine asset before any real production system — triggering detection before damage is done. If you want the mechanics of token-driven cloud pivots, our breakdown of device code phishing and OAuth token abuse covers the same attacker model.
Compliance Obligations That Make Deception Detection Mandatory
FrostArmada isn't only a technical threat. It's a compliance and regulatory liability. Organisations in regulated industries need to understand how this attack intersects with their notification and audit trail requirements.
GDPR (Articles 33 and 34) requires notification to supervisory authorities within 72 hours of becoming aware of a personal data breach, and to affected individuals without undue delay when the breach is likely to result in high risk. A DNS hijacking attack that harvests employee and customer credentials is a personal data breach. Without a detection control that fires at credential use, organisations may never become "aware" within GDPR's meaning — and could face enforcement action not for the breach itself, but for failing to detect it.
India's Digital Personal Data Protection Act (DPDP Act) imposes breach notification obligations on Data Fiduciaries and mandates controls to prevent unauthorised access. CERT-In's 6-hour mandatory incident reporting window — one of the tightest in the world — makes rapid detection existential for Indian organisations. Credential Mines provide the real-time detection that makes 6-hour reporting achievable.
PCI-DSS v4.0 (Requirement 11) mandates ongoing testing and monitoring of security controls, with specific requirements around detection of unauthorised network access and credential compromise. Deception technology is explicitly recognised in PCI guidance as a valid compensating control for detection.
RBI and SEBI Directives for Indian financial institutions require strong access controls, continuous monitoring, and documented incident response. The RBI's cybersecurity framework specifically calls for detection of credential misuse — a requirement conventional controls struggle to meet against nation-state AitM campaigns.
HIPAA Security Rule requires covered entities and business associates to implement technical security measures guarding against unauthorised access to ePHI transmitted over electronic networks. Credential theft that enables access to healthcare systems is a direct HIPAA violation, and the Security Rule's audit control requirements demand evidence of monitoring — which Mine2's detection logs provide.
Across every one of these frameworks, Mine2's detection capability isn't merely a technical control. It's the documented evidence of monitoring, detection, and response that regulators require to show due diligence.
Practical Playbook: Hardening Against DNS Hijacking and Credential Replay
You can't retrofit defences into millions of home routers. But you can build controls that assume the theft already happened — and turn that assumption into your detection advantage.
Step 1: Deploy Credential Mines across the M365 identity surface. Seed fake Microsoft 365 credentials in Active Directory, endpoint credential managers, and developer configuration files. Configure Mine2 to alert immediately on any authentication attempt using a mine credential. This gives you detection regardless of how credentials were stolen.
Step 2: Enable MineField on internal network segments. Any attacker who authenticates with stolen credentials and starts internal reconnaissance hits decoy TCP services before reaching production assets. Deploy MineField on server VLANs, database subnets, and internal application tiers.
Step 3: Harden remote network infrastructure with Fortify posture checks. Publish mandatory router configuration standards for remote workers — HTTPS-only management access, firmware update requirements, DNS-over-HTTPS enforcement. Mine2's Fortify module can validate endpoint posture to catch deviations.
Step 4: Implement Entra ID Conditional Access with strict session lifetime controls. Shorter token lifetimes shrink the window during which a stolen OAuth token stays usable. Pair this with continuous access evaluation for high-risk sign-in detection.
Step 5: Enable DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) on managed endpoints. Encrypted DNS queries can't be intercepted or redirected by a compromised router the same way. This is a direct architectural counter to the DNS hijacking technique. Microsoft, Cloudflare, and Google all run DoH resolvers that endpoints can be configured to use exclusively.
Step 6: Activate Cloud Mines on AWS and Azure tenants. Given APT28's specific focus on harvesting OAuth tokens for cloud access, seeding decoy cloud resources creates a detection layer that fires when harvested tokens are used to enumerate cloud environments.
Step 7: Subscribe to threat intelligence feeds from NCSC, CISA, and Microsoft Threat Intelligence. Operation Masquerade's disruption included publication of IoCs and adversary infrastructure identifiers. Feed these into your SIEM and firewall blocklists.
The Strategic Lesson From Operation Masquerade
Operation Masquerade succeeded because it was a coordinated, resourced, government-led takedown involving 15 countries, multiple intelligence agencies, Microsoft, and Lumen. Most organisations don't have those resources. And here's the part that matters more: APT28's credential harvest happened before the takedown. The 200+ organisations identified as victims already had their credentials compromised. The disruption was a network disruption — it didn't un-steal anything.
That's the operational lesson threat intelligence teams need to absorb. Takedowns are a macro-level intervention that arrives too late for any individual victim. Your detection controls need to operate at the point of credential use — the moment an attacker, anywhere in the world, tries to use what they stole months ago.
Credential Mines are that control. They don't require visibility into the theft. They don't depend on network telemetry you don't have. They don't bury the signal under false positives. They fire when an attacker uses a mine credential, and that's the only moment that matters.
If APT28 compromised your employees' home routers and harvested their M365 credentials last December, you may not know yet. But if your environment is seeded with Credential Mines, you'll know the moment they try.
Want to see active defense through deception running against this exact playbook? Mine2 deploys Credential Mines, MineField, and Cloud Mines across your environment in under 60 minutes — zero performance impact, zero false positives. Take a look at https://www.mine2.io/product.
Riya
Principal Threat Researcher, Mine2 Labs
Riya tracks active threat campaigns and APT tradecraft at Mine2 Labs, translating real-world attacker behaviour into practical detection ideas.
Recent Articles
One Token, Dozens of Victims: How the Anodot SaaS Integration Breach Rewrites the Third-Party Risk Playbook
13 Million Tickets, One Request: How the Adobe BPO Breach Exposes the Third-Party Credential Blind Spot
100 Million Downloads, One Poisoned Package: How the Axios npm Attack Proves Developer Credentials Are the New Crown Jewels
Need Security Help?
Protect your organization with MINE2's cyber deception platform.
