18,000 Routers, 120 Countries: How APT28's DNS Hijacking Campaign Renders Your M365 Credentials Worthless
mine2 team · 11 min read


Russia's GRU-backed APT28 (Forest Blizzard) compromised 18,000 SOHO routers across 120 countries to silently intercept Microsoft 365 credentials, OAuth tokens, and session cookies at the network layer — completely invisible to endpoint security. Operation Masquerade disrupted the network, but the playbook lives on. Credential Mines are the only control that catches attackers the moment they try to use what they stole.


Here is the number that should stop every security team cold: 18,000. That is how many SOHO routers Russia's GRU-backed APT28 — also tracked as Forest Blizzard and Fancy Bear — compromised across 120 countries as part of a years-long credential harvesting campaign that Microsoft Threat Intelligence and NCSC publicly exposed on April 7, 2026. The operation, codenamed FrostArmada by Lumen's Black Lotus Labs, infected more than 5,000 consumer devices and penetrated more than 200 organisations spanning government, IT, telecommunications, and energy sectors — all without touching a single endpoint or triggering a single EDR alert.

The attack worked because it did not target your users or their devices. It targeted the infrastructure between your users and Microsoft 365. By compromising TP-Link and MikroTik routers at the network edge, APT28 quietly overwrote DHCP DNS settings to redirect authentication traffic through GRU-controlled DNS servers. Every time a targeted employee typed their Outlook Web Access URL, their credentials — passwords, OAuth tokens, and session cookies — were harvested by Russian military intelligence before Microsoft ever saw the connection.

Operation Masquerade, a coordinated FBI-led takedown involving 15 countries and technical partners including Microsoft and Lumen's Black Lotus Labs, has disrupted this specific network. But here is the uncomfortable truth: the playbook is intact, the credentials already stolen remain fully usable, and nation-state actors will rebuild their infrastructure. What your organisation needs is not faith in future takedowns — it is a detection control that fires the moment those credentials are weaponized.

Why DNS Hijacking Is the Perfect Nation-State Weapon

Traditional endpoint-based attacks are increasingly difficult. Modern EDR platforms catch malware, behavioural anomalies, and living-off-the-land techniques with reasonable accuracy. Threat actors with nation-state resources responded rationally: they moved the attack to a layer where EDR cannot see at all.

DNS sits at the foundation of every network transaction. Your users do not query Microsoft's IP addresses directly; they query a name like outlook.office.com, and a DNS resolver translates that to an IP address. If the resolver is compromised — as happened in the FrostArmada campaign — it can silently return a different IP address: one pointing to an attacker-controlled server that presents a perfect replica of the Microsoft 365 login page.

The victim types their credentials. The attacker harvests them. The attacker optionally proxies the request to the real Microsoft server, so the user logs in successfully and sees no error. The entire transaction appears legitimate on every log Microsoft or the organisation possesses. There is no malware installed. No suspicious process. No lateral movement — yet.

APT28 enhanced this attack with adversary-in-the-middle (AitM) interception specifically targeting Microsoft Outlook on the Web subdomains, allowing them to steal not just passwords but OAuth tokens and session cookies. In a world of MFA-everywhere, session token theft is the skeleton key: it bypasses authenticator apps, SMS codes, and hardware tokens entirely because the attacker presents a valid authenticated session, not a raw credential.

At its operational peak in December 2025, FrostArmada had infected 18,000 devices across 120 countries. Microsoft identified more than 200 targeted organisations. The Justice Department confirmed that the compromised infrastructure was used to spy on government, military, IT, and energy sector targets — precisely the organisations that believe their MFA policies protect them.

The Security Stack That Did Not Stop It

Let us be specific about why conventional security investments offered little protection here.

Endpoint Detection and Response (EDR) operates on the endpoint. A DNS hijacking attack at the router level leaves no artefact on any endpoint. There is no malicious process, no unusual network connection initiated by the endpoint (the connection goes exactly where the user intended), and no file written to disk. EDR — even the most capable platforms — is architecturally blind to network-layer manipulation upstream of the device.

Multi-Factor Authentication (MFA) was the control that security teams believed made credential theft moot. FrostArmada dismantled that assumption. By operating as a real-time AitM proxy, APT28's infrastructure could complete the MFA challenge on behalf of the victim in real time, harvesting the resulting OAuth token and session cookie. The attacker then replays that session — which carries a valid MFA signal — at any time from any location. Conditional access policies based on IP or device compliance can help but are not bulletproof against sophisticated AitM infrastructure.

SIEM and log analytics rely on anomalies in endpoint or network telemetry that never materialise. The authentication event in Microsoft's logs shows a successful sign-in from the user's IP address (the AitM proxy forwards the connection). There is no failed login, no impossible travel event, no risky sign-in — unless the attacker makes a subsequent operational error.

Network security monitoring inside the corporate perimeter cannot observe what happens at a remote employee's home router. With hybrid and remote workforces now standard, the attack surface extends to thousands of home internet connections that no corporate firewall touches.

The fundamental problem is that all of these controls are designed to detect the attack — but APT28's DNS hijacking campaign was architecturally invisible to every one of them. Detection had to happen at the point of use.

Where Credential Mines Change the Equation

Mine2's Credential Mines operate on a different principle: rather than trying to detect the theft, they make the stolen credentials impossible to use silently.

The approach is conceptually straightforward. Mine2 plants realistic-looking fake Microsoft 365 credentials — valid-format usernames and passwords that appear in exactly the locations attackers look: Active Directory, endpoint credential stores, browser saved passwords, SharePoint documents, and developer workstations. These credentials are indistinguishable from real ones to any attacker conducting reconnaissance, exfiltration, or credential stuffing. But when an attacker attempts to authenticate with a Mine — whether through a phishing replay, credential stuffing tool, or direct authentication request — Mine2 detects the attempt in real time and triggers an alert.

Against the APT28 DNS hijacking playbook, this creates a detection layer that is architecturally independent of everything the attacker bypassed. Consider the attack sequence:

  1. APT28 intercepts and harvests M365 credentials via DNS hijacking. The harvest is invisible.
  2. APT28 operators sit on the credentials, typically for days or weeks, before operational use.
  3. When APT28 attempts to use the harvested credentials to access target systems — email, file shares, internal portals — Credential Mines seeded in the user population fire.
  4. The alert identifies the specific credential being used, the source IP attempting authentication, and the timestamp — providing forensic intelligence even when the initial harvest was undetectable.

Because Credential Mines generate zero false positives by design (no legitimate user or system authenticates with a mine credential), every alert represents a confirmed adversary action. Security teams do not need to triage a queue of ambiguous events. They know.
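The detection step in the sequence above, written out as an added example (this is not Mine2's code or any code from the original article): a watcher that raises one alert for every Entra ID sign-in attempt, successful or failed, whose user principal name matches a seeded mine, and records the credential, source IP and timestamp the text describes. The mine UPNs, the sample sign-in records and the IP addresses are constructed; field names follow the shape of Entra ID sign-in entries.

```python
"""Mine-credential watcher: one alert per sign-in attempt that uses a seeded mine."""
import json
from dataclasses import dataclass
from typing import Iterable

# Mine UPNs seeded into AD, credential stores and config files. Constructed
# placeholder values; the real list is whatever the deception platform planted.
MINE_UPNS = {"svc-backup-admin@contoso-example.com", "j.doe.finance@contoso-example.com"}

@dataclass(frozen=True)
class Alert:
    upn: str         # which mine credential was used
    source_ip: str   # where the attempt came from
    timestamp: str   # when, as logged
    outcome: str     # "success" or "failure(code)": both are confirmed adversary activity

def watch_signins(records: Iterable[dict]) -> list[Alert]:
    """No legitimate user or system ever authenticates with a mine, so any
    attempt, successful or not, is an alert; every other record is ignored."""
    alerts = []
    for rec in records:
        upn = rec.get("userPrincipalName", "").lower()   # case-insensitive match
        if upn not in MINE_UPNS:
            continue
        err = rec.get("status", {}).get("errorCode", 0)
        alerts.append(Alert(
            upn=upn,
            source_ip=rec.get("ipAddress", "unknown"),
            timestamp=rec.get("createdDateTime", "unknown"),
            outcome="success" if err == 0 else f"failure({err})",
        ))
    return alerts

def alerts_from_jsonl(text: str) -> list[Alert]:
    """Parse newline-delimited JSON sign-in records and watch them."""
    return watch_signins(json.loads(line) for line in text.splitlines() if line.strip())

# Constructed sample records shaped like Entra ID sign-in entries (all values invented;
# error code 50126 is Entra's "invalid username or password").
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"createdDateTime": "2026-04-08T02:14:07Z", "userPrincipalName": "a.singh@contoso-example.com",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-08T02:15:41Z", "userPrincipalName": "svc-backup-admin@contoso-example.com",
     "ipAddress": "198.51.100.77", "status": {"errorCode": 50126}},
    {"createdDateTime": "2026-04-08T02:16:02Z", "userPrincipalName": "J.Doe.Finance@contoso-example.com",
     "ipAddress": "198.51.100.77", "status": {"errorCode": 0}},
])

if __name__ == "__main__":
    for a in alerts_from_jsonl(SAMPLE_LOG):
        print(f"MINE HIT {a.timestamp} {a.upn} from {a.source_ip} ({a.outcome})")
```

Run against the sample log, the legitimate sign-in is ignored and the two mine attempts from 198.51.100.77 (one failed, one successful) each produce an alert.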

MineField complements Credential Mines for the post-authentication phase. Once APT28 has valid session credentials and begins exploring the internal environment — mapping file shares, enumerating service accounts, testing lateral movement paths — MineField's decoy TCP services detect port scanning and network reconnaissance at the first probe. The attacker's internal IP, timing, and behavioural fingerprint are logged before a single real asset is touched.

Cloud Mines addresses the OAuth token component of the FrostArmada harvest. APT28 specifically targeted Microsoft 365 OAuth tokens, which grant cloud resource access. Cloud Mines deploys fake AWS and Azure resource endpoints that appear as high-value targets in any cloud environment enumeration. An attacker who has successfully stolen tokens and begins cloud reconnaissance will encounter Mine assets before real production systems — triggering detection before damage is done.

Compliance Obligations That Make Deception Detection Mandatory

The FrostArmada campaign is not just a technical threat — it is a compliance and regulatory liability. Organisations in regulated industries must understand how this attack intersects with their notification and audit trail requirements.

GDPR (Articles 33 and 34) requires notification to supervisory authorities within 72 hours of becoming aware of a personal data breach, and to affected individuals without undue delay when the breach is likely to result in high risk. A DNS hijacking attack that harvests employee and customer credentials constitutes a personal data breach. Without a detection control that fires at credential use, organisations may never become "aware" within GDPR's meaning — and may face enforcement action not for the breach itself, but for the failure to detect it.

India's Digital Personal Data Protection Act (DPDP Act) imposes breach notification obligations on Data Fiduciaries and mandates the establishment of controls to prevent unauthorised access. CERT-In's 6-hour mandatory incident reporting window — one of the tightest in the world — makes rapid detection existential for Indian organisations. Credential Mines provide the real-time detection mechanism that makes 6-hour reporting achievable.

PCI-DSS v4.0 (Requirement 11) mandates ongoing testing and monitoring of security controls, with specific requirements around detection of unauthorised network access and credential compromise. Deception technology is explicitly recognised in PCI guidance as a valid compensating control for detection.

RBI and SEBI Directives for Indian financial institutions require robust access controls, continuous monitoring, and documented incident response capabilities. The RBI's cybersecurity framework specifically calls for detection of credential misuse — a requirement that conventional controls struggle to meet against nation-state AitM campaigns.

HIPAA Security Rule requires covered entities and business associates to implement technical security measures to guard against unauthorised access to ePHI transmitted over electronic networks. Credential theft enabling access to healthcare systems represents a direct HIPAA violation, and the Security Rule's audit control requirements demand evidence of monitoring — which Mine2's detection logs provide.

In each regulatory framework, Mine2's detection capability is not merely a technical control — it is the documented evidence of monitoring, detection, and response that regulators require to demonstrate due diligence.

Practical Playbook: Hardening Against DNS Hijacking and Credential Replay

Security teams cannot retrofit defences into millions of home routers. But they can implement controls that assume the theft has already happened — and make that assumption their detection advantage.

Step 1: Deploy Credential Mines across the M365 identity surface. Seed fake Microsoft 365 credentials in Active Directory, endpoint credential managers, and developer configuration files. Configure Mine2 to alert immediately on any authentication attempt using a mine credential. This provides detection regardless of how credentials were stolen.

Step 2: Enable MineField on internal network segments. Any attacker who successfully authenticates via stolen credentials and begins internal reconnaissance will encounter decoy TCP services before reaching production assets. Deploy MineField on server VLANs, database subnets, and internal application tiers.

Step 3: Harden remote network infrastructure with Fortify posture checks. Publish mandatory router configuration standards for remote workers — HTTPS-only management access, firmware update requirements, DNS-over-HTTPS enforcement. Mine2's Fortify module can validate endpoint posture to detect deviations.

Step 4: Implement Entra ID Conditional Access with strict session lifetime controls. Token lifetime reduction limits the window during which a stolen OAuth token remains usable. Combine with continuous access evaluation for high-risk sign-in detection.

Step 5: Enable DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) on managed endpoints. Encrypted DNS queries cannot be intercepted or redirected by a compromised router in the same way. This is a direct architectural counter to the DNS hijacking technique. Microsoft, Cloudflare, and Google all operate DoH resolvers that endpoints can be configured to use exclusively.

Step 6: Activate Cloud Mines on AWS and Azure tenants. Given APT28's specific focus on harvesting OAuth tokens for cloud access, seeding decoy cloud resources creates a detection layer that fires when harvested tokens are used to enumerate cloud environments.

Step 7: Subscribe to threat intelligence feeds from NCSC, CISA, and Microsoft Threat Intelligence. Operation Masquerade's disruption included publication of IoCs and adversary infrastructure identifiers. Integrate these feeds into your SIEM and firewall blocklists.
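Steps 3 and 5 can be checked from the endpoint side. The following is an added example, not Mine2's Fortify module or any code from the article: it compares the A records a managed endpoint gets for outlook.office.com from its DHCP-assigned resolver against the answer from a DNS-over-HTTPS resolver, flags answers that are disjoint or point at non-public addresses, and reports configured nameservers outside an allowlist. The allowlist values are assumptions to replace with the resolvers your organisation mandates; the live lookups need network access, while the classification logic runs offline.

```python
"""DNS answer integrity check for an M365 hostname (defender-side)."""
import ipaddress
import json
import socket
import urllib.request

# Resolvers an endpoint is allowed to use. Constructed allowlist: replace with the
# DoH/DoT resolvers your organisation mandates (Step 5 above).
ALLOWED_RESOLVERS = {"1.1.1.1", "8.8.8.8"}

def classify(name: str, local: set[str], trusted: set[str]) -> dict:
    """Rate the answers from the DHCP-assigned resolver against a trusted one."""
    verdict, reasons = "ok", []
    if not local:
        verdict, reasons = "alert", ["local resolver returned no answer"]
    elif local.isdisjoint(trusted):
        verdict, reasons = "alert", ["local answers share nothing with trusted answers"]
    elif local != trusted:
        # Partial overlap is normal for CDN-fronted services; note it, do not alert.
        verdict, reasons = "info", ["answers differ but overlap"]
    for ip in local:
        addr = ipaddress.ip_address(ip)
        if addr.is_private or addr.is_loopback or addr.is_reserved:
            # A hijacked resolver may point at a LAN host serving a fake login page.
            verdict = "alert"
            reasons.append(f"{ip} is not a public address")
    return {"name": name, "verdict": verdict, "reasons": reasons}

def rogue_resolvers(configured: set[str]) -> set[str]:
    """Nameservers the endpoint is using that are outside the allowlist."""
    return configured - ALLOWED_RESOLVERS

def doh_lookup(name: str) -> set[str]:
    """Live A lookup over Cloudflare's DoH JSON endpoint (needs network access)."""
    req = urllib.request.Request(f"https://cloudflare-dns.com/dns-query?name={name}&type=A",
                                 headers={"accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        data = json.load(resp)
    return {a["data"] for a in data.get("Answer", []) if a.get("type") == 1}  # type 1 = A

def local_lookup(name: str) -> set[str]:
    """A lookup through whatever resolver DHCP handed this endpoint."""
    return {r[4][0] for r in socket.getaddrinfo(name, 443, socket.AF_INET)}

if __name__ == "__main__":
    host = "outlook.office.com"   # the hostname named in the article
    print(classify(host, local_lookup(host), doh_lookup(host)))
```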

The Strategic Lesson From Operation Masquerade

Operation Masquerade succeeded because it was a coordinated, resourced, government-led takedown involving 15 countries, multiple intelligence agencies, Microsoft, and Lumen. Most organisations do not have those resources. More critically, APT28's credential harvest happened before the takedown. The 200+ organisations identified as victims already had their credentials compromised. The disruption was a network disruption — it did not un-steal anything.

This is the operational lesson that threat intelligence teams need to absorb: takedowns are a macro-level intervention that comes too late for any individual victim. Your detection controls need to operate at the point of credential use — the moment an attacker, anywhere in the world, attempts to leverage what they stole months ago.

Credential Mines are that control. They do not require visibility into the theft. They do not depend on network telemetry you do not have. They do not generate false positives that drown the signal. They fire when an attacker uses a mine credential — and that is the only moment that matters.

If APT28 compromised your employees' home routers and harvested their M365 credentials last December, you may not know yet. But if your environment is seeded with Credential Mines, you will know the moment they try.


Discover how Mine2 deploys Credential Mines, MineField, and Cloud Mines across your environment in under 60 minutes — with zero performance impact and zero false positives. Visit https://www.mine2.io/product to see active defense through deception in action.


mine2 team

The MINE2 team consists of cybersecurity experts, researchers, and engineers dedicated to advancing threat detection and cyber deception technologies.
