Security

DNS Hijacking Attacks via SOHO Routers: Microsoft Warns

3 min read

Summary

Microsoft Threat Intelligence says Forest Blizzard has been compromising vulnerable home and small-office routers to hijack DNS traffic and, in some cases, enable adversary-in-the-middle attacks against targeted connections. The campaign matters to IT teams because unmanaged SOHO devices used by remote and hybrid workers can expose cloud access and sensitive data even when corporate environments remain secure.

Need help with Security?Talk to an Expert

Introduction

Microsoft has disclosed a large-scale campaign in which Forest Blizzard, a threat actor linked to Russian military intelligence, compromised vulnerable SOHO routers and changed their DNS settings. For organizations with remote and hybrid workers, this is a critical reminder that unmanaged home and small-office network gear can become a blind spot that exposes Microsoft 365 access and other sensitive traffic.

What’s new

According to Microsoft Threat Intelligence, the actor has been active since at least August 2025 and has used compromised edge devices to build malicious DNS infrastructure at scale.

Key findings

  • Forest Blizzard altered router configurations to point devices to actor-controlled DNS resolvers.
  • Microsoft identified more than 200 organizations and 5,000 consumer devices affected by the malicious DNS infrastructure.
  • The campaign enabled passive DNS collection and reconnaissance across targeted networks.
  • In a subset of cases, the actor used this position to support Transport Layer Security (TLS) adversary-in-the-middle (AiTM) attacks.
  • Microsoft observed follow-on targeting of Outlook on the web domains and separate AiTM activity against government servers in Africa.

Why this matters for IT administrators

The most important takeaway is that enterprise security controls do not fully protect traffic if a user’s upstream router is compromised. A home or small-office router can silently redirect DNS lookups, giving an attacker visibility into requested domains and, in selected scenarios, the opportunity to spoof responses and attempt traffic interception.

For Microsoft 365 customers, this is especially relevant where users access Outlook on the web or other cloud services from unmanaged networks. Even if Microsoft services themselves are not compromised, users may still be exposed if they ignore invalid TLS certificate warnings or if suspicious DNS activity goes undetected.

Microsoft recommends several immediate mitigation steps:

  • Review risks tied to remote users’ home and small-office networking equipment.
  • Enforce trusted DNS resolution where possible, including Zero Trust DNS (ZTDNS) controls on Windows endpoints.
  • Enable network protection and web protection in Microsoft Defender for Endpoint.
  • Block known malicious domains and retain detailed DNS logs for monitoring and investigation.
  • Audit router and edge device configurations, especially DNS and DHCP settings.
  • Ensure vulnerable SOHO devices are patched, securely configured, or replaced if no longer supported.
  • Train users not to bypass TLS certificate warnings.

Bottom line

This campaign shows how attackers can exploit weakly managed edge devices to gain visibility into higher-value enterprise targets. Security teams should expand their threat model beyond corporate infrastructure and account for home-office networking equipment as part of remote access and Microsoft 365 protection strategies.

Need help with Security?

Our experts can help you implement and optimize your Microsoft solutions.

Talk to an Expert

Stay updated on Microsoft technologies

DNS hijackingSOHO routersMicrosoft DefenderAiTMForest Blizzard

Related Posts

Security

Cloud Security Posture Management Trends for 2026

Frost & Sullivan’s 2025 Frost Radar shows cloud security posture management is shifting from periodic compliance checks to continuous, risk-based governance within CNAPP platforms. For IT and security teams, the key takeaway is clear: prioritize tools that unify posture, identity, workload, and data signals to reduce risk faster across multicloud environments.

Security

Microsoft CSP Security: New Partner Ecosystem Protections

Microsoft outlined how it is strengthening security across its Cloud Solution Provider ecosystem to reduce partner-led attacks on customer environments. The update focuses on tighter partner vetting, mandatory tenant security requirements, least-privilege access through GDAP, and stronger monitoring and response capabilities.

Security

Microsoft Frost Radar 2026: Cloud Runtime Security

Microsoft has been named a leader in Frost & Sullivan’s 2026 Frost Radar for Cloud/Application Runtime Security, highlighting its unified approach to cloud and application risk reduction. The recognition matters to security teams because it reflects a broader market shift toward prioritizing exploitable attack paths across code, cloud, runtime, identity, and SOC workflows.

Security

Quantum-Safe Security: Microsoft Targets 2029

Microsoft is accelerating its quantum-safe security roadmap and now aims to transition critical products and services to post-quantum cryptography by 2029. The update matters because IT teams need to start cryptographic inventory, crypto-agility planning, and TLS 1.3 modernization sooner as the risk timeline for quantum attacks moves closer.

Security

Securing AI Agents: MCP Tool Poisoning Risks

Microsoft Incident Response warns that as AI agents move from reading content to taking actions, poisoned Model Context Protocol (MCP) tool metadata can silently redirect agent behavior and expose sensitive data. The guidance outlines how to detect, contain, and prevent this emerging supply chain risk using controls across Copilot Studio, Entra, Purview, Defender, and Sentinel.

Security

Microsoft Security June 2026: Key Updates for IT

Microsoft’s June 2026 security updates introduce new protections for AI agents, stronger identity recovery in Entra, expanded multicloud coverage in Defender for Cloud, and more flexible reporting in Purview. These changes matter for IT and security teams because they improve visibility, speed remediation, and help protect identities, data, endpoints, and cloud workloads across hybrid environments.