Security

DNS Hijacking Attacks via SOHO Routers: Microsoft Warns

Summary

Microsoft Threat Intelligence says Forest Blizzard has been compromising vulnerable home and small-office routers to hijack DNS traffic and, in some cases, enable adversary-in-the-middle attacks against targeted connections. The campaign matters to IT teams because unmanaged SOHO devices used by remote and hybrid workers can expose cloud access and sensitive data even when corporate environments remain secure.

Introduction

Microsoft has disclosed a large-scale campaign in which Forest Blizzard, a threat actor linked to Russian military intelligence, compromised vulnerable SOHO routers and changed their DNS settings. For organizations with remote and hybrid workers, this is a critical reminder that unmanaged home and small-office network gear can become a blind spot that exposes Microsoft 365 access and other sensitive traffic.

What’s new

According to Microsoft Threat Intelligence, the actor has been active since at least August 2025 and has used compromised edge devices to build malicious DNS infrastructure at scale.

Key findings

  • Forest Blizzard altered router configurations to point devices to actor-controlled DNS resolvers.
  • Microsoft identified more than 200 organizations and 5,000 consumer devices affected by the malicious DNS infrastructure.
  • The campaign enabled passive DNS collection and reconnaissance across targeted networks.
  • In a subset of cases, the actor used this position to support Transport Layer Security (TLS) adversary-in-the-middle (AiTM) attacks.
  • Microsoft observed follow-on targeting of Outlook on the web domains and separate AiTM activity against government servers in Africa.

Why this matters for IT administrators

The most important takeaway is that enterprise security controls do not fully protect traffic if a user’s upstream router is compromised. A home or small-office router can silently redirect DNS lookups, giving an attacker visibility into requested domains and, in selected scenarios, the opportunity to spoof responses and attempt traffic interception.

For Microsoft 365 customers, this is especially relevant where users access Outlook on the web or other cloud services from unmanaged networks. Even if Microsoft services themselves are not compromised, users may still be exposed if they ignore invalid TLS certificate warnings or if suspicious DNS activity goes undetected.

Microsoft recommends several immediate mitigation steps:

  • Review risks tied to remote users’ home and small-office networking equipment.
  • Enforce trusted DNS resolution where possible, including Zero Trust DNS (ZTDNS) controls on Windows endpoints.
  • Enable network protection and web protection in Microsoft Defender for Endpoint.
  • Block known malicious domains and retain detailed DNS logs for monitoring and investigation.
  • Audit router and edge device configurations, especially DNS and DHCP settings.
  • Ensure vulnerable SOHO devices are patched, securely configured, or replaced if no longer supported.
  • Train users not to bypass TLS certificate warnings.
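The "retain detailed DNS logs" and "audit DNS settings" steps above can be turned into a concrete check. The following is an added example, not code from Microsoft or from this post: it parses constructed outbound flow log lines and flags any client whose DNS traffic goes to a resolver outside a trusted allow-list, which is the signature a hijacked SOHO router leaves behind. The log format, the resolver addresses and the client addresses are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical allow-list: the resolvers your endpoints are supposed to use
# (e.g. the ZTDNS-approved or corporate resolvers). Constructed values.
TRUSTED_RESOLVERS = {
    ipaddress.ip_address("10.10.0.53"),
    ipaddress.ip_address("10.10.1.53"),
}
# Plain DNS (53) and DNS-over-TLS (853). DNS-over-HTTPS rides on 443 and
# cannot be told apart from web traffic by port alone; it needs a resolver
# address list or TLS SNI inspection instead.
DNS_PORTS = {53, 853}

# Assumed flow-log line format (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def parse_flow(line):
    """Parse one flow-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]), "proto": m["proto"]}

def find_untrusted_resolvers(lines, trusted=TRUSTED_RESOLVERS):
    """Map each client to the sorted list of non-allow-listed resolvers it used."""
    findings = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f is None or f["dport"] not in DNS_PORTS:
            continue  # not DNS traffic (or unparseable), ignore
        if f["dst"] not in trusted:
            findings[str(f["src"])].add(str(f["dst"]))
    return {client: sorted(resolvers) for client, resolvers in findings.items()}

# Constructed sample log: two clients talking to an unexpected resolver on
# 203.0.113.7, one to an unexpected DoT endpoint, and one clean client.
SAMPLE_LOG = [
    "2025-09-01T08:00:01Z src=192.168.1.20 dst=10.10.0.53 dport=53 proto=udp",
    "2025-09-01T08:00:02Z src=192.168.1.20 dst=203.0.113.7 dport=53 proto=udp",
    "2025-09-01T08:00:03Z src=192.168.1.21 dst=10.10.1.53 dport=853 proto=tcp",
    "2025-09-01T08:00:04Z src=192.168.1.21 dst=203.0.113.7 dport=53 proto=udp",
    "2025-09-01T08:00:05Z src=192.168.1.22 dst=198.51.100.9 dport=443 proto=tcp",
    "2025-09-01T08:00:06Z src=192.168.1.23 dst=198.51.100.9 dport=853 proto=tcp",
]

if __name__ == "__main__":
    for client, resolvers in find_untrusted_resolvers(SAMPLE_LOG).items():
        print(f"{client}: untrusted DNS resolver(s) {', '.join(resolvers)}")
```

A single client on an unexpected resolver is often a local misconfiguration; several clients behind the same home router all shifting to the same unknown resolver at once is the pattern worth escalating.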

Bottom line

This campaign shows how attackers can exploit weakly managed edge devices to gain visibility into higher-value enterprise targets. Security teams should expand their threat model beyond corporate infrastructure and account for home-office networking equipment as part of remote access and Microsoft 365 protection strategies.
