Russia Exploits Router Flaws to Harvest Microsoft Office Tokens
Security researchers have linked a new wave of cyber‑attacks to Russia’s military intelligence, specifically the APT groups tied to the GRU, which are actively exploiting known vulnerabilities in legacy internet routers to conduct large‑scale token harvesting from Microsoft Office users. By leveraging unpatched firmware flaws in older Cisco, Huawei and MikroTik devices, the attackers redirect authentication traffic and extract the OAuth tokens that Microsoft Office uses for single sign‑on, effectively bypassing traditional password checks.
The stolen tokens grant the adversaries the same level of access as a legitimate user, allowing them to read emails, modify documents in SharePoint, and move laterally within cloud environments without triggering multi‑factor authentication prompts. According to a detailed analysis by KrebsOnSecurity, the campaign is estimated to have harvested millions of tokens over the past several months, with the primary targets being government agencies, defense contractors and multinational corporations that rely heavily on Microsoft’s productivity suite.
Organizations are advised to immediately audit router firmware, apply the latest security patches, and disable unused management interfaces to reduce the attack surface. In addition, deploying token‑monitoring solutions, enforcing Conditional Access policies, and requiring phishing‑resistant multi‑factor authentication can help detect and block the misuse of compromised credentials. Security teams should also review sign‑in logs for anomalous patterns, such as simultaneous token usage from disparate geographic locations, which is a hallmark of token theft operations.
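The sign‑in log review recommended above, as an added example that is not part of the article or the analysis it cites: a small Python detector that parses constructed sign‑in records and flags the same token being used from two locations too far apart for the time between them. This generalises "simultaneous token usage from disparate geographic locations" to any implausible implied travel speed, so a reuse minutes apart is caught as well as one at the same instant. The record schema (ts, user, token_id, ip, lat, lon), the speed and distance thresholds, and every sample value are assumptions; real cloud sign‑in logs use different field names and must be mapped onto this shape first.

```python
import json
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in records; not real log data. The field names are an
# assumed, simplified schema (real sign-in logs differ, so map them first).
# "token_id" stands for whatever stable identifier the logs attach to a session
# or refresh token. Two documentation-range IPs are used for all samples.
SAMPLE_SIGNIN_LOG = """\
{"ts": "2024-05-01T08:00:00Z", "user": "alice@example.com", "token_id": "tok-1", "ip": "203.0.113.10", "lat": 51.50, "lon": -0.12}
{"ts": "2024-05-01T08:07:00Z", "user": "alice@example.com", "token_id": "tok-1", "ip": "198.51.100.7", "lat": 55.75, "lon": 37.62}
{"ts": "2024-05-01T09:00:00Z", "user": "bob@example.com", "token_id": "tok-2", "ip": "203.0.113.55", "lat": 40.71, "lon": -74.00}
{"ts": "2024-05-01T15:30:00Z", "user": "bob@example.com", "token_id": "tok-2", "ip": "203.0.113.56", "lat": 42.36, "lon": -71.06}
{"ts": "2024-05-01T10:00:00Z", "user": "carol@example.com", "token_id": "tok-3", "ip": "192.0.2.9", "lat": 48.85, "lon": 2.35}
{"ts": "2024-05-01T10:00:30Z", "user": "carol@example.com", "token_id": "tok-3", "ip": "192.0.2.9", "lat": 48.85, "lon": 2.35}
"""

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumed: roughly airliner cruise speed; tune per environment
MIN_DISTANCE_KM = 100.0          # assumed: ignore geolocation jitter inside one metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def parse_signin_log(text):
    """Parse newline-delimited JSON sign-in records and convert timestamps."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def find_impossible_travel(records, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH,
                           min_distance_km=MIN_DISTANCE_KM):
    """Flag consecutive uses of one token whose implied travel speed is implausible.

    Grouping by token id rather than only by user matters: a stolen token reused
    from a new location keeps its id, and because the session is already
    authenticated no fresh MFA prompt will appear in the log to give it away.
    """
    by_token = defaultdict(list)
    for rec in records:
        by_token[rec["token_id"]].append(rec)

    alerts = []
    for token_id, events in by_token.items():
        events.sort(key=lambda r: r["ts"])
        for prev, cur in zip(events, events[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < min_distance_km:
                continue  # same area: ordinary reuse, not worth an alert
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            # Zero elapsed time (truly simultaneous use) yields infinite speed.
            speed = dist / hours if hours > 0 else math.inf
            if speed > max_speed_kmh:
                alerts.append({
                    "token_id": token_id,
                    "user": cur["user"],
                    "from_ip": prev["ip"],
                    "to_ip": cur["ip"],
                    "distance_km": round(dist, 1),
                    "minutes_apart": round(hours * 60, 1),
                    "implied_speed_kmh": round(speed, 1),
                    "first_seen": prev["ts"].isoformat(),
                    "then_seen": cur["ts"].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(parse_signin_log(SAMPLE_SIGNIN_LOG)):
        print(json.dumps(alert))
```

Run against the constructed records, only the first token is flagged: it is seen in London and then in Moscow seven minutes later, an implied speed far beyond the threshold, while the second token's New York to Boston hop over six hours and the third token's repeated use from one place pass silently. The thresholds are deliberately coarse; in production the geolocation source, VPN egress points and the token identifier actually present in the logs all need to be chosen before the rule is trusted.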