Russian Hackers Exploit Router Flaws for Microsoft Office Token Theft — How to Identify & Stay Safe
INDIA — By BharatSecure Threat Intelligence Team
Severity: HIGH
Microsoft Office Hacked in India via Router Flaws: Protect Yourself in 2026
Russian hackers are targeting Microsoft Office users in India by exploiting weaknesses in older routers, potentially giving them access to your accounts.
What Is the Russian Router-Flaw Attack on Microsoft Office Tokens?
This scam involves sophisticated Russian hacking groups, specifically those linked to military intelligence units like APT28 (also known as Forest Blizzard), targeting vulnerabilities in older internet routers commonly used in Indian homes and small businesses. The hackers' goal is to steal Microsoft Office authentication tokens – the digital "keys" that allow you to log in to your Microsoft accounts. Millions of Indians use Microsoft Office for work, communication, and personal purposes, making this a widespread threat. Cybercriminals know that many Indian users still run older routers that have not received the latest security patches, which makes those routers easier targets.
Unlike traditional hacking methods that rely on malware on your computer, this attack quietly manipulates the router's DNS (Domain Name System) settings. By changing these settings, hackers can redirect your internet traffic to servers they control. This allows them to intercept your Microsoft Office login credentials when you try to access your account, potentially giving them full control of your email, documents, and other sensitive information stored in your Microsoft account. There are no official advisories on this specific campaign from RBI, CERT-In, or I4C, but all three regularly issue warnings about router security and phishing attacks.
The success of this scam relies on the fact that many users do not regularly update their router's firmware or change the default passwords, making them easy targets for exploitation.
How This Scam Works — Step by Step
Here's the typical sequence of events in this scam:
- Router Compromise: Hackers identify and exploit vulnerabilities in common router models, particularly older ones with known security flaws.
- DNS Hijacking: Once inside your router, the criminals change the DNS settings. This directs your internet traffic to their malicious servers.
- Fake Login Page: When you attempt to log in to Microsoft Office (through a website or application), you're unknowingly directed to a fake login page that looks identical to the real one. One practical check: because an attacker cannot obtain a valid TLS certificate for a genuine Microsoft hostname, a DNS-hijacked connection to the real address (for example https://login.microsoftonline.com) produces a browser certificate warning, and the fake page only succeeds if that warning is clicked through or the redirection lands on a different, lookalike domain. Never bypass a certificate warning on a login page.
- Token Theft: As you enter your username and password, the fake login page captures them and, once the sign-in completes, the authentication token issued for your session as well. These details are then sent to the hackers.
- Account Access: With your stolen token, the hackers gain complete control of your Microsoft Office account. They can read your emails, access your documents, send messages posing as you, and potentially steal sensitive data.
- Lateral Movement: In some cases, hackers may use this initial access to target other accounts, systems, or networks you are connected to, increasing the scope of the attack.
Real Warning Signs to Watch For
- Unusual Login Prompts: Be wary of unexpected login requests from Microsoft Office, especially if they appear more frequently than usual.
- Slow Internet Speed: If your internet speed suddenly slows down, it might indicate that your router has been compromised and your traffic is being redirected.
- Website Redirections: Notice any unexpected redirections when browsing to familiar websites, particularly Microsoft sites.
- Strange Router Settings: Check your router's settings regularly for any unauthorized changes to the DNS settings or other configurations. The default DNS is usually provided by your ISP.
- Suspicious Emails or Documents: Be cautious of emails or documents requesting your Microsoft Office login credentials or containing suspicious links.
- Antivirus Warnings: Heed any warnings from your antivirus software, especially those related to network security or suspicious websites.
- Router Firmware Updates: Neglecting router firmware updates for extended periods can also serve as a red flag, indicating a potential vulnerability waiting to be exploited.
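The DNS-hijacking step described in "How This Scam Works" and the "Strange Router Settings" warning sign above can both be checked with a small script. The following is an added example written for this article, not code from BharatSecure; it runs offline on constructed sample data. It assumes two inputs you would collect yourself: the resolver configuration of a device on your LAN (resolv.conf-style text) and the WAN DNS fields copied from your router's admin page, plus a set of resolvers you deliberately use (the EXPECTED_UPSTREAM values are placeholders; substitute your ISP's servers). As a second, independent signal it compares the addresses a watched hostname resolves to via the configured resolver against answers from a trusted out-of-band resolver; the sample answers use documentation address ranges and are constructed, not real Microsoft addresses.

```python
import ipaddress
from typing import Dict, Iterable, List, Set

# Assumption: the upstream resolvers this household deliberately uses
# (constructed; substitute your ISP's servers or the public resolvers you chose).
EXPECTED_UPSTREAM: Set[str] = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}

# Address space that belongs to the LAN side (RFC 1918, loopback, link-local).
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed resolv.conf-style configuration from a laptop on the LAN.
# Pointing at the router (192.168.1.1) is normal; the router then forwards upstream.
SAMPLE_DEVICE_RESOLV_CONF = """\
# Generated by DHCP from the home router
nameserver 192.168.1.1
search home.lan
"""

# Constructed copy of the router's WAN DNS fields after a hijack: one entry now
# points into the TEST-NET-3 documentation range, standing in for an attacker server.
SAMPLE_ROUTER_UPSTREAM = ["1.1.1.1", "203.0.113.53"]

# Constructed A-record answers for the real Microsoft sign-in hosts, as returned by
# the configured (hijacked) resolver and by a trusted out-of-band resolver.
SAMPLE_CONFIGURED_ANSWERS = {
    "login.microsoftonline.com": {"203.0.113.10"},
    "login.live.com": {"203.0.113.11"},
    "www.office.com": {"198.51.100.20"},
}
SAMPLE_TRUSTED_ANSWERS = {
    "login.microsoftonline.com": {"198.51.100.5", "198.51.100.6"},
    "login.live.com": {"198.51.100.7"},
    "www.office.com": {"198.51.100.20", "198.51.100.21"},
}


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Extract nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolvers(servers: Iterable[str], expected: Set[str]) -> Dict[str, List[str]]:
    """Bucket resolver addresses as expected, local (the router/loopback) or unexpected."""
    report: Dict[str, List[str]] = {"expected": [], "local": [], "unexpected": []}
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            report["unexpected"].append(server)  # not an IP address at all
            continue
        if server in expected:
            report["expected"].append(server)
        elif any(addr in net for net in LAN_NETWORKS):
            # A LAN address means the router forwards for us: its own upstream
            # DNS fields must be checked separately (see SAMPLE_ROUTER_UPSTREAM).
            report["local"].append(server)
        else:
            report["unexpected"].append(server)
    return report


def compare_answers(configured: Dict[str, Set[str]], trusted: Dict[str, Set[str]]) -> List[str]:
    """Hostnames whose answers from the two resolvers share no address at all.

    Disjoint answer sets are a lead, not proof: large services use geo-distributed
    CDNs, so confirm by checking who owns the unexpected address and whether the
    TLS certificate it presents is valid for the hostname.
    """
    suspicious = []
    for host in sorted(set(configured) | set(trusted)):
        a, b = configured.get(host, set()), trusted.get(host, set())
        if a and b and a.isdisjoint(b):
            suspicious.append(host)
    return suspicious


def run_checks() -> Dict[str, object]:
    """Run both signals over the constructed samples and summarise the findings."""
    device = classify_resolvers(parse_nameservers(SAMPLE_DEVICE_RESOLV_CONF), EXPECTED_UPSTREAM)
    router = classify_resolvers(SAMPLE_ROUTER_UPSTREAM, EXPECTED_UPSTREAM)
    mismatched = compare_answers(SAMPLE_CONFIGURED_ANSWERS, SAMPLE_TRUSTED_ANSWERS)
    return {
        "device_unexpected": device["unexpected"],
        "router_unexpected": router["unexpected"],
        "mismatched_hosts": mismatched,
        "hijack_suspected": bool(device["unexpected"] or router["unexpected"] or mismatched),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

On the sample data the device's own configuration looks clean (it simply points at the router), which is exactly why the router's WAN DNS fields have to be inspected as well: that is where the unexpected 203.0.113.53 entry appears, and the two sign-in hostnames whose answers share nothing with the trusted resolver corroborate it. www.office.com is not flagged because one address overlaps, which illustrates the CDN caveat in the code.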
What Happens to Victims
The consequences of falling victim to this scam can be severe. You could lose access to your important documents, emails, and other data stored in your Microsoft account. Financial information stored in your emails or documents could be compromised, leading to potential financial fraud. In more extreme cases, hackers might use your account to spread malware or phishing scams targeting your contacts, damaging your reputation and potentially leading to further financial losses.
In India, the compromised accounts can be used to access sensitive information like Aadhaar details or PAN numbers, which can then be used for identity theft and financial fraud. The hackers might also use your compromised account to send fraudulent UPI payment requests to your contacts, leading to direct financial losses for both you and your network. A SIM swap scam, facilitated by access to your email and contacts, can inflict even more severe financial and reputational damage.
What RBI and CERT-In Say
While there might not be a specific advisory addressing this exact router-based Microsoft Office hack, both the Reserve Bank of India (RBI) and the Indian Computer Emergency Response Team (CERT-In) regularly issue warnings about phishing attacks, malware threats, and the importance of maintaining good cybersecurity hygiene. CERT-In provides guidelines on securing your home and office networks, including steps to protect your router. The RBI also encourages users to report any instances of financial fraud to their bank and the cybercrime helpline (1930). Remember: staying informed and vigilant is your best defense.
How to Protect Yourself
- Update Your Router Firmware: Regularly update your router's firmware to the latest version released by the manufacturer. These updates often include critical security patches.
- Change Default Router Credentials: Change the default username and password of your router to a strong, unique combination.
- Use Strong Passwords: Use strong, unique passwords for your Microsoft Office account and other online accounts.
- Enable Two-Factor Authentication (2FA): Enable 2FA for your Microsoft Office account to add an extra layer of security. Require a code from your phone or authenticator app in addition to your password.
- Use Reputable Antivirus Software: Install and maintain reputable antivirus software on your computer and other devices.
- Monitor Router Logs: It’s good practice to monitor your router logs regularly for any suspicious activity.
- Consider a More Secure Router: If you have an older router, consider upgrading to a newer model with improved security features.
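The "Monitor Router Logs" advice above is only useful if you know which events to look for. The script below is an added example written for this article, not BharatSecure's own tooling, and it runs offline on a constructed router log. Router log formats differ between vendors, so the "date time LEVEL component: message" layout, the wording of the messages, the MAC addresses in KNOWN_DEVICES and the internet-side addresses (taken from the TEST-NET-3 documentation range) are all assumptions; adapt the regular expressions to your router's actual output. It flags the events that matter in the attack this article describes: administrative logins from the internet side, a burst of failed admin logins, changes to the WAN DNS settings, remote management being switched on, and DHCP leases handed to devices you do not recognise (the "unfamiliar devices" sign mentioned in the FAQ).

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed allowlist of the MAC addresses you recognise on your LAN (placeholders).
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "family laptop",
    "aa:bb:cc:00:00:02": "phone",
}
FAILED_LOGIN_THRESHOLD = 3  # repeated failures from one address before we alert

# Constructed router log in an assumed 'date time LEVEL component: message' layout.
# Internet-side addresses use the TEST-NET-3 documentation range.
SAMPLE_ROUTER_LOG = """\
2026-01-14 02:13:07 INFO auth: admin login success from 192.168.1.23
2026-01-14 02:14:51 WARN auth: admin login failed from 203.0.113.77
2026-01-14 02:14:53 WARN auth: admin login failed from 203.0.113.77
2026-01-14 02:14:56 WARN auth: admin login failed from 203.0.113.77
2026-01-14 02:15:02 INFO auth: admin login success from 203.0.113.77
2026-01-14 02:15:30 INFO config: WAN DNS changed from 1.1.1.1,1.0.0.1 to 203.0.113.53,1.1.1.1
2026-01-14 02:15:41 INFO config: remote management enabled on port 8080
2026-01-14 08:00:00 INFO dhcp: lease 192.168.1.23 assigned to aa:bb:cc:00:00:01
2026-01-14 08:05:12 INFO dhcp: lease 192.168.1.40 assigned to de:ad:be:ef:00:01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<level>\w+) (?P<component>\w+): (?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"admin login (?P<result>success|failed) from (?P<ip>[\d.]+)")
LEASE_RE = re.compile(
    r"lease (?P<ip>[\d.]+) assigned to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

# Address space that belongs to the LAN side; anything else is treated as internet-facing.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_wan_address(ip: str) -> bool:
    """True when the address is not in the LAN/loopback ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LAN_NETWORKS)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields; None for lines in another format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text: str) -> List[Dict[str, str]]:
    """Walk the log once and emit an alert for each event worth a human's attention."""
    alerts: List[Dict[str, str]] = []
    failures: Counter = Counter()  # failed admin logins per source address
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        ts, msg = entry["ts"], entry["msg"]
        login = LOGIN_RE.search(msg)
        if login:
            ip = login.group("ip")
            if login.group("result") == "failed":
                failures[ip] += 1
                if failures[ip] == FAILED_LOGIN_THRESHOLD:
                    alerts.append({"ts": ts, "type": "login_bruteforce",
                                   "detail": f"{failures[ip]} failed admin logins from {ip}"})
            elif is_wan_address(ip):
                # A successful admin login from the internet side is never expected
                # on a home router; it usually means remote management was exposed.
                alerts.append({"ts": ts, "type": "wan_admin_login",
                               "detail": f"admin logged in from internet address {ip}"})
            continue
        if entry["component"] == "config":
            lowered = msg.lower()
            if "dns" in lowered and "changed" in lowered:
                alerts.append({"ts": ts, "type": "dns_changed", "detail": msg})
            elif "remote management enabled" in lowered:
                alerts.append({"ts": ts, "type": "remote_management_enabled", "detail": msg})
            continue
        lease = LEASE_RE.search(msg)
        if lease and lease.group("mac").lower() not in KNOWN_DEVICES:
            alerts.append({"ts": ts, "type": "unknown_device",
                           "detail": f"{lease.group('mac')} got {lease.group('ip')}"})
    return alerts


def alert_types(log_text: str) -> List[str]:
    """Just the alert kinds, in the order they fired."""
    return [a["type"] for a in analyse(log_text)]


if __name__ == "__main__":
    for alert in analyse(SAMPLE_ROUTER_LOG):
        print(f"{alert['ts']}  {alert['type']:<26} {alert['detail']}")
```

Run against the sample, the sequence of alerts tells the story of the attack in order: three failed admin logins from an internet address, a successful one from the same address, the WAN DNS entry changing to an unexpected server, remote management being enabled, and finally a device nobody in the household recognises. The first admin login (from 192.168.1.23, a LAN address) and the lease for a known MAC produce no alert, which keeps the output short enough to review by hand.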
What to Do If You've Been Targeted
If you suspect that your router or Microsoft Office account has been compromised:
- Change Your Passwords Immediately: Change the passwords for your Microsoft Office account, router, and other important online accounts.
- Enable Two-Factor Authentication: If you haven't already, enable 2FA for your Microsoft Office account and other important online accounts.
- Scan Your Devices with Antivirus Software: Run a full system scan with your antivirus software to detect and remove any malware.
- Report the Incident: Report the incident to the National Cyber Crime Reporting Portal at cybercrime.gov.in and call the cybercrime helpline at 1930.
- Contact Your Bank: If you suspect any financial fraud, contact your bank immediately to freeze your accounts and report the incident.
- Contact Microsoft Support: Reach out to Microsoft support for assistance in securing your compromised account.
Frequently Asked Questions
Q: How can I tell if my router has been hacked?
A: Look for signs like slow internet speed, unusual website redirections, unfamiliar devices connected to your network, and changes to your router's settings without your knowledge.
Q: What is a DNS setting, and why is it important?
A: DNS settings translate website names (like bharatsecure.app) into IP addresses that computers use to locate websites. Hackers manipulate these settings to redirect you to fake websites that steal your information.
Q: Can I get my money back if I lose it in this scam?
A: It's difficult, but not impossible. Report the fraud to your bank immediately and file a cybercrime complaint. The sooner you act, the better your chances of recovering lost funds, especially if the money was sent via UPI. Some UPI apps offer a dispute resolution mechanism.
Verify any suspicious messages or links at BharatSecure.app before clicking.