Russian Hackers Exploit Router Flaws to Steal Microsoft Office Authentication Tokens — How to Identify & Stay Safe

Severity: HIGH


Russian Hackers Exploit Router Flaws to Steal Microsoft Office Authentication Tokens in India — Scam Alert 2026

Russian hacker groups are targeting outdated internet routers in India to steal Microsoft Office authentication tokens, putting millions of users at high risk of data theft and fraud.

What Is the Router-Flaw Attack That Steals Microsoft Office Authentication Tokens?

This campaign is attributed to Forest Blizzard, also tracked as APT28, a group assessed to be backed by the Russian state. It exploits security weaknesses in older router models commonly used in Indian homes and small offices. Those flaws let the attackers quietly change the router's DNS settings (DNS is the system that translates website names into IP addresses) without the owner noticing.

By redirecting sign-in attempts to fake Microsoft login pages, the attackers capture authentication tokens. A token acts like a digital key: whoever holds it can use the Microsoft 365 account (Outlook mail, OneDrive files, Teams chats) without re-entering the password, and it keeps working until it expires or the account's sessions are revoked. Since many Indian offices, educational institutions and government bodies rely heavily on Microsoft 365, this exposes a large number of users and a great deal of sensitive data.

According to CERT-In (Indian Computer Emergency Response Team), router security is a growing concern, and many breaches like these go unreported because users remain unaware that their credentials have been compromised. RBI and the I4C (Indian Cyber Crime Coordination Centre) also flag this as a high-severity risk (7/10), urging users to update their devices and monitor account activity closely.

How This Scam Works — Step by Step

  1. Identifying Vulnerable Routers: Hackers scan the internet for routers that have outdated firmware or weak default passwords—very common in Indian households and small businesses using budget routers.

  2. DNS Hijacking: Once inside, they change the DNS servers the router hands out to every device on the network. Each time a victim tries to reach a Microsoft sign-in page, the name is resolved by the attackers' server and the browser is sent to a look-alike page they control. Because the change is made on the router, every phone and laptop behind it is affected at once.

  3. Phishing Login Page: The victim sees an authentic-looking Microsoft login screen and enters their credentials. Victims are often prompted more than once, since no genuine session is ever established and each visit to the hijacked name lands on the fake page again.

  4. Stealing Authentication Tokens: No malware is installed and no antivirus alert fires. The fake page captures what the victim submits (the password and any one-time code) and uses it to obtain a valid Microsoft 365 sign-in session; the resulting token is what the attackers keep.

  5. Account Takeover: Using these tokens, hackers log into the victim’s Office accounts, stealing emails, confidential documents, and potentially accessing linked financial data.

  6. Further Exploitation: Stolen tokens and data can be used for targeted phishing attacks, identity theft, or even unauthorized UPI payment requests, leveraging compromised email accounts to trick contacts.

Real Warning Signs to Watch For

  1. Repeated Microsoft sign-in prompts, especially on a device that was already signed in.
  2. A browser certificate warning ("Your connection is not private") when opening a Microsoft sign-in page. A hijacked router sends you to a server that cannot present a valid certificate for the genuine Microsoft hostname, so never click through such a warning.
  3. The address bar showing something other than login.microsoftonline.com (or login.live.com for personal accounts) when you are asked to sign in.
  4. DNS server entries in the router's admin panel that you never set and that are not your ISP's or a well-known public resolver.
  5. Sign-ins from unfamiliar locations or devices in your Microsoft account's recent activity.
  6. Contacts reporting payment requests or odd emails sent from your address.

What Happens to Victims

Victims can suffer severe financial and emotional losses. With access to Microsoft accounts, hackers can retrieve Aadhaar-linked documents saved on OneDrive, compromise business contracts, or intercept tax filings. For Indian users, this breach often leads to fraudulent transactions via UPI apps as the attackers exploit email communications to convince contacts to transfer funds or share sensitive details.

Unlike a fraudulent UPI transaction, which can sometimes be reversed under RBI's customer-liability rules, digital identity theft from a Microsoft account is hard to undo and can cause long-term damage. Victims also face psychological stress, loss of reputation, and painstaking effort to restore trust and secure their digital identities.

What RBI and CERT-In Say

While CERT-In has urged all internet users and service providers to update firmware and implement strong router password policies, the RBI highlights the importance of secure digital banking sessions and warns about phishing schemes targeting corporate emails linked to finances.

For urgent help, report the incident on the national cybercrime helpline 1930 (run by I4C) or online at cybercrime.gov.in; organisations can also report to CERT-In at incident@cert-in.org.in. Contact your bank's fraud helpline immediately if any money moved, and stay alert to email communications tied to financial transactions, as RBI advises.

The I4C continues to coordinate with ISPs and cybersecurity experts to identify such router-based exploits and spread awareness tailored to Indian digital infrastructure.

How to Protect Yourself

  1. Update Router Firmware Regularly: Log into the router's admin panel, check the firmware version, and install the latest release from the manufacturer's website. If the manufacturer no longer publishes updates for your model, replace the router.
  2. Change Default Router Passwords: Set a strong, unique admin password, and disable remote (WAN-side) administration so the admin panel cannot be reached from the internet at all.
  3. Enable Two-Factor Authentication (2FA) on Microsoft Accounts: This adds a layer beyond the password. One caveat: a fake sign-in page that relays what you type can also capture a one-time code and the session it unlocks, so prefer phishing-resistant methods (a passkey or a FIDO2 security key) where your account offers them.
  4. Check DNS Settings on Your Router: Ensure they point only to servers you chose or your ISP provides (e.g., Google DNS: 8.8.8.8, 8.8.4.4). Any DNS server you do not recognise is a sign of tampering.
  5. Monitor Microsoft Account Activity: Regularly review recent sign-ins and sign out of unfamiliar devices.
  6. Beware of Suspicious Login Prompts: Don't enter credentials on pages that appear repeatedly or look wrong. Check that the address bar shows login.microsoftonline.com (or login.live.com for personal accounts) over HTTPS, and never click through a browser certificate warning on a Microsoft sign-in page.
  7. Use Secured Wi-Fi Networks: Avoid public or unsecured Wi-Fi when accessing sensitive accounts.
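To make items 4 and 6 concrete, here is an added example (not code from the original alert, BharatSecure or Microsoft) that checks the DNS servers a router hands out and then opens a verified TLS connection to the Microsoft sign-in host. The resolver allowlist, the sample resolv.conf text, the stand-in attacker address and the script name dns_check.py are constructed for the example; it assumes Python 3.7 or later and a normal system CA store.

```python
"""dns_check.py: flag unexpected DNS resolvers and verify the TLS identity of the
Microsoft sign-in host. Added example for this alert, not code from the original
page, BharatSecure or Microsoft. Allowlist and sample inputs are constructed."""
import ipaddress
import socket
import ssl
import sys

# Constructed allowlist of well-known public resolvers (Google DNS is the pair the
# alert recommends). Your ISP's resolvers are not here: add them once you have
# confirmed their addresses with the ISP, or expect them to be flagged for review.
TRUSTED_RESOLVERS = {
    "8.8.8.8", "8.8.4.4",          # Google Public DNS
    "1.1.1.1", "1.0.0.1",          # Cloudflare
    "9.9.9.9", "149.112.112.112",  # Quad9
}

SIGNIN_HOST = "login.microsoftonline.com"

# Constructed sample of a hijacked hand-out: the router itself plus a public
# resolver the owner never configured (91.200.12.34 is a stand-in, not a real IOC).
SAMPLE_RESOLV_CONF = "# constructed sample\nnameserver 192.168.1.1\nnameserver 91.200.12.34\n"


def classify_resolver(addr, trusted=TRUSTED_RESOLVERS):
    """Return 'trusted', 'local' or 'review' for one configured DNS server.

    A healthy home set-up hands clients either the router itself (a non-global
    address that forwards to the ISP) or a well-known public resolver. A hijacked
    router points clients at an attacker-controlled public IP, which lands in
    'review': compare it against the resolvers your ISP publishes."""
    ip = ipaddress.ip_address(addr)
    if addr in trusted:
        return "trusted"
    if not ip.is_global:          # RFC 1918, loopback, link-local, reserved ranges
        return "local"
    return "review"


def audit_resolvers(servers, trusted=TRUSTED_RESOLVERS):
    """Return the configured resolvers that need a second look."""
    return [s for s in servers if classify_resolver(s, trusted) == "review"]


def parse_resolv_conf(text):
    """Pull nameserver addresses out of resolv.conf-style text (Linux/macOS).
    On Windows, copy the 'DNS Servers' lines from `ipconfig /all` or from the
    router's admin page and pass the addresses on the command line instead."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def tls_identity_ok(hostname=SIGNIN_HOST, port=443, timeout=5.0):
    """Open a verified TLS connection to the sign-in host and report (ok, detail).

    The system resolver (whatever the router handed out) picks the server. If DNS
    has been hijacked, the connection lands on the attacker's machine, which cannot
    present a certificate for this name that chains to a trusted CA, so the
    handshake fails verification instead of silently serving the phishing page."""
    ctx = ssl.create_default_context()  # CA chain + hostname checking enabled
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                issuer = dict(x[0] for x in tls.getpeercert()["issuer"])
                return True, "verified; issued by " + issuer.get("organizationName", "?")
    except ssl.SSLCertVerificationError as exc:
        return False, "certificate verification FAILED: " + str(exc.reason)
    except (OSError, ssl.SSLError) as exc:
        return False, "connection failed: " + str(exc)


def main(argv):
    servers = argv[1:]
    if servers == ["--demo"]:
        servers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    elif not servers:
        try:
            with open("/etc/resolv.conf") as fh:
                servers = parse_resolv_conf(fh.read())
        except OSError:
            print("usage: python dns_check.py <dns-server-ip> ...  |  --demo")
            return 2
    for s in servers:
        print(f"{s:>18}  {classify_resolver(s)}")
    ok, detail = tls_identity_ok()
    print(f"{SIGNIN_HOST}: {detail}")
    return 0 if ok and not audit_resolvers(servers) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the DNS addresses shown on the router's admin page (`python dns_check.py 192.168.1.1 8.8.8.8`) or with `--demo` to see the constructed hijacked hand-out flagged. A non-zero exit means either an unrecognised resolver was found or the sign-in host did not present a valid certificate; treat the second case as a compromised network rather than a browser glitch.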

What to Do If You've Been Targeted

  1. Clean the router first: reset it to factory settings, install the latest firmware, set a new admin password, disable remote administration, and re-enter only DNS servers you trust. Until the router is clean, every device behind it is still being redirected.
  2. From a clean network, change your Microsoft password and use the account's "sign out everywhere" option (for a work or school account, ask your IT admin to revoke your sign-in sessions). Changing the password alone does not always end a session the attacker already holds; signing out everywhere is what invalidates the stolen token.
  3. Check your mailbox for forwarding rules or inbox rules you did not create, and remove them.
  4. Warn your contacts not to act on payment requests from your address, and contact your bank if any transfer was made.
  5. Report the incident on 1930 or at cybercrime.gov.in, and keep screenshots of the fake page, the router's DNS settings and any suspicious sign-ins as evidence.

Frequently Asked Questions

Q: Can hackers steal money directly from my bank accounts using Microsoft Office tokens?
A: Not directly. However, they can access your emails to perform phishing or social engineering to trick you or your contacts into making fraudulent UPI payments. Watch out for suspicious payment requests.

Q: How do I know if my router firmware is outdated?
A: Log into your router’s admin console via its IP address (like 192.168.1.1), check the firmware version, and compare it with the latest version listed on the manufacturer’s website. Update immediately if outdated.

Q: Will antivirus software detect this router DNS hack?
A: Usually not, because this attack installs nothing on your computer. It changes DNS resolution on the router, so securing the router and verifying its DNS settings is crucial. Your browser's certificate check is the other safeguard: if it warns that the connection to a Microsoft sign-in page is not private, do not proceed.


Stay safe, stay informed! Always verify suspicious messages or websites on BharatSecure.app — India’s trusted platform to protect against cyber scams.
