Microsoft’s latest threat intelligence report lands on a familiar but still uncomfortable truth: the weakest link in many enterprise security stacks is not the laptop, mailbox, or cloud tenant, but the humble SOHO router sitting at the network edge. In this campaign, the Russian military-linked actor Forest Blizzard and its sub-group Storm-2754 reportedly compromised small-office and home-office devices, rewired DNS settings, and used that position to support adversary-in-the-middle interception against selected targets. The result is a campaign that combines low-cost access, high-scale visibility, and an unusually effective path from consumer-grade infrastructure to enterprise espionage. Microsoft says the activity has affected more than 200 organizations and 5,000 consumer devices, while emphasizing that it did not observe compromise of Microsoft-owned assets or services.
That is why this campaign is such a strong reminder that identity security and network security are converging. The router, the resolver, and the token are now part of the same threat chain.
The practical challenge is that many organizations have limited authority over employee-owned equipment. That means mitigation has to combine technical guidance, user education, and identity controls. Security teams should assume that some portion of the fleet will remain unmanaged and design accordingly.
The best strategy is to layer prevention, detection, and recovery. No single control is sufficient if the attacker can manipulate the network path itself. Defense in depth is not a slogan here; it is the only workable model.
This is especially relevant for employees who access work resources from home. They need to understand that a browser warning can mean the network path is compromised, not merely that the site is “having issues.” That distinction can prevent a credential loss from becoming a full account takeover.
This matters because the attack described here does not sit neatly in one product domain. It spans routers, Windows endpoints, identity events, cloud mail, and threat analytics. A fragmented security stack could easily miss the chain, while an integrated platform may surface it faster.
At the same time, defenders should recognize the strategic subtext. Microsoft is using this campaign to illustrate that the most dangerous attacks today are often not the ones that break into the cloud, but the ones that compromise the path to the cloud. That is a compelling argument for telemetry integration, and an equally compelling argument for independent validation of network assumptions.
For enterprises, this is a reminder to pressure security stacks for visibility that extends beyond managed laptops and into the connection path. If the platform cannot tell you when a home resolver changes, then it may not be enough for a cloud-first workforce.
Defenders should also expect more focus on home-network risk in enterprise guidance. That may include stronger employee education, more aggressive detection of unusual DNS changes, and better integration between identity alerts and network anomalies. The attack has made one thing clear: the first trusted device in the chain may no longer be trusted at all.
The lesson for security leaders is clear: if the path to the tenant can be manipulated, then the tenant is only as safe as the weakest upstream device. Forest Blizzard’s campaign is a reminder that espionage increasingly begins not with a login prompt, but with a quiet change to the network beneath it.
Source: Microsoft SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks | Microsoft Security Blog
Background
The new Microsoft report matters because it shows how an old tactic can be re-engineered for a modern cloud-first world. DNS hijacking has long been a favorite of espionage groups and financially motivated criminals because it sits below the application layer and can quietly redirect traffic without changing what users think they typed. What makes this case different is the combination of scale, patience, and selective escalation: Forest Blizzard appears to have used compromised routers not just as a passive vantage point, but as a staging ground for targeted interception against high-value web sessions.
That pattern reflects a broader evolution in Russian cyber operations. Over the last several years, Microsoft and other defenders have repeatedly described Forest Blizzard as a state-aligned espionage actor that blends opportunistic access with intelligence collection. The group’s activity has historically included credential theft, stealthy persistence, and post-compromise tooling. The significance of the new campaign is not that routers are a novel target, but that they are being used as infrastructure for influence over traffic rather than merely as stepping stones into a single network.
Microsoft also situates the campaign in a larger security trend: attackers are increasingly attacking the path to cloud services rather than the services themselves. That is especially consequential in hybrid and remote work environments, where an employee may authenticate to Microsoft 365 from a home network that is outside the organization’s direct control. If the home router is compromised, the enterprise can inherit risk even when the tenant, identity provider, and endpoint are all comparatively hardened.
The company’s report is therefore about more than a single actor. It is an argument that defenders need to treat unmanaged edge equipment as part of the attack surface, especially when it influences DNS, certificate validation, and routing. That is a difficult message for organizations that still think in terms of corporate perimeter versus personal network, because the perimeter has already dissolved into a mesh of home broadband, cloud apps, and identity-based access.
It is also notable that Microsoft frames the activity as a mix of passive reconnaissance and selective adversary-in-the-middle follow-on operations. That distinction matters because passive visibility at scale can help an actor identify promising targets, while active interception can then be reserved for the accounts and domains that matter most. In other words, the router compromise is not just a one-time intrusion; it is a machine for prioritizing espionage.
Why this report is different
The report is not simply warning about router malware or weak passwords. It is describing a chain in which network infrastructure is repurposed into a malicious DNS layer that can observe and sometimes alter user traffic. That makes the campaign more efficient than pure phishing and more durable than single-host compromise, because it sits in a position that many organizations never inventory.
- It leverages insecure SOHO devices rather than hardened enterprise systems.
- It turns DNS into a surveillance and redirection layer.
- It creates the potential for TLS interception if certificate warnings are ignored.
- It can affect users outside the corporate network, including remote workers.
- It provides scale, but still allows targeted follow-on action.
The Attack Surface: Why SOHO Routers Matter
SOHO routers are attractive targets because they are plentiful, under-monitored, and often managed with inconsistent discipline. In many homes and micro-offices, the router is configured once and then forgotten, even though it has an outsized influence on every device behind it. That makes it a perfect compromise point for attackers who want to influence traffic without maintaining persistence on each endpoint individually.
A compromised router can alter DNS settings, proxy requests, and expose metadata about what users are trying to reach. Because DNS is foundational, even a modest intrusion can create broad downstream effects. If a router is trusted by laptops, phones, tablets, and printers alike, then one device compromise can become a network-wide compromise of name resolution.
Microsoft’s framing also reinforces a less comfortable reality: many organizations do not actually own the first hop their employees use to reach work. A remote user’s home broadband connection may be outside IT’s control, but it can still mediate access to cloud apps and identity systems. That is why this class of attack can bypass traditional enterprise controls without defeating them.
From forgotten appliance to espionage gateway
A SOHO router is not normally considered strategic infrastructure. But when an actor can manipulate it, the device becomes a choke point for all downstream activity. That makes the compromise disproportionately valuable, especially when the goal is to observe authentication flows, service access, and user behavior over time.
- Home routers often run lightweight services that are easy to abuse.
- Firmware patching is inconsistent across vendors and models.
- Default credentials and weak admin exposure remain common.
- Many users lack visibility into DNS configuration changes.
- The device sits upstream of all connected endpoints.
Why edge compromise is operationally efficient
Attackers prefer the edge because it is comparatively quiet. Endpoint defenses are better at detecting malware on laptops than at detecting a DNS server quietly answering queries incorrectly. Network perimeter security also tends to focus on corporate firewalls and cloud gateways, not on the home gateway of every employee.
That asymmetry gives the attacker a favorable risk-reward balance. The work required to compromise a consumer router can be modest compared with the intelligence yield. Once a device is modified, it can remain useful for a long time, particularly if the owner never checks the DNS settings or firmware health.
How the Campaign Works
Microsoft describes an attack chain that begins with compromise of vulnerable SOHO devices and ends with actor-controlled DNS resolution. The first step is access to the router or edge device, followed by changes to its default network settings so connected devices begin using attacker-controlled DNS resolvers. Once that happens, every DNS query becomes an opportunity for monitoring, manipulation, or both.
The cleverness of the campaign lies in what happens next. In many cases, DNS queries are transparently proxied so the victim still reaches the legitimate destination. That preserves normalcy and reduces suspicion. But Microsoft says Forest Blizzard also used targeted spoofing for selected domains, forcing victims toward infrastructure that could present an invalid TLS certificate and position the actor between user and service.
That is the point at which surveillance becomes AiTM. If a user proceeds despite the certificate warning, the attacker’s endpoint terminates the TLS session itself and can read the traffic in plaintext. The combination of DNS redirection and TLS interception is especially dangerous because it can expose credentials, session data, and cloud content while appearing to be a normal browsing problem or certificate glitch.
DNS hijacking versus full traffic redirection
Not every DNS hijack results in a visibly broken user experience. In fact, the most effective campaigns try to make everything look normal. Microsoft says the actor often proxied requests through malicious infrastructure while still connecting victims to legitimate endpoints, which is a classic stealth tactic. The goal is not loud disruption; it is quiet control.
- Most queries were reportedly proxied transparently.
- A smaller subset was spoofed for selected domains.
- The spoofing enabled active interception opportunities.
- Invalid certificates could trigger a warning, but not always a stop.
- The campaign favored stealth over immediate fraud.
The role of TLS and certificate warnings
TLS is often treated as a shield against man-in-the-middle threats, but that assumption depends on users and devices refusing invalid certificates. In practice, some users click through warnings, and some environments do not handle certificate anomalies with enough rigor. Attackers exploit that gap.
Microsoft’s report suggests that Forest Blizzard capitalized on precisely that human and procedural weakness. If a domain was selected for active interception, a spoofed endpoint could present a fake but believable connection flow until the certificate warning became the only visible clue. That means user training, endpoint enforcement, and certificate hygiene all become relevant parts of the defense.
Why selective targeting is so effective
The actor does not need to intercept every session to gain value. A small number of targeted interceptions can deliver intelligence on a government official, an IT administrator, or a telecom employee with outsized strategic worth. The rest of the traffic can pass through normally, making the infrastructure seem less suspicious.
That selectivity is what turns a campaign into a long-term asset. It allows the adversary to preserve access, avoid unnecessary noise, and reserve active exploitation for the moments that matter most. In espionage terms, that is efficient patience.
Forest Blizzard’s Strategic Goals
Forest Blizzard has long been associated with Russian government intelligence objectives, and the new campaign fits that profile. Microsoft says the actor primarily collects intelligence in support of Russian foreign policy priorities, with sectors such as government, IT, telecommunications, and energy remaining typical targets. The router campaign extends that mission by broadening the actor’s visibility into cloud-based communications and remote access.
What is strategically significant is not just the collection itself, but the placement. By operating upstream of the target, the actor can observe identities, destinations, and access patterns before a defender ever sees the session. That can help the actor prioritize victims, map dependencies, and choose where to apply higher-risk activities.
This also suggests a maturation in adversary tradecraft. Rather than burning a phishing kit or malware implant directly against the final target, Forest Blizzard appears to be using infrastructure compromise to create a reusable collection layer. That is a better fit for long-horizon intelligence operations, where stealth and durability matter more than speed.
Intelligence collection at infrastructure depth
A router-based foothold can reveal more than one account or one application. It can expose patterns of service use across entire households or offices, including when users access work email, which domains are contacted, and how often the same endpoints recur. That is enough to support both tactical targeting and strategic profiling.
- It can expose network traffic metadata at scale.
- It can identify high-value cloud services.
- It can reveal user habits and login timing.
- It can help select targets for deeper interception.
- It can support follow-on credential theft.
Why Microsoft calls out Outlook on the web
Microsoft says it observed follow-on AiTM operations against domains associated with Outlook on the web. That is an important detail because email remains one of the most valuable services in any enterprise. If a threat actor can access a user’s webmail or session contents, it may obtain messages, attachments, contacts, and the context needed for further compromise.
The report’s focus on Outlook on the web also underscores how cloud identity has become inseparable from email security. The same credentials that unlock email can also unlock collaboration platforms, document stores, and admin portals. Once an attacker is positioned in the path, the blast radius can extend well beyond one inbox.
The importance of regional and sector targeting
Microsoft says it identified separate AiTM activity against government organizations in Africa, and the actor’s broader targeting has included government and critical sectors globally. That geographic spread matters because it suggests the campaign is not merely opportunistic crimeware. It is consistent with a state intelligence operation willing to pursue specific sectors in specific regions.
This is also a reminder that small-edge compromise can have large geopolitical consequences. A router in a home office may seem unimportant, but if it sits upstream of a diplomatic, governmental, or defense-related user, it becomes part of a strategic collection chain. That is exactly the kind of asymmetry state actors exploit.
What Microsoft Observed
Microsoft’s report makes several noteworthy claims about scale and impact. It says its telemetry indicated more than 200 organizations and 5,000 consumer devices were affected by the malicious DNS infrastructure, while also stating that Microsoft-owned assets and services were not compromised. Those numbers suggest a campaign with wide operational reach but selective active exploitation.
The other key observation is that the actor did not always move from DNS hijacking to AiTM. That matters because it indicates the compromise can be valuable even without visible credential theft. Passive DNS collection alone can support reconnaissance, victim selection, and future targeting.
Microsoft also says the activity is tied to Forest Blizzard and the subgroup it tracks as Storm-2754. That attribution is important because it places the campaign in a known threat cluster with a history of espionage-oriented behavior, not a one-off intrusion or an unrelated botnet.
Scale without noisy compromise
One of the most important features of the campaign is that the malicious infrastructure appears to have reached many victims without necessarily causing obvious breakage. That is a hallmark of high-end espionage tradecraft. The attacker wants broad collection, but only the smallest possible visible footprint.
- More than 200 organizations were impacted.
- More than 5,000 consumer devices were affected.
- Microsoft-owned services were not observed as compromised.
- Not every hijacked device led to AiTM.
- The actor appears to reserve active interception for priority targets.
Why the DNS layer is hard to inspect
DNS activity is often under-instrumented compared with endpoint or identity logs. Many organizations log only a subset of queries, and home networks may log none at all. When the DNS resolver itself is compromised, the resulting traffic can look legitimate from the user’s perspective even while being manipulated upstream.
This creates a blind spot that spans consumer and enterprise environments. Users may trust the browser because the site loads, and the organization may trust identity telemetry because the login appears successful. The attacker benefits from the gap between those two perceptions.
The role of default routing assumptions
Many security programs still assume that if the endpoint is clean and the identity provider is strong, the path between them is trustworthy enough. This campaign disproves that assumption. The path can be the compromise.
That is a subtle but important shift for defenders. The question is no longer only whether a device is infected, but whether the infrastructure mediating the connection has been quietly rewritten. For remote work, that can be just as dangerous as a host-based implant.
Detection and Hunting Implications
Microsoft’s guidance emphasizes that router-level compromise means defenders may need to detect post-compromise behavior rather than initial intrusion. That is an important operational point, because many security teams have no visibility into the home router itself. If the initial compromise lives outside the enterprise boundary, then the first artifact may be a suspicious DNS change, a risky sign-in, or unusual mailbox access.
The report also points defenders toward Entra ID Protection, Microsoft Defender XDR, and cloud app telemetry for identifying signs of account abuse after the attacker is in the path. That is the right direction because an adversary-in-the-middle position can turn into valid-user activity very quickly. Once the attacker has credentials or session data, the activity may look like a legitimate login from a legitimate user.
Detection therefore depends on baselining behavior, correlating identity events, and watching for unexpected query or mailbox access patterns. That is easier said than done, but it is the only practical path when the edge device itself is outside enterprise visibility.
Hunting for DNS tampering
A suspicious DNS configuration change is one of the earliest signs defenders can actually catch, especially on corporate-managed endpoints that connect through compromised home networks. Microsoft specifically notes that infected SOHO devices led to updates in the default DNS setting on connected Windows machines. That means endpoint configuration telemetry may reveal the effect even if the router is invisible.
- Look for unusual DNS setting changes on managed endpoints.
- Compare current DNS resolvers against expected baselines.
- Check for sudden switches to unknown external resolvers.
- Investigate devices that align with suspicious sign-in activity.
- Validate whether changes correspond to legitimate network support actions.
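The hunting steps above can be turned into a small check over endpoint configuration telemetry. The script below is an added example written for this article, not code from Microsoft or the report: it classifies each configured resolver as corporate, local-gateway, known-public or unknown-public, and flags any managed endpoint that either points at an unknown Internet resolver or whose resolver list changed between two snapshots. The telemetry records, hostnames, resolver addresses and field names (host, seen_at, resolvers) are constructed for illustration and do not follow any real product schema.

```python
"""Detect DNS resolver drift on managed endpoints.

Added example for this article, not code from Microsoft or the report. It
compares endpoint DNS client configuration snapshots against an expected
baseline and flags (a) any endpoint pointing at a public resolver outside a
known allowlist and (b) any endpoint whose resolver list changed between
snapshots. Records, hostnames, addresses and field names are constructed.
"""
import ipaddress

# Constructed baseline: resolvers the organization expects on managed endpoints.
EXPECTED_RESOLVERS = {"10.10.0.53", "10.10.1.53"}

# Constructed allowlist: public resolvers a home user might legitimately configure.
KNOWN_PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Ranges where the resolver is the local gateway or the host itself. A home
# router handing out its own LAN address is normal, but that router may still be
# compromised upstream, which is why the change check below runs regardless.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed telemetry: one record per configuration observation. The
# 203.0.113.0/24 documentation range stands in for an unknown Internet resolver.
TELEMETRY = [
    {"host": "LAPTOP-01", "seen_at": "2024-05-01T08:00:00Z", "resolvers": ["10.10.0.53", "10.10.1.53"]},
    {"host": "LAPTOP-01", "seen_at": "2024-05-02T08:00:00Z", "resolvers": ["10.10.0.53", "10.10.1.53"]},
    {"host": "LAPTOP-02", "seen_at": "2024-05-01T08:00:00Z", "resolvers": ["192.168.1.1"]},
    {"host": "LAPTOP-02", "seen_at": "2024-05-02T08:00:00Z", "resolvers": ["203.0.113.7"]},
    {"host": "LAPTOP-03", "seen_at": "2024-05-01T08:00:00Z", "resolvers": ["1.1.1.1", "1.0.0.1"]},
]


def classify_resolver(addr: str) -> str:
    """Classify one resolver address as corporate, local, known-public or unknown-public."""
    ip = ipaddress.ip_address(addr)
    if addr in EXPECTED_RESOLVERS:
        return "corporate"
    if any(ip in net for net in LOCAL_NETWORKS):
        return "local"
    if addr in KNOWN_PUBLIC_RESOLVERS:
        return "known-public"
    return "unknown-public"


def find_resolver_drift(records):
    """Return findings for unknown public resolvers and for per-host resolver changes."""
    by_host = {}
    for rec in sorted(records, key=lambda r: (r["host"], r["seen_at"])):
        by_host.setdefault(rec["host"], []).append(rec)

    findings = []
    for host, observations in by_host.items():
        previous = None
        for rec in observations:
            current = tuple(rec["resolvers"])
            for addr in current:
                if classify_resolver(addr) == "unknown-public":
                    findings.append({"host": host, "seen_at": rec["seen_at"],
                                     "reason": "unknown public resolver", "resolver": addr})
            if previous is not None and current != previous:
                findings.append({"host": host, "seen_at": rec["seen_at"],
                                 "reason": "resolver list changed",
                                 "previous": list(previous), "current": list(current)})
            previous = current
    return findings


if __name__ == "__main__":
    for finding in find_resolver_drift(TELEMETRY):
        print(finding)
```

On the constructed data only LAPTOP-02 is flagged, once for switching away from its home gateway and once for the unknown public resolver it switched to. The last bullet above still applies: a change finding is a lead to validate against legitimate support actions, not a verdict.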
Watching for risky sign-ins and mailbox behavior
Microsoft recommends using Entra ID Protection to surface risky sign-ins and risky users. That makes sense because once the attacker has a credential or session token, activity may resemble a successful login from an unusual location or device. A single anomalous sign-in may be enough to trigger a broader review.
Mailbox activity is also relevant. Microsoft notes that search and message access actions in cloud app telemetry can reveal unusual user behavior, especially when a compromised account begins searching or accessing mail in ways that differ from its normal profile. That is where identity, email, and threat intelligence need to be correlated rather than reviewed in isolation.
Why baseline behavior matters
In an AiTM scenario, the attacker is not impersonating the user in the obvious sense; they may be using valid access that looks routine to logs. That means defenders need context: what did this user usually search for, where did they normally sign in from, and which devices were typical?
That is why baseline modeling is so important. Without it, an attacker can hide inside a legitimate access pattern long enough to search, exfiltrate, and pivot. Normal-looking is not the same as benign.
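The two passages above (risky sign-ins plus mailbox behavior, and baseline modeling) describe one detection idea: score each new sign-in and mailbox event against what that user usually does. The following added example, written for this article and not taken from Microsoft, Entra ID Protection or Defender, builds a per-user baseline from historical events (countries and devices seen, typical daily mailbox search volume) and reports the deviations of new events. All users, devices, countries, counts and field names are constructed for illustration.

```python
"""Score sign-in and mailbox events against a per-user behavioural baseline.

Added example for this article, not code from Microsoft or any product. The
baseline is built from historical events the attacker could not influence and
each new event is scored on origin country, device and mailbox search volume.
All events, users, devices and field names are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history (one record per user per day): sign-in country, device
# used and number of mailbox search actions that day.
HISTORY = [
    {"user": "alice", "country": "GB", "device": "LAPTOP-01", "searches": 2},
    {"user": "alice", "country": "GB", "device": "LAPTOP-01", "searches": 3},
    {"user": "alice", "country": "GB", "device": "LAPTOP-01", "searches": 1},
    {"user": "alice", "country": "GB", "device": "PHONE-01", "searches": 0},
    {"user": "bob", "country": "DE", "device": "LAPTOP-07", "searches": 5},
    {"user": "bob", "country": "FR", "device": "LAPTOP-07", "searches": 6},
    {"user": "bob", "country": "DE", "device": "LAPTOP-07", "searches": 4},
]

# Constructed new events. The first resembles the AiTM follow-on the article
# describes: valid credentials, but a new origin, a new device and a burst of
# mailbox searching. The others are routine activity.
NEW_EVENTS = [
    {"user": "alice", "country": "NL", "device": "UNKNOWN-DEVICE", "searches": 40},
    {"user": "alice", "country": "GB", "device": "LAPTOP-01", "searches": 2},
    {"user": "bob", "country": "FR", "device": "LAPTOP-07", "searches": 7},
]


def build_baseline(events):
    """Per user: countries and devices seen, plus mean and stdev of daily searches."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e["user"]].append(e)
    baseline = {}
    for user, evs in grouped.items():
        counts = [e["searches"] for e in evs]
        baseline[user] = {
            "countries": {e["country"] for e in evs},
            "devices": {e["device"] for e in evs},
            "search_mean": mean(counts),
            "search_stdev": pstdev(counts),
        }
    return baseline


def score_event(baseline, event, z_threshold=3.0, min_searches=10):
    """Return the deviations for one event; an empty list means it fits the baseline."""
    profile = baseline.get(event["user"])
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if event["country"] not in profile["countries"]:
        reasons.append("sign-in from country not in baseline")
    if event["device"] not in profile["devices"]:
        reasons.append("device not in baseline")
    # Search burst: a z-score plus an absolute floor, so a user whose normal
    # volume is near zero is not flagged for a handful of searches.
    spread = profile["search_stdev"] or 1.0
    z = (event["searches"] - profile["search_mean"]) / spread
    if event["searches"] >= min_searches and z > z_threshold:
        reasons.append("mailbox search volume far above baseline")
    return reasons


def triage(history, new_events):
    """Score every new event; return (event, reasons) pairs for those that deviate."""
    baseline = build_baseline(history)
    results = []
    for e in new_events:
        reasons = score_event(baseline, e)
        if reasons:
            results.append((e, reasons))
    return results


if __name__ == "__main__":
    for event, reasons in triage(HISTORY, NEW_EVENTS):
        print(event["user"], reasons)
```

The point of combining the three signals is the one the text makes: each on its own (a holiday sign-in, a new phone, a busy day of mail search) is common, but an event that deviates on all three at once deserves correlation with the DNS-change and risky-sign-in leads rather than review in isolation.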
Enterprise Impact Versus Consumer Risk
This campaign is unusual because it straddles the divide between enterprise security and consumer networking. On the consumer side, the immediate risk is DNS hijacking, spoofed connectivity, and exposure of everyday browsing or account credentials. On the enterprise side, the risk expands to cloud mail, identity compromise, and the stealthy use of valid user sessions.
That overlap is what makes the story so important for IT leaders. The home network is no longer separate from the corporate security perimeter when employees authenticate to Microsoft 365, Entra ID, or other cloud services from unmanaged environments. A compromised family router can become a corporate incident.
It also means consumer education becomes a security control. Firmware updates, administrative password hygiene, and DNS integrity checks are no longer just “best practices” for hobbyists; they are upstream risk reductions for the modern enterprise. In a hybrid workforce, the two domains are inseparable.
Consumer exposure is the entry point
For home users, the threat may manifest as wrong DNS resolution, browser warnings, or odd certificate prompts. Many users will not know to check the router’s WAN and LAN DNS settings, much less understand the implications of a spoofed resolver. That creates a durable pool of exposed devices.
- Compromised routers can affect all devices on the home network.
- DNS changes are easy for users to miss.
- Certificate warnings are frequently ignored.
- Consumer incidents can become work incidents.
- Small-office environments often have minimal security staffing.
Enterprise risk emerges from unmanaged edges
Enterprises can harden their own infrastructure and still be exposed by the devices employees use at home. That is especially true where IT cannot manage the router, cannot verify DNS settings, and cannot inspect the upstream path. If a remote employee authenticates through a compromised router, the enterprise may see only a clean login.
This is why conditional access, device trust, and risky sign-in detection are necessary but not sufficient. They help, but they do not fully solve the edge problem. Organizations still need a way to reason about unmanaged infrastructure.
Why cloud services are especially vulnerable to this class of attack
Cloud services centralize value, which is good for defense, but they also create a high-payoff target for intercepting sessions. If an attacker can steal one webmail session, they may obtain enough information to move into collaboration platforms, file sharing, or admin functions. The cloud becomes the prize, but the path to it runs through the edge.
That is why this campaign is such a strong reminder that identity security and network security are converging. The router, the resolver, and the token are now part of the same threat chain.
Mitigation Priorities
Microsoft’s recommended defenses are sensible because they reduce both the chance of router compromise and the damage after compromise. The first priority is to secure or replace vulnerable SOHO devices, especially those in employee homes or small offices. The second is to harden identity and browser behavior so that DNS manipulation does not automatically become session theft.
The practical challenge is that many organizations have limited authority over employee-owned equipment. That means mitigation has to combine technical guidance, user education, and identity controls. Security teams should assume that some portion of the fleet will remain unmanaged and design accordingly.
The best strategy is to layer prevention, detection, and recovery. No single control is sufficient if the attacker can manipulate the network path itself. Defense in depth is not a slogan here; it is the only workable model.
Router and DNS hygiene
The first step is reducing exposure at the device level. That includes patching firmware, changing default credentials, and checking for unauthorized DNS configuration changes. In some cases, the safest path may be replacing unsupported hardware altogether.
- Update router firmware promptly.
- Replace unsupported or end-of-life devices.
- Use strong, unique admin passwords.
- Disable remote administration if not required.
- Verify DNS settings regularly.
Identity and session protection
Because the attack can end in valid-user access, identity security becomes critical. Conditional access, strong MFA, phishing-resistant authentication, and risk-based access decisions reduce the chance that stolen credentials or sessions become durable access. Just as important, certificate warnings should not be treated casually.
- Enforce strong MFA and prefer phishing-resistant methods.
- Block or investigate logins with unusual geolocation.
- Alert on risky sign-ins and risky users.
- Review mailbox search and access anomalies.
- Reauthenticate privileged accounts more aggressively.
User behavior and browser warnings
Users are often the last line of defense, but only if they are taught what matters. A certificate warning during Microsoft 365 access should never be dismissed automatically. If a user encounters one, it should trigger immediate security review, not a routine “proceed anyway” instinct.
This is especially relevant for employees who access work resources from home. They need to understand that a browser warning can mean the network path is compromised, not merely that the site is “having issues.” That distinction can prevent a credential loss from becoming a full account takeover.
Microsoft’s Positioning in the Security Ecosystem
The report also serves a second purpose: it reinforces Microsoft’s broader security narrative around integrated telemetry. The company is clearly emphasizing the value of Microsoft Defender XDR, Entra ID Protection, and Security Copilot as a connected set of tools for investigating campaigns that cross device, identity, email, and cloud application layers. That is not accidental; it is part of Microsoft’s pitch that modern threats require correlated defense.
This matters because the attack described here does not sit neatly in one product domain. It spans routers, Windows endpoints, identity events, cloud mail, and threat analytics. A fragmented security stack could easily miss the chain, while an integrated platform may surface it faster.
At the same time, defenders should recognize the strategic subtext. Microsoft is using this campaign to illustrate that the most dangerous attacks today are often not the ones that break into the cloud, but the ones that compromise the path to the cloud. That is a compelling argument for telemetry integration, and an equally compelling argument for independent validation of network assumptions.
Why the platform narrative matters
Microsoft’s suggestions around Defender alerts, Entra reports, and Security Copilot promptbooks indicate a response model that depends on cross-signal analysis. In practice, that means the organization’s best chance of noticing the attack may come from combining multiple weak signals into one strong case.
- Endpoint alerts may show suspicious DNS changes.
- Identity reports may show risky sign-ins.
- Cloud app logs may show unusual mailbox access.
- Threat analytics may reveal actor-linked patterns.
- Analyst tooling can help stitch those signals together.
The broader market implication
Other vendors face the same challenge. If routers and home networks are part of the attack chain, then endpoint-only and identity-only tools will never have full coverage. That creates a market incentive for tighter integration between network security, identity security, and endpoint telemetry. The vendors that can correlate those layers will have the strongest story.
For enterprises, this is a reminder to pressure security stacks for visibility that extends beyond managed laptops and into the connection path. If the platform cannot tell you when a home resolver changes, then it may not be enough for a cloud-first workforce.
Strengths and Opportunities
This campaign also highlights several opportunities for defenders, because the same visibility that attackers exploit can become a source of detection and resilience when organizations take the edge seriously. The good news is that many of the controls are already available; the challenge is operationalizing them consistently across managed and unmanaged environments.
- Stronger DNS monitoring can expose tampering early.
- Risk-based identity controls can limit stolen session reuse.
- User training can reduce certificate-warning clicks.
- Firmware governance can shrink the vulnerable SOHO pool.
- Better telemetry correlation can shorten investigation time.
- Remote-work security programs can include home-network hygiene.
- Cloud apps and identity logs can provide post-compromise clues.
Risks and Concerns
The risks here are substantial because the attack chain is subtle, cross-domain, and difficult to fully observe from inside the enterprise. The worst-case scenario is not just one hijacked session, but a sustained collection position that lets the actor quietly harvest content and selectively deepen access.
- Home routers may remain unpatched for long periods.
- Users may ignore invalid certificate warnings.
- Valid-user activity can look normal in logs.
- Compromised DNS can conceal malicious routing.
- Identity recovery may lag behind router cleanup.
- Remote workers create a large unmanaged attack surface.
- Selective interception can evade broad detection.
Looking Ahead
The next phase of this story will likely be about whether other actors copy the model. DNS hijacking from compromised edge devices is an appealing playbook because it scales well, survives endpoint hardening, and offers multiple ways to monetize or operationalize access. If Forest Blizzard has shown that router compromise can support selective AiTM against cloud services, other state-aligned groups will notice.
Defenders should also expect more focus on home-network risk in enterprise guidance. That may include stronger employee education, more aggressive detection of unusual DNS changes, and better integration between identity alerts and network anomalies. The attack has made one thing clear: the first trusted device in the chain may no longer be trusted at all.
What security teams should watch
- Firmware and support status of employee-facing routers.
- DNS resolver changes on managed laptops and endpoints.
- Risky sign-ins tied to unusual home-network behavior.
- Certificate warnings during access to corporate cloud apps.
- Unusual mailbox search and message access patterns.
- Threat intel updates on Forest Blizzard and Storm-2754.
- Correlated identity and network anomalies across remote users.
The lesson for security leaders is clear: if the path to the tenant can be manipulated, then the tenant is only as safe as the weakest upstream device. Forest Blizzard’s campaign is a reminder that espionage increasingly begins not with a login prompt, but with a quiet change to the network beneath it.
Source: Microsoft SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks | Microsoft Security Blog