
SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks

Russian military intelligence actor Forest Blizzard is compromising vulnerable SOHO routers to alter DNS settings and hijack network traffic. This compromised infrastructure is subsequently used to conduct selective Adversary-in-the-Middle (AiTM) attacks, intercepting TLS connections to steal credentials and sensitive data from targeted organizations.

Sensitivity: 24h | Confidence: high | Analyzed: 2026-04-07

Authors: Microsoft Threat Intelligence

Actors: Forest Blizzard, Storm-2754, Russian military intelligence

Source: Microsoft

Key Takeaways

  • Forest Blizzard (Storm-2754) is compromising SOHO routers at scale to conduct DNS hijacking.
  • The actor uses the legitimate dnsmasq utility to forward DNS queries to actor-controlled infrastructure.
  • Follow-on Adversary-in-the-Middle (AiTM) attacks are selectively conducted against high-priority targets to intercept TLS traffic.
  • Over 200 organizations and 5,000 consumer devices have been impacted since at least August 2025.
  • The attack relies on users ignoring invalid TLS certificate warnings to successfully intercept plaintext traffic.

Affected Systems

  • Small office/home office (SOHO) routers
  • Windows endpoints (via inherited DHCP/DNS settings)
  • Microsoft Outlook on the web domains
  • Government servers in Africa

Attack Chain

Forest Blizzard compromises vulnerable SOHO routers and alters their default network configurations to use actor-controlled DNS resolvers via the dnsmasq utility. Endpoint devices on the local network inherit these malicious DNS settings through DHCP. When a user attempts to access targeted services, the malicious resolver directs them to an AiTM server that presents a spoofed, invalid TLS certificate. If the user ignores the certificate warning, the threat actor intercepts the plaintext traffic to collect credentials and sensitive data.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: Yes
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Microsoft Defender XDR, Entra ID Protection

Microsoft provides KQL queries for Defender XDR to hunt for highly suspicious sign-ins and unusual post-compromise mailbox access activities.

Detection Engineering Assessment

  • EDR Visibility: Medium — EDR on the endpoint can observe the inherited malicious DNS settings and anomalous sign-in behaviors, but lacks direct visibility into the initial SOHO router compromise.
  • Network Visibility: High — Network monitoring can detect anomalous DNS traffic, connections to unknown resolvers, and the presentation of invalid TLS certificates during the AiTM phase.
  • Detection Difficulty: Moderate — While detecting the underlying router compromise is difficult for enterprise defenders, identifying the resulting risky sign-ins or invalid TLS certificates is feasible with proper identity and network monitoring.

Required Log Sources

  • Entra ID Sign-in Logs
  • CloudAppEvents
  • DNS Query Logs
  • Network Traffic Logs

Hunting Hypotheses

  • Hypothesis: Users are authenticating from unusual infrastructure or exhibiting risky sign-in behavior due to intercepted credentials. Telemetry: Entra ID Sign-in Logs. ATT&CK Stage: Credential Access. FP Risk: Medium.
  • Hypothesis: Endpoints are querying non-standard or unexpected external DNS resolvers instead of corporate defaults. Telemetry: DNS Query Logs. ATT&CK Stage: Command and Control. FP Risk: Low.
  • Hypothesis: Unusual search or mail item access patterns are occurring in cloud applications from suspicious IP addresses. Telemetry: CloudAppEvents. ATT&CK Stage: Collection. FP Risk: Medium.
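The second hunting hypothesis and the network-side indicators from the Detection Engineering Assessment (untrusted DHCP-assigned resolver, unexpected answer for a targeted domain, invalid TLS certificate) expressed as stand-alone detection logic over sample telemetry. This is an added example, not Microsoft's KQL or the page's own code; the log format, host names, the outlook.example.com domain and every address are constructed.

```python
import ipaddress
from typing import Iterable

# Constructed values: corporate resolvers, the monitored high-value domain and the
# address range its legitimate answers are expected to fall in.
TRUSTED_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}
MONITORED_DOMAINS = {"outlook.example.com"}
EXPECTED_ANSWER_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed log lines in a simple "kind key=value ..." form; LAPTOP07 sits behind
# a hijacked router, WS01 behind a healthy one.
SAMPLE_LOGS = """
dhcp host=WS01 dns=10.0.0.53
dhcp host=LAPTOP07 dns=203.0.113.9
dns host=LAPTOP07 resolver=203.0.113.9 qname=outlook.example.com answer=192.0.2.77
dns host=WS01 resolver=10.0.0.53 qname=outlook.example.com answer=198.51.100.10
tls host=LAPTOP07 sni=outlook.example.com cert_valid=false
tls host=WS01 sni=outlook.example.com cert_valid=true
""".strip().splitlines()

def parse(line: str) -> dict:
    kind, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["kind"] = kind
    return rec

def detect(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (host, indicator) pairs, one per matched behavioral indicator."""
    hits = []
    for rec in map(parse, lines):
        host, kind = rec["host"], rec["kind"]
        if kind == "dhcp" and ipaddress.ip_address(rec["dns"]) not in TRUSTED_RESOLVERS:
            hits.append((host, "untrusted_dhcp_resolver"))
        elif kind == "dns" and rec["qname"] in MONITORED_DOMAINS:
            ans = ipaddress.ip_address(rec["answer"])
            via_trusted = ipaddress.ip_address(rec["resolver"]) in TRUSTED_RESOLVERS
            if not via_trusted or not any(ans in net for net in EXPECTED_ANSWER_NETS):
                hits.append((host, "unexpected_dns_answer"))
        elif kind == "tls" and rec["sni"] in MONITORED_DOMAINS and rec["cert_valid"] == "false":
            hits.append((host, "invalid_tls_cert"))
    return hits

def aitm_candidates(hits: list[tuple[str, str]], min_indicators: int = 2) -> set[str]:
    """Hosts showing at least min_indicators distinct indicator types: the full chain
    (bad resolver -> wrong answer -> invalid cert) is far stronger than any one alone."""
    by_host: dict[str, set[str]] = {}
    for host, ind in hits:
        by_host.setdefault(host, set()).add(ind)
    return {h for h, inds in by_host.items() if len(inds) >= min_indicators}
```

Correlating the three indicators per host is what keeps the false-positive risk at the "Low" level the table assigns to the resolver hypothesis, since a single unexpected resolver on its own is common on home networks.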

Control Gaps

  • Unmanaged SOHO devices lacking enterprise visibility
  • Users ignoring TLS certificate warnings

Key Behavioral Indicators

  • Unexpected DNS server assignments via DHCP
  • High-risk Entra ID sign-ins (RiskLevelAggregated == 100)
  • ActionType 'Search' or 'MailItemsAccessed' from anomalous locations

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Enforce Zero Trust DNS (ZTDNS) on Windows endpoints to ensure devices only resolve DNS through trusted servers.
  • Investigate Entra ID risky sign-in reports and risky user reports for signs of compromise.
  • Block known malicious domains and monitor DNS logs for anomalous traffic.

Infrastructure Hardening

  • Centralize identity management and integrate on-premises directories with cloud directories.
  • Implement continuous access evaluation and sign-in risk policies to automate responses to risky sign-ins.
  • Avoid using home router solutions in corporate environments.

User Protection

  • Strictly enforce phishing-resistant MFA and Conditional Access policies, particularly for privileged accounts.
  • Use passwordless solutions like passkeys via the Microsoft Authenticator app.
  • Synchronize user accounts (excluding highly privileged ones) to maintain boundaries between on-premises and cloud environments.

Security Awareness

  • Train users to never ignore TLS certificate errors or warnings.
  • Educate remote and hybrid employees on the risks of insecure home network equipment.

MITRE ATT&CK Mapping

  • T1584.004 - Compromise Infrastructure: Server
  • T1565.002 - Data Manipulation: Transmitted Data Manipulation
  • T1557 - Adversary-in-the-Middle
  • T1040 - Network Sniffing