Krebs on Security is a cybersecurity blog authored by Brian Krebs, an investigative journalist and cybersecurity expert. With a focus on cybercrime, hacking incidents, and data breaches, Krebs on Security provides  analysis, investigative reporting, and security research on emerging threats and cybersecurity trends. Developers and security professionals can learn about the latest cybersecurity threats, security best practices, and incident response strategies from Krebs' investigative reporting and expert analysis.

Krebs on Security

Russian military intelligence hackers (APT28/Forest Blizzard/Fancy Bear) exploited known vulnerabilities in end-of-life SOHO routers—primarily MikroTik and TP-Link devices—to hijack DNS settings and intercept Microsoft Office OAuth authentication tokens. At peak activity in December 2025, the campaign ensnared over 18,000 routers across more than 200 organizations and 5,000 consumer devices. By redirecting DNS to attacker-controlled servers, the group performed adversary-in-the-middle attacks on TLS connections, capturing auth tokens post-MFA without deploying any malware. The tactic is notably low-tech but highly effective, and researchers note the group rapidly scaled up this approach after a prior NCSC disclosure forced them to abandon a malware-based method.

Russia Hacked Routers to Steal Microsoft Office Tokens – Krebs on Security