Passive Token Harvesting: The Router Mass-Heist & Token Theft

Hey everyone, just caught the latest KrebsOnSecurity report regarding the Russian military intelligence campaign targeting routers. It’s a textbook "Living off the Land" scenario that should have us all worried. Instead of dropping malware on endpoints, they are leveraging known vulnerabilities in end-of-life SOHO and SMB routers to harvest Microsoft 365 authentication tokens.

What is particularly alarming is the scale: over 18,000 networks affected. By altering routing tables or DNS settings on these neglected devices, actors are performing a Man-in-the-Middle (MitM) attack to siphon OAuth tokens without ever touching the disk.

The Technical Breakdown:

• Vector: Auth bypass and configuration modification on older firmware (typically devices unpatched since 2018-2020).
• Target: Active Directory Federation Services (ADFS) traffic and direct M365 logins.
• Mechanism: Passively capturing RefreshTokens or AccessTokens passed during authentication.

Since there is no malware on the endpoint, your EDR is essentially blind here. Detection has to happen at the identity or network layer.

Here is a KQL query for Sentinel to help identify potential sign-ins originating from anomalous locations that might indicate this kind of router interference:

SigninLogs
| where ResultDescription == "Success"
| extend DeviceDetail = parse_(DeviceDetail)
| extend Browser = DeviceDetail.browser, OS = DeviceDetail.operatingSystem
| project TimeGenerated, UserPrincipalName, AppDisplayName, Location, Browser, OS, DeviceId, RiskDetail
| where RiskDetail has "detected" or Location !contains "Office"
| summarize count() by UserPrincipalName, Location, bin(TimeGenerated, 1h)
| where count_ > 3

Given that these routers are often in home offices or small branch locations, how are you guys handling legacy equipment? Are you enforcing stricter Conditional Access Policies, or do we need to start blocking authentication attempts from known consumer-grade ISP ranges?