13th April 2026
Russian State Hackers Are Silently Stealing Microsoft 365 Tokens Through Your Router
If your organisation uses Microsoft 365 — and the vast majority of UK businesses do — this week brought a stark reminder of just how creative and patient state-backed threat actors can be. Russian military intelligence hackers have been quietly raiding authentication tokens from tens of thousands of business networks, and they did it without installing a single piece of malware.
It has been another busy week in cybersecurity. Alongside the router attack story, a trusted software download site was compromised to distribute remote access trojans, and Adobe rushed out an emergency patch for a critical Acrobat Reader flaw already being exploited in the wild. Here is what every UK business should know.
Russia’s Forest Blizzard: Stealing Microsoft 365 Tokens at Scale
Researchers at Black Lotus Labs (a security division of internet backbone provider Lumen) and Microsoft’s own threat intelligence team have this week exposed a sophisticated campaign by a Russia-linked group known as Forest Blizzard — also tracked as APT28 and Fancy Bear, and attributed to Russia’s GRU military intelligence directorate.
The group’s method was deceptively simple: rather than deploying malware directly onto victim machines, they compromised end-of-life and unpatched internet routers — including popular small business models from TP-Link and MikroTik — and turned them into silent surveillance platforms. At the campaign’s peak in December 2025, the group had ensnared more than 18,000 routers across the globe.
Once inside a compromised router, Forest Blizzard redirected DNS traffic in a technique known as an adversary-in-the-middle (AitM) attack. When employees on the network authenticated to Microsoft 365, their authentication tokens were quietly harvested — intercepted before they ever reached Microsoft’s servers. No malware on the endpoint. No alerts from traditional antivirus. Just silent, persistent access.
Microsoft confirmed that over 200 organisations and 5,000 consumer devices were caught up in the campaign, with primary targets including government ministries, law enforcement agencies, and third-party email providers. However, given the scale of router compromise, any organisation behind an unpatched router is a potential victim.
What This Means for UK Businesses
This attack is a masterclass in why endpoint security alone is no longer sufficient. If your router is compromised, all the endpoint protection in the world will not stop your Microsoft 365 credentials being stolen at the network level.
The immediate actions every business should take:
- Audit your routers immediately. If you are running end-of-life hardware — particularly older TP-Link or MikroTik models — replace or upgrade urgently.
- Enable Microsoft 365 Conditional Access. Token theft is far less valuable when access requires device compliance checks or location-based policies.
- Enforce phishing-resistant MFA. FIDO2/hardware keys or Microsoft Authenticator’s number matching make stolen tokens significantly harder to abuse.
- Monitor for token anomalies. Impossible travel alerts and unusual sign-in patterns in Microsoft Entra ID (Azure AD) audit logs can surface token misuse.
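The last item above is the one that is easiest to operationalise yourself. The script below is an added example written for this post (it is not code from Microsoft, Huntress or any vendor named here): it reads exported Entra ID sign-in records, orders them per user, and flags "impossible travel", where the distance between two consecutive sign-ins would require a speed no aircraft reaches. The sample records are constructed, and the field names only loosely mirror the Microsoft Graph signIn schema (userPrincipalName, createdDateTime, ipAddress, location.geoCoordinates), which is an assumption rather than a guarantee about your export format.

```python
"""Flag impossible-travel sign-ins in an exported set of Entra ID sign-in records.

Added example; the records below are constructed and the field names are an
assumption loosely based on the Microsoft Graph signIn resource.
"""
from __future__ import annotations

import math
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample export: alice shows a Moscow sign-in 39 minutes after a
# London one (a token replayed from elsewhere); bob travels at coach speed.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.co.uk", "createdDateTime": "2026-04-09T08:02:11Z",
     "ipAddress": "203.0.113.10", "location": {"city": "London", "countryOrRegion": "GB",
     "geoCoordinates": {"latitude": 51.5074, "longitude": -0.1278}}},
    {"userPrincipalName": "alice@example.co.uk", "createdDateTime": "2026-04-09T08:41:30Z",
     "ipAddress": "198.51.100.77", "location": {"city": "Moscow", "countryOrRegion": "RU",
     "geoCoordinates": {"latitude": 55.7558, "longitude": 37.6173}}},
    {"userPrincipalName": "bob@example.co.uk", "createdDateTime": "2026-04-09T07:15:00Z",
     "ipAddress": "203.0.113.22", "location": {"city": "Manchester", "countryOrRegion": "GB",
     "geoCoordinates": {"latitude": 53.4808, "longitude": -2.2426}}},
    {"userPrincipalName": "bob@example.co.uk", "createdDateTime": "2026-04-09T12:30:00Z",
     "ipAddress": "203.0.113.23", "location": {"city": "London", "countryOrRegion": "GB",
     "geoCoordinates": {"latitude": 51.5074, "longitude": -0.1278}}},
]

MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner cruise speed; faster is not travel
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat = p2 - p1
    dlon = math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_time(stamp: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the export as UTC."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def required_speed_kmh(prev: dict, cur: dict) -> float:
    """Speed a user would have needed to move from prev's location to cur's."""
    g1, g2 = prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"]
    distance = haversine_km(g1["latitude"], g1["longitude"], g2["latitude"], g2["longitude"])
    hours = (parse_time(cur["createdDateTime"]) - parse_time(prev["createdDateTime"])).total_seconds() / 3600
    if hours <= 0:                      # same second from two places: unbounded speed
        return math.inf if distance > 0 else 0.0
    return distance / hours


def find_impossible_travel(signins: list[dict], max_kmh: float = MAX_PLAUSIBLE_KMH) -> list[dict]:
    """Return one alert per consecutive sign-in pair that exceeds max_kmh."""
    by_user: dict[str, list[dict]] = defaultdict(list)
    for rec in signins:
        by_user[rec["userPrincipalName"]].append(rec)

    alerts = []
    for upn, recs in by_user.items():
        recs.sort(key=lambda r: parse_time(r["createdDateTime"]))
        for prev, cur in zip(recs, recs[1:]):
            speed = required_speed_kmh(prev, cur)
            if speed > max_kmh:
                alerts.append({
                    "user": upn,
                    "from": f'{prev["location"]["city"]} ({prev["ipAddress"]})',
                    "to": f'{cur["location"]["city"]} ({cur["ipAddress"]})',
                    "required_kmh": round(speed),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_SIGNINS):
        print(f'{alert["user"]}: {alert["from"]} -> {alert["to"]} would need {alert["required_kmh"]} km/h')
```

A sign-in that trips this rule is a reason to revoke the user's sessions and look at the router and DNS path they were on, not proof of compromise on its own; VPN egress and mobile carrier geolocation both produce false positives, which is why the threshold is generous rather than tight.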
Our partners at Huntress provide 24/7 managed threat detection that includes Microsoft 365 monitoring — precisely the kind of coverage that would surface anomalous token activity that static tools miss. If you are not actively monitoring your cloud identity layer, now is the time to start.
Supply Chain Attack: CPU-Z and HWMonitor Downloads Weaponised
In a separate incident this week, the popular hardware monitoring website CPUID.com — home to widely used tools including CPU-Z, HWMonitor, and HWMonitor Pro — was compromised by unknown threat actors for a window of less than 24 hours between 9th and 10th April 2026.
During that window, visitors who downloaded any of the affected tools received trojanised executables bundled with a remote access trojan called STX RAT. The malware grants attackers persistent, full remote access to infected machines.
This is a textbook supply chain attack — targeting trusted software distribution channels to reach end users who have no reason to suspect the download is malicious. CPUID’s tools are particularly popular with IT professionals and technically savvy users, making this a worrying pivot towards targeting people who are generally harder to phish.
Action required: If anyone in your organisation downloaded CPU-Z, HWMonitor, HWMonitor Pro, or PerfMonitor between approximately 15:00 UTC on 9th April and 10:00 UTC on 10th April 2026, treat those machines as compromised and initiate your incident response process immediately. This is exactly the scenario where Lima Charlie’s managed detection and response capability shines — catching the post-compromise behaviour that signature-based tools miss.
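Scoping that action across a fleet means answering one question from your web proxy or firewall logs: which hosts fetched one of the affected installers from cpuid.com inside the window? The script below is an added example for this post (not CPUID's, Lima Charlie's or any vendor's code). The log lines are constructed, the line format is an assumption, and the installer file-name patterns are assumptions too; the one detail worth copying is that every timestamp is normalised to UTC before it is compared with the window, because a UK proxy logging in BST (UTC+1) will otherwise mis-scope the first and last hour.

```python
"""Triage: which hosts downloaded CPUID tools during the compromise window?

Added example. The proxy log lines are constructed and their layout
(timestamp host method url) is an assumption; the window is the one given
in the post. Installer name patterns are assumptions, not CPUID's real names.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Window from the post: approx. 15:00 UTC 9 April to 10:00 UTC 10 April 2026.
WINDOW_START = datetime(2026, 4, 9, 15, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 10, 10, 0, tzinfo=timezone.utc)

# Assumed patterns for the affected installers; adjust to what your logs show.
AFFECTED_TOOLS = re.compile(r"(cpu-?z|hwmonitor(pro)?|perfmonitor)", re.IGNORECASE)

# Constructed proxy log: ISO timestamp (with offset), client host, method, URL.
SAMPLE_PROXY_LOG = """\
2026-04-09T15:30:00+01:00 WS-003 GET https://www.cpuid.com/downloads/cpu-z/cpu-z-setup.exe
2026-04-09T16:20:05+01:00 WS-017 GET https://www.cpuid.com/downloads/cpu-z/cpu-z-setup.exe
2026-04-09T18:05:44Z WS-009 GET https://www.example.com/tools/hwmonitor-mirror.exe
2026-04-10T02:00:00Z WS-042 GET https://www.cpuid.com/downloads/hwmonitor/hwmonitor-setup.exe
2026-04-10T03:14:09Z WS-042 GET https://www.cpuid.com/images/logo.png
2026-04-10T11:30:00+01:00 WS-021 GET https://www.cpuid.com/downloads/hwmonitor-pro/hwmonitorpro-setup.exe
"""

LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def to_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp with 'Z' or a numeric offset and return it in UTC."""
    if stamp.endswith("Z"):
        stamp = stamp[:-1] + "+00:00"
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None:           # naive stamps are treated as UTC (an assumption)
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def is_affected_download(url: str) -> bool:
    """True when the URL is on cpuid.com and its path names one of the affected tools."""
    parts = urlparse(url)
    host = parts.hostname or ""
    on_cpuid = host == "cpuid.com" or host.endswith(".cpuid.com")
    return on_cpuid and bool(AFFECTED_TOOLS.search(parts.path))


def hosts_to_isolate(log_text: str,
                     start: datetime = WINDOW_START,
                     end: datetime = WINDOW_END) -> dict[str, list[str]]:
    """Map each client host that downloaded an affected tool in-window to the URLs it fetched."""
    hits: dict[str, list[str]] = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                     # skip malformed lines rather than crash mid-triage
        when = to_utc(m["ts"])
        if not (start <= when <= end):
            continue
        if is_affected_download(m["url"]):
            hits.setdefault(m["host"], []).append(m["url"])
    return hits


if __name__ == "__main__":
    for host, urls in sorted(hosts_to_isolate(SAMPLE_PROXY_LOG).items()):
        print(f"{host}: isolate and run IR; fetched {len(urls)} affected installer(s)")
```

In the constructed log, WS-003 downloaded at 15:30 BST, which is 14:30 UTC and just outside the window, so it is not listed; WS-021 at 11:30 BST is 10:30 UTC and also outside; WS-017 and WS-042 are the two hosts that fall inside. Because the window is described as approximate, it is reasonable to widen both edges by an hour or two when you run this against real data and accept a few extra machines to check.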
Adobe Acrobat Reader: Emergency Patch for Actively Exploited Flaw
Adobe has issued an emergency out-of-band update this week to address CVE-2026-34621, a critical vulnerability in Acrobat Reader carrying a CVSS score of 8.6 out of 10. The flaw allows an attacker to execute arbitrary malicious code on any vulnerable installation — and it is already being actively exploited in the wild.
PDF readers are ubiquitous in business environments, and Acrobat Reader is installed on millions of Windows and macOS machines worldwide. A maliciously crafted PDF — delivered via email, a compromised website, or a shared document — is all it takes to trigger exploitation.
Patch immediately. Adobe’s update is available now through the application’s built-in updater or via Adobe’s download centre. This should be treated as a critical priority patch, not something to schedule for next month’s maintenance window.
The Bigger Picture: Patch Management Is Your First Line of Defence
Looking across this week’s threats, a common thread emerges: unpatched, neglected, or end-of-life software and hardware is the entry point. Forest Blizzard exploited routers that organisations had simply forgotten about. The Adobe flaw will hit businesses running outdated PDF readers. The CPUID attack targeted users who trusted a known source — but the reality is that supply chain hygiene matters too.
Effective cyber security in 2026 is not about having a single silver-bullet product. It is about layered defences: keeping everything patched, monitoring your Microsoft 365 environment actively, having eyes on your endpoints around the clock, and knowing what “normal” looks like on your network so that anomalies stand out.
At Just Cyber Security, we work with UK businesses to build exactly that kind of layered posture — combining Huntress for managed endpoint and identity threat detection, and Lima Charlie for extended detection and response across your environment.
If this week’s headlines have prompted questions about your own organisation’s exposure, get in touch with our team. A free security review is the first step towards knowing where you actually stand.
This Week in Brief
- 🇷🇺 Forest Blizzard (APT28/Fancy Bear) compromised 18,000+ routers to steal Microsoft 365 authentication tokens via DNS hijacking — no malware deployed. Source: Krebs on Security / Lumen Black Lotus Labs
- 💀 CPUID supply chain attack: CPU-Z and HWMonitor downloads were trojanised with STX RAT for ~19 hours on 9–10 April. Source: The Hacker News / BleepingComputer
- 🚨 Adobe Acrobat Reader CVE-2026-34621 (CVSS 8.6) is being actively exploited — emergency patch available now. Source: The Hacker News
- 🌐 Marimo pre-auth RCE flaw now under active exploitation for credential theft. Source: BleepingComputer
- 🔒 Google Chrome 146 rolls out Device Bound Session Credentials (DBSC) to all Windows users, protecting against session cookie theft. Source: The Hacker News
Stay ahead of the threat landscape — subscribe to the JCS blog for weekly security briefings tailored to UK businesses.