State-backed Russian hackers quietly harvested Microsoft Office authentication tokens from more than 18,000 business networks by exploiting known vulnerabilities in old routers — no malware required. If your office still runs routers with firmware that hasn’t been updated, your Microsoft 365 accounts may already be exposed.
What Happened: 18,000 Networks, Zero Malware
Security researcher Brian Krebs reported this week that Russian military intelligence units — linked to GRU-affiliated threat groups — ran a campaign specifically targeting businesses still operating legacy router hardware. The technique exploited firmware-level vulnerabilities present in older models from multiple manufacturers.
What makes this attack unusual — and particularly dangerous — is the method. The attackers did not deploy ransomware, did not phish individual employees, and did not install any software on victim systems. Instead, they leveraged architectural weaknesses in outdated router firmware that caused the devices to leak Microsoft Office session tokens: the signed credentials that prove a user has already authenticated.
Once an attacker holds your authentication token, they don’t need your password. They can access your Microsoft 365 email, SharePoint files, Teams conversations, and OneDrive storage — silently, from anywhere in the world.
The scale — 18,000 networks — tells you this was not a targeted espionage operation. It was an indiscriminate sweep, collecting tokens from any business running a vulnerable router.
Why Legacy Routers Are a Business-Level Risk in 2026
Most businesses treat their router as a utility — like a light switch. It works, so nobody touches it. The result is that many offices are running routers with firmware that is two, four, or even eight years out of date. Manufacturers release security patches; those patches never get applied; the vulnerabilities accumulate.
Legacy router models — particularly those released before 2022 — frequently contain unresolved security issues in how they handle session management and traffic inspection. In the Russian campaign, these flaws allowed the devices to expose authentication tokens that passed through the network, even on HTTPS-encrypted traffic in some configurations.
According to Krebs’s reporting, no CVE identifier was cited for this specific attack vector, which suggests the exploit may be targeting multiple known weaknesses in combination rather than a single, catalogued flaw. This is significant: it means there is no single patch to apply. The fix is firmware updates across your entire router fleet — or replacement of devices that no longer receive manufacturer support.
The Business Impact of Stolen Authentication Tokens
Authentication token theft is categorically worse than password theft for one reason: a stolen token typically bypasses multi-factor authentication. When you sign in to Microsoft 365, you present your password, pass the MFA challenge, and only then receive a token that represents that completed authentication. If an attacker steals that token before it expires, they skip the MFA step entirely and access your account as if they were you.
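The practical symptom of a stolen token is the one the article describes: a session that was established from the office appears, minutes later, from somewhere else in the world. The following is an added example (not code from the article or from Microsoft) that runs that check over sign-in records. It assumes records have been exported to a simplified, hypothetical shape with the fields timestamp, user, session_id, source_ip and country; real Entra sign-in logs carry more fields, but the logic is the same.

```python
"""Flag a single Microsoft 365 session replayed from more than one network
location, the observable side effect of the token theft discussed above.

Added example, not from the article. Record fields are a simplified,
hypothetical rendering of sign-in log data; the sample records below are
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-ins. alice changes IP inside the office within
# minutes (low concern); bob's session shows up from another country
# fifteen minutes after the office sign-in (the token-theft pattern);
# carol reconnects the next morning from home on the same session.
SAMPLE_SIGNINS = [
    {"timestamp": "2026-03-02T09:01:00", "user": "alice@example.com",
     "session_id": "sess-A1", "source_ip": "203.0.113.10", "country": "US"},
    {"timestamp": "2026-03-02T09:04:00", "user": "alice@example.com",
     "session_id": "sess-A1", "source_ip": "203.0.113.11", "country": "US"},
    {"timestamp": "2026-03-02T09:10:00", "user": "bob@example.com",
     "session_id": "sess-B7", "source_ip": "203.0.113.10", "country": "US"},
    {"timestamp": "2026-03-02T09:25:00", "user": "bob@example.com",
     "session_id": "sess-B7", "source_ip": "198.51.100.77", "country": "RU"},
    {"timestamp": "2026-03-02T17:40:00", "user": "carol@example.com",
     "session_id": "sess-C3", "source_ip": "203.0.113.10", "country": "US"},
    {"timestamp": "2026-03-03T08:05:00", "user": "carol@example.com",
     "session_id": "sess-C3", "source_ip": "192.0.2.44", "country": "US"},
]


def find_replayed_sessions(records, window=timedelta(hours=1)):
    """Return one alert per pair of consecutive sign-ins on the same session
    id that came from different source IPs.

    A country change is always reported as "high" severity, however far
    apart the two events are. A same-country IP change is reported as "low"
    only when the two events fall within `window`; a user reconnecting from
    home the next day on the same session is not an alert.
    """
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["session_id"]].append(
            (datetime.fromisoformat(rec["timestamp"]), rec))

    alerts = []
    for session_id, events in by_session.items():
        events.sort(key=lambda e: e[0])
        for (t1, a), (t2, b) in zip(events, events[1:]):
            if a["source_ip"] == b["source_ip"]:
                continue  # same device, nothing to flag
            if a["country"] != b["country"]:
                severity = "high"
            elif t2 - t1 <= window:
                severity = "low"
            else:
                continue  # slow, same-country IP change: ordinary roaming
            alerts.append({
                "user": b["user"],
                "session_id": session_id,
                "from": a["source_ip"],
                "to": b["source_ip"],
                "minutes_apart": int((t2 - t1).total_seconds() // 60),
                "severity": severity,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_SIGNINS):
        print(f"[{alert['severity'].upper()}] {alert['user']} session "
              f"{alert['session_id']}: {alert['from']} -> {alert['to']} "
              f"({alert['minutes_apart']} min apart)")
```

The "high" alert is the one that matters for this campaign: the same session token being presented from a second country is exactly what a token harvested at the router enables, and it is visible in sign-in data even though no malware ever touched the endpoint.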
For a typical small or midsize business, this translates directly to:
Email access. Attackers can read, forward, and delete your email — including vendor invoices, client communications, and internal financial discussions — without triggering standard security alerts.
File access. SharePoint and OneDrive files become readable and downloadable. If your business stores contracts, HR records, or client data in Microsoft 365, that data is now in hostile hands.
Teams infiltration. Attackers inside Teams can observe active projects, manipulate shared documents, and in some configurations send messages as the compromised user.
Credential pivoting. From a compromised Microsoft 365 account, attackers can often request password resets for connected services, expanding access beyond the initial token theft.
The regulatory implications compound the risk. Under GDPR, unauthorized access to personal data stored in Microsoft 365 triggers mandatory breach notification requirements, regardless of whether the business detected the intrusion. HIPAA-covered entities face similar obligations. A stolen token that goes undetected for weeks is not a minor IT issue — it’s a reportable breach.
What To Do Right Now
1. Audit your router inventory today. Identify every router, access point, and network switch on your business premises. Document the manufacturer, model, and current firmware version. If you don’t know the firmware version, assume it’s outdated.
2. Apply firmware updates within 24 hours. Go to the manufacturer’s support page for each device and download the latest firmware. Most modern routers allow updates through a web-based management interface. Priority devices: any router with internet-facing management access, all office perimeter routers, and any devices purchased before 2022.
3. Retire unsupported hardware. If a router’s manufacturer no longer releases firmware updates, it is a liability. No patch will protect it. Replace it. Modern business-grade routers from Cisco, Fortinet, or Ubiquiti cost between $150 and $800 for most SMB deployments — far less than the cost of a breach investigation.
4. Enforce short token expiration in Microsoft 365. In the Microsoft Entra admin center (formerly Azure Active Directory), reduce session token lifetime from the default to 1–4 hours. This limits the window an attacker has to use a stolen token. Combined with Conditional Access policies, this significantly raises the cost of token-based attacks.
5. Enable Continuous Access Evaluation (CAE). Microsoft’s CAE feature allows 365 services to revoke sessions in near real-time when a risk signal is detected. Enable it in your Entra admin settings. It won’t stop token theft at the router level, but it reduces the damage window significantly.
6. Segment your network. Separate the network segment that routes Microsoft 365 traffic from other internal traffic. If a legacy router must remain in use temporarily, ensure it handles only non-sensitive traffic while you arrange replacement.
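Steps 1 to 3 come down to one triage pass over the device inventory. The following is an added example (not code from the article or from any router vendor) that applies the article's own criteria: firmware more than 12 months old, hardware purchased before 2022, a model the vendor no longer updates, and management reachable from the internet. The field names and the sample inventory are constructed for illustration; in practice the rows come from your asset list or a network scan.

```python
"""Triage a router / access point inventory against the criteria in the
steps above and rank what to replace, update or review first.

Added example, not from the article. Field names and the sample inventory
are constructed; REFERENCE_DATE is a fixed "today" so the output is
reproducible, replace it with date.today() in real use.
"""
from datetime import date

REFERENCE_DATE = date(2026, 3, 2)       # constructed "today"
MAX_FIRMWARE_AGE_DAYS = 365             # article: >12 months without an update
LEGACY_CUTOFF = date(2022, 1, 1)        # article: devices bought before 2022

# Constructed inventory. firmware_date is the release date of the firmware
# the device currently runs; supported is whether the vendor still ships
# firmware for the model; wan_mgmt is whether the management interface is
# reachable from the internet.
SAMPLE_INVENTORY = [
    {"name": "edge-rtr-1", "vendor": "VendorA", "model": "RX-100",
     "purchased": date(2019, 5, 1), "firmware_date": date(2020, 2, 10),
     "supported": False, "wan_mgmt": True},
    {"name": "branch-rtr", "vendor": "VendorB", "model": "BR-20",
     "purchased": date(2021, 8, 15), "firmware_date": date(2025, 9, 1),
     "supported": True, "wan_mgmt": False},
    {"name": "ap-floor2", "vendor": "VendorC", "model": "AP-7",
     "purchased": date(2023, 3, 3), "firmware_date": date(2026, 1, 20),
     "supported": True, "wan_mgmt": False},
    {"name": "guest-rtr", "vendor": "VendorB", "model": "BR-20",
     "purchased": date(2022, 6, 1), "firmware_date": date(2024, 1, 5),
     "supported": True, "wan_mgmt": True},
]


def triage_device(dev, today):
    """Return the action for one device plus the findings that drove it."""
    findings = []
    firmware_age = (today - dev["firmware_date"]).days
    if not dev["supported"]:
        findings.append("REPLACE: vendor no longer ships firmware")
    if firmware_age > MAX_FIRMWARE_AGE_DAYS:
        findings.append(f"UPDATE: firmware is {firmware_age} days old")
    if dev["purchased"] < LEGACY_CUTOFF:
        findings.append("PRIORITY: pre-2022 hardware")
    if dev["wan_mgmt"]:
        findings.append("PRIORITY: management reachable from the internet")

    # Unsupported hardware cannot be patched, so it outranks everything else;
    # stale firmware is next; exposure-only findings still deserve a look.
    if not dev["supported"]:
        action = "replace"
    elif firmware_age > MAX_FIRMWARE_AGE_DAYS:
        action = "update"
    elif findings:
        action = "review"
    else:
        action = "ok"
    urgent = dev["wan_mgmt"] or dev["purchased"] < LEGACY_CUTOFF
    return {"name": dev["name"], "action": action,
            "urgent": urgent, "findings": findings}


def triage_inventory(inventory, today=None):
    """Triage every device and order the list so the worst cases come first:
    by action, then internet-facing / legacy devices ahead of the rest."""
    today = today or date.today()
    order = {"replace": 0, "update": 1, "review": 2, "ok": 3}
    rows = [triage_device(d, today) for d in inventory]
    return sorted(rows, key=lambda r: (order[r["action"]], not r["urgent"], r["name"]))


if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY, REFERENCE_DATE):
        flag = " (urgent)" if row["urgent"] else ""
        print(f"{row['name']:<12} {row['action']:<8}{flag}")
        for finding in row["findings"]:
            print(f"    - {finding}")
```

The ordering is the point: the unsupported, internet-facing edge router comes out first regardless of anything else, because no firmware update will ever arrive for it, which is the article's step 3 in code.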
The essentials
- Russian state-backed hackers hit 18,000+ business networks by exploiting firmware flaws in legacy routers — without using malware
- The attack stole Microsoft Office authentication tokens, which bypass MFA and provide full account access
- Any business running routers with outdated firmware is potentially exposed right now
- The fix requires firmware audits, updates or hardware replacement, and Microsoft 365 session hardening
- This was an indiscriminate sweep, not targeted espionage — SMBs are at as much risk as large enterprises
Questions answered
What is an authentication token and why is stealing one so dangerous?
An authentication token is a digital credential issued after a successful login — it tells services like Microsoft 365 that you’ve already verified your identity. Stealing a token allows an attacker to impersonate you without knowing your password or passing MFA. Tokens are typically valid for hours or days, giving attackers extended access to your accounts.
How do I know if my router is vulnerable to this type of attack?
Check your router manufacturer’s website for security advisories and the current firmware version for your model. If your router hasn’t received a firmware update in over 12 months, treat it as potentially vulnerable. Running a network security scan — like the free assessment at DefendMyBusiness.com — can identify exposed devices and outdated configurations on your network.
Should I be concerned if I use Microsoft 365 for my small business?
Yes. This campaign specifically targeted Microsoft Office users because of how widely the platform is used. If your business uses 365 for email, Teams, or file storage, and your network routes that traffic through a legacy router, your session tokens may have been exposed. Applying the steps above significantly reduces your risk.
What’s the difference between this attack and a regular phishing attack?
A phishing attack tricks an employee into handing over credentials or clicking a malicious link. This attack is passive — it exploited router infrastructure to collect tokens without any employee action required. No suspicious email, no suspicious link. This is why standard security awareness training alone doesn’t prevent it.
How much does it cost to fix this?
For most SMBs, firmware updates are free — just time and access to the router management interface. If routers need replacing, business-grade hardware typically costs $150–$800 per unit. Professional network security assessments range from $500–$2,500. A data breach in the US costs an average of $4.4 million. The math is straightforward.
Free security scan:
Run a free assessment at DefendMyBusiness.com to identify outdated network devices, exposed credentials, and security gaps on your business network. Results delivered in minutes.
Recommended Email Security Vendors
DefendMyBusiness partners with a curated network of 400+ vetted providers. Four currently active in our ecosystem for email security:
Unisys
Unisys is a global technology solutions company that powers breakthroughs for the world’s leading organizations. Our solutions & digital workplace; cloud, applications & infrastructure; enterprise
Convergia
Convergia is the PanAmerican Value-Added Distributor of Connectivity Solutions, founded in Santiago de Chile and Montreal, Canada in 1998. Convergia serves as an aggregator of the largest PanAmerican
CBTS
In the channel, CBTS has become the go-to provider for complex and unique requests, multi-location projects, mission-critical networking and voice problems, cloud migrations, and managed security serv
Powernet
Powernet is a Woman-Owned business with more than 30 years of experience and expert sales, engineering, and support teams, which provide our clients with unparalleled service and the innovative techno
Unsure which fits your business? We’ll match you with three in 24 hours, no obligation.
Keep going
Book a free 20-minute call
We will map out your options and pull three matched email security providers from our 400+ vendor network. No obligation, no newsletter drip — one call, clear direction.