GRU-Linked Router Exploitation Harvesting Microsoft 365 Authentication Tokens

Indicators

• Unexpected Microsoft 365 sign-ins from unfamiliar IPs or geographies
• Active OAuth tokens or sessions originating from suspicious or foreign IP space
• Mailbox access (MailItemsAccessed) without corresponding interactive user logon
• Anomalous outbound traffic from edge routers to unknown external endpoints
• Edge routers running outdated/end-of-life firmware with known unpatched CVEs
• Unauthorized configuration changes on perimeter routers (admin accounts, DNS, port forwards)
• Token replay or impossible-travel events in Entra ID sign-in logs

Likely causes

• Internet-facing routers running outdated, end-of-life, or unpatched firmware
• Default or weak administrative credentials on perimeter routers with WAN management exposed
• Exploitation of known router CVEs allowing remote code execution or traffic interception
• Lack of token binding, device compliance, or Continuous Access Evaluation in Microsoft 365
• No network segmentation between edge devices and authentication traffic flows

Diagnostic steps

1. Inventory all internet-facing routers; capture make, model, firmware version, and end-of-support status.
2. Cross-reference router firmware against vendor advisories and the CISA KEV catalog for known exploited CVEs.
3. Review router logs and configuration for unauthorized admin accounts, modified DNS settings, suspicious port forwarding, or unexpected tunnels.
4. In Microsoft Entra ID, audit sign-in logs for anomalous IPs, impossible travel, and token replay using the Entra portal or Get-MgAuditLogSignIn.
5. Query the Microsoft 365 Unified Audit Log for MailItemsAccessed, OAuth consent grants, and inbox rule creation from unfamiliar source IPs.
6. Identify users authenticating from behind affected routers and flag accounts for token revocation and credential reset.
7. Capture and inspect perimeter traffic to detect TLS interception, proxy redirection, or token exfiltration to attacker infrastructure.
8. Check for persistence mechanisms: malicious mail forwarding rules, delegated mailbox permissions, and unauthorized OAuth app consents.

Resolution path

• Identify and isolate vulnerable or end-of-life routers from the network perimeter
• Patch router firmware to the latest vendor-supported version, or replace unsupported hardware
• Reset router admin credentials and disable remote/WAN-side management interfaces
• Revoke all Microsoft 365 refresh and session tokens for users behind affected networks via Revoke-MgUserSignInSession
• Force password resets and MFA re-enrollment for impacted accounts
• Implement Conditional Access policies requiring compliant/managed devices and token protection
• Hunt for persistence — mail forwarding rules, inbox rules, OAuth app consents, delegated permissions — and remove malicious artifacts
• Engage IR / forensic team and preserve router and M365 audit logs for investigation

Prevention

• Maintain a regular firmware patching cadence for all network edge devices
• Replace end-of-life routers and disable WAN-side management interfaces
• Enforce phishing-resistant MFA (FIDO2/passkeys) for Microsoft 365 access
• Enable Microsoft Entra token protection and Continuous Access Evaluation (CAE)
• Apply Conditional Access policies restricting access to compliant devices and trusted locations
• Segment management traffic and monitor edge devices with EDR/NDR telemetry
• Subscribe to vendor and CISA advisories for router-related CVEs and act promptly on KEV additions

Tools

• Microsoft Entra ID sign-in and audit logs
• Microsoft 365 Defender / Unified Audit Log
• PowerShell Microsoft.Graph module (Revoke-MgUserSignInSession)
• CISA Known Exploited Vulnerabilities (KEV) catalog
• Router vendor firmware update utilities (Cisco, MikroTik, ASUS, etc.)
• Network traffic analyzers (Wireshark, Zeek)
• Shodan / Censys for external exposure assessment

References

• Russia Hacked Routers to Steal Microsoft Office Tokens - KrebsOnSecurity
• CISA Known Exploited Vulnerabilities Catalog
• Microsoft - Revoke user access in Entra ID