SOHO Routers under Attack: How DNS Hijacking Paves the Way for Silent Espionage
A recent investigation by Microsoft reveals a sophisticated campaign where the state-sponsored actor Forest Blizzard (STRONTIUM) compromises home and small office routers to perform DNS hijacking and facilitate adversary-in-the-middle (AITM) attacks. The result is persistent visibility into network traffic without directly compromising corporate systems.
Since mid-2025, the group has been exploiting improperly configured or unpatched routers to take control of their network settings. Once inside, attackers modify the DNS servers configured on the router, redirecting traffic towards infrastructure controlled by the attacker and maintaining a passive presence that is difficult to detect. Unlike traditional attacks, malware is not always visible at the endpoint. The compromise occurs earlier, in the network layer.
DNS hijacking lets the attacker redirect legitimate domains such as Outlook Web, intercept TLS sessions through AITM techniques, and capture session credentials or tokens. This turns the router into an invisible proxy between the user and the service. It is important to understand that not all encryption is broken: often, attackers trick users or abuse authentication flows to capture valid sessions.
According to Microsoft, the campaign has affected over 200 organizations and around 5,000 compromised SOHO devices, used in intelligence operations with geopolitical motivations. These routers function as a distributed network that allows the attacker to hide their infrastructure, operate from apparently legitimate locations, and scale into corporate environments without raising suspicion.
This attack marks an important shift in threat models. Security no longer begins solely within the company; it also extends to employees' homes. These are invisible attacks, with no obvious malware or traditional alerts, that exploit low-cost, high-availability devices like home routers. Additionally, a compromised router can remain undetected for long periods.
Although the affected device is outside the corporate environment, the impact is direct. It can facilitate access to business credentials, session hijacking of SaaS applications, exposure of sensitive traffic, and bypassing traditional security controls. This risk is particularly relevant in remote work scenarios, personal device usage, and cloud service access.
Microsoft recommends basic but critical measures: changing default credentials, updating router firmware, reviewing DNS configurations, and disabling unnecessary remote access. At an organizational level, it is crucial to monitor DNS anomalies, implement AITM attack detection, reinforce multifactor authentication, and segment access to critical resources. It is also essential to educate users about the risks associated with their home networks.
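As an added illustration of the "review DNS configurations" and "monitor DNS anomalies" measures (this is not code from Microsoft's report), the following script audits per-host snapshots of configured resolvers and observed answers against an allowlist and out-of-band baselines; the allowlist, the known-good ranges and the sample lines are all constructed for the example.

```python
"""Audit DNS settings/answers for router-level hijacking (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass, field

# Hypothetical allowlist: resolvers the router is expected to hand out via DHCP.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
# Hypothetical known-good ranges for a sensitive name, gathered out-of-band
# (e.g. via DoH from a trusted network), never through the router under test.
KNOWN_GOOD = {"outlook.office.com": [ipaddress.ip_network("203.0.113.0/24")]}

@dataclass
class HostSnapshot:
    host: str
    resolvers: list                               # DNS servers configured on the host
    answers: dict = field(default_factory=dict)   # name -> A records observed

def audit(snap: HostSnapshot) -> list:
    """Return findings; an empty list means nothing suspicious was observed."""
    findings = []
    for resolver in snap.resolvers:
        if resolver not in EXPECTED_RESOLVERS:
            findings.append(f"{snap.host}: unexpected resolver {resolver}")
    for name, records in snap.answers.items():
        good = KNOWN_GOOD.get(name)
        if good is None:
            continue  # no baseline for this name, nothing to compare against
        for record in records:
            if not any(ipaddress.ip_address(record) in net for net in good):
                findings.append(f"{snap.host}: {name} -> {record} outside known-good ranges")
    return findings

def parse_snapshots(lines) -> list:
    """Parse constructed 'host|resolver,resolver|name=ip,ip;name=ip' lines."""
    snapshots = []
    for line in lines:
        host, resolvers, answers = line.strip().split("|")
        snap = HostSnapshot(host, resolvers.split(","))
        for entry in filter(None, answers.split(";")):
            name, ips = entry.split("=")
            snap.answers[name] = ips.split(",")
        snapshots.append(snap)
    return snapshots
# Constructed sample: one healthy host, one behind a router whose DNS was rewritten.
SAMPLE = [
    "laptop-a|192.0.2.53,192.0.2.54|outlook.office.com=203.0.113.10",
    "laptop-b|198.51.100.7|outlook.office.com=198.51.100.20",
]
if __name__ == "__main__":
    for snap in parse_snapshots(SAMPLE):
        print(snap.host, audit(snap) or "clean")
```

A host whose resolver was rewritten by the router and whose answer for the mail domain falls outside the baseline produces two findings; the healthy host produces none.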
The conclusion is clear: security is no longer breached only from within; it is besieged from the outside. SOHO routers, traditionally overlooked, have become a strategic point in modern espionage campaigns. While organizations strengthen their internal systems, attackers are exploiting the weakest link: the user's home network.
Compromise of SOHO Routers Leads to DNS Hijacking and Adversary-in-the-Middle Attacks
Summary: Microsoft reports on a sophisticated campaign by the state-sponsored actor Forest Blizzard (STRONTIUM), which compromises SOHO routers to hijack DNS and conduct adversary-in-the-middle (AITM) interception of TLS traffic.
Key facts
- Compromise of SOHO routers by Forest Blizzard since August 2025
- DNS hijacking to intercept TLS traffic in Microsoft Outlook on the web
- Identification of over 200 organizations and 5,000 compromised devices
Why it matters
This discovery underscores the need to bolster security on home and small office devices, as they can be used by malicious actors to compromise larger systems. Organizations must be prepared to detect and mitigate these threats.