TTPwire Vol. 1 · MITRE ATT&CK·Tagged


SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks

Microsoft Threat Intelligence · 2026-04-07

ATT&CK techniques detected

21 predictions

T1557.001 · Name Resolution Poisoning and SMB Relay · 89%
"query forwarding and IP address assignment on a local network. Adversary-in-the-middle attacks. Microsoft Threat Intelligence has observed AitM attacks related to the initial access campaign. Although they target different endpoints, both are Transport Layer Security (TLS)…"

T1557.001 · Name Resolution Poisoning and SMB Relay · 89%
"hijacking, the actor is likely using it selectively against targets of intelligence priority. Post-compromise: AitM attack against Microsoft 365 domains: Microsoft observed Forest Blizzard conducting follow-on AitM operations against a subset of domains associated with Micro…"

T1078.004 · Cloud Accounts · 86%
"…mate response to risky sign-ins. A sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner. A sign-in risk-based policy can be implemented by adding a sign-in risk condition to Conditional Access policies th…"

T1557 · Adversary-in-the-Middle · 78%
"query forwarding and IP address assignment on a local network. Adversary-in-the-middle attacks. Microsoft Threat Intelligence has observed AitM attacks related to the initial access campaign. Although they target different endpoints, both are Transport Layer Security (TLS)…"

T1557.001 · Name Resolution Poisoning and SMB Relay · 75%
"persistent, passive visibility and reconnaissance at scale. By compromising edge devices that are upstream of larger targets, threat actors can take advantage of less closely monitored or managed assets to pivot into enterprise environments. Microsoft Threat Intelligence has iden…"

T1557.001 · Name Resolution Poisoning and SMB Relay · 73%
"report. Microsoft tracks the specific component of Forest Blizzard associated with this activity as Storm-2754. Forest Blizzard actor activity detected. Storm-2754 activity. Entra ID Protection: the following Microsoft Entra ID Protection risk detection informs Entra ID user ris…"

T1556.006 · Multi-Factor Authentication · 70%
"seamless authentication process, as well as configure Microsoft Entra's machine learning models to operate on all identity data, thus learning the difference between legitimate access and malicious access quicker and easier. It is recommended to synchronize all user accounts ex…"

T1557.001 · Name Resolution Poisoning and SMB Relay · 68%
", which might include active traffic interception. Targeting SOHO devices is not a new tactic, technique, or procedure (TTP) for Russian military intelligence actors, but this is the first time Microsoft has observed Forest Blizzard using DNS hijacking at scale to support AitM …"

T1557.001 · Name Resolution Poisoning and SMB Relay · 68%
"Twitter), and Bluesky. To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast. The post SOHO router compromise leads to DNS hijacking and adversary-in-the-…"

T1557 · Adversary-in-the-Middle · 65%
", which might include active traffic interception. Targeting SOHO devices is not a new tactic, technique, or procedure (TTP) for Russian military intelligence actors, but this is the first time Microsoft has observed Forest Blizzard using DNS hijacking at scale to support AitM …"

T1557 · Adversary-in-the-Middle · 64%
"persistent, passive visibility and reconnaissance at scale. By compromising edge devices that are upstream of larger targets, threat actors can take advantage of less closely monitored or managed assets to pivot into enterprise environments. Microsoft Threat Intelligence has iden…"

T1584.002 · DNS Server · 62%
"campaign, from initial access on vulnerable SOHO routers to actor-controlled DNS resolution and AitM activity. Edge router compromise: Forest Blizzard gained access to SOHO devices then altered their default network configurations to use actor-controlled DNS resolvers. This ma…"

T1078.004 · Cloud Accounts · 61%
"activity. Post-compromise activity: Forest Blizzard's post-compromise AitM activity could enable the actor to operate in the environment as a valid user. Establishing a baseline of normal user activity is important to be able to identify and investigate potentially anomalous…"

T1557.001 · Name Resolution Poisoning and SMB Relay · 53%
"campaign, from initial access on vulnerable SOHO routers to actor-controlled DNS resolution and AitM activity. Edge router compromise: Forest Blizzard gained access to SOHO devices then altered their default network configurations to use actor-controlled DNS resolvers. This ma…"

T1528 · Steal Application Access Token · 51%
"activity. Post-compromise activity: Forest Blizzard's post-compromise AitM activity could enable the actor to operate in the environment as a valid user. Establishing a baseline of normal user activity is important to be able to identify and investigate potentially anomalous…"

T1557.001 · Name Resolution Poisoning and SMB Relay · 47%
"SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks. Executive summary: Forest Blizzard, a threat actor linked to the Russian military, has been compromising insecure home and small-office internet equipment like routers, then modifying their s…"

T1071.004 · DNS · 44%
"campaign, from initial access on vulnerable SOHO routers to actor-controlled DNS resolution and AitM activity. Edge router compromise: Forest Blizzard gained access to SOHO devices then altered their default network configurations to use actor-controlled DNS resolvers. This ma…"

T1557.001 · Name Resolution Poisoning and SMB Relay · 43%
"hijacking and adversary-in-the-middle attacks. Microsoft Security Copilot: Microsoft Security Copilot is embedded in Microsoft Defender and provides security teams with AI-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guid…"

T1584.002 · DNS Server · 35%
"hijacking, the actor is likely using it selectively against targets of intelligence priority. Post-compromise: AitM attack against Microsoft 365 domains: Microsoft observed Forest Blizzard conducting follow-on AitM operations against a subset of domains associated with Micro…"

T1078.004 · Cloud Accounts · 32%
"could potentially carry out a range of activity against targets as a legitimate user. For Microsoft 365 environments, the ActionType “Search” or “MailItemsAccessed” in the CloudAppEvents table in the Defender XDR portal can provide some information on user search activities, …"

T1584.002 · DNS Server · 30%
"SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks. Executive summary: Forest Blizzard, a threat actor linked to the Russian military, has been compromising insecure home and small-office internet equipment like routers, then modifying their s…"

Summary

Executive summary: Forest Blizzard, a threat actor linked to the Russian military, has been compromising insecure home and small-office internet equipment like routers, then modifying their settings in ways that turn them into part of the actor’s malicious infrastructure.

The post SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks appeared first on Microsoft Security Blog.