Identity-focused cyber attacks rise
Attackers have been hijacking consumer MikroTik and TP‑Link routers to siphon traffic and steal Microsoft 365 credentials, showing that home devices are a direct path into corporate systems. (bleepingcomputer.com) (techradar.com) At the same time, device‑code phishing is compromising hundreds of organizations daily, and U.S. losses to cybercrime reached nearly $21 billion last year: identity and modern authentication flows are the main weak spots. (theregister.com) (bleepingcomputer.com)
A home router used to be treated like a boring utility box: set it up once, forget it, and assume the real security fight starts on the laptop. The latest wave of attacks shows that assumption is wrong. In April 2026, government agencies and security researchers described campaigns in which attackers hijacked consumer MikroTik and TP-Link routers, quietly redirected internet traffic, and used that position to steal Microsoft 365 credentials and authentication tokens from downstream devices. At the same time, Microsoft warned that a separate device-code phishing campaign is compromising organizations at scale every day, and the Federal Bureau of Investigation said Americans lost nearly $21 billion to cyber-enabled crime in 2025. The common thread is identity: attackers are increasingly going after the logins, tokens, and trust flows that let them slip into corporate systems without needing to break in the old-fashioned way. (bleepingcomputer.com)

The router attacks are a reminder of how much trust sits in a cheap plastic box on a shelf. A router decides where a home or small-office device sends its traffic, much like a mail sorter decides which address gets each envelope. If an attacker takes control of that sorter, they do not need to compromise every laptop one by one. They can manipulate the path that many devices follow, including the work laptops employees use from home. That is why security agencies now describe consumer networking gear as a direct path into enterprise environments rather than a separate, low-priority problem. (ncsc.gov.uk)

The specific trick in the router campaign was Domain Name System (DNS) hijacking. DNS is the internet's phone book: it turns a name, such as a company's login page, into the numeric address a device actually connects to.
According to the United Kingdom's National Cyber Security Centre, Russian state-linked attackers exploited vulnerable routers and changed their Dynamic Host Configuration Protocol (DHCP) and DNS settings so that victim devices were handed attacker-controlled name servers instead of legitimate ones. Because DHCP is how a router tells every device behind it which resolver to use, a single change on the router silently reconfigured every laptop and phone on the network, and their lookups could then be steered toward infrastructure chosen by the attackers. (ncsc.gov.uk)

That kind of redirection is powerful because it happens below the level most users ever see. A worker can open a browser, type a familiar address, and believe they are taking the normal route to a Microsoft sign-in page. But if the router has already been altered, the traffic can be sent through systems controlled by the attacker first. Researchers and government agencies said that let the operators perform adversary-in-the-middle attacks, intercepting connections and harvesting passwords, OAuth tokens, and other credentials tied to webmail and cloud services. In plain terms, the attacker stands in the hallway between the employee and the office, copying the badge as it passes through. (infosecurity-magazine.com)

The campaign tied to these router hijacks has been linked to APT28, the group also known as Fancy Bear or Forest Blizzard, which Western governments associate with Russia's military intelligence service. The National Cyber Security Centre said the group had been actively modifying virtual private servers since 2024 to operate as malicious DNS servers, while Microsoft said one cluster of activity had been compromising small office and home office routers since at least August 2025. The operation was broad rather than surgical at first: officials described it as opportunistic, with the attackers casting a wide net across vulnerable devices and then narrowing down to people and organizations of intelligence value. The scale is large enough to matter well beyond espionage specialists. (ncsc.gov.uk)
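The DHCP and DNS tampering described above leaves two traces that a practitioner can check from inside the affected LAN: the DNS servers the router now hands out in its DHCP OFFER, and the answers the LAN resolver gives for sign-in hostnames compared with a resolver reached by another path. The following is an added example, not code from any of the cited advisories or vendors. The DHCP option bytes, the trusted-resolver list and all DNS answers are constructed so it runs offline; the addresses come from documentation ranges and do not represent real attacker or Microsoft infrastructure.

```python
"""Spot DHCP-delivered rogue DNS servers and divergent answers for sign-in hosts."""
import ipaddress

# DHCP option codes from RFC 2132 that matter here.
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_END = 0, 3, 6, 53, 255


def parse_dhcp_options(options: bytes) -> dict[int, bytes]:
    """Parse the TLV option field that follows the DHCP magic cookie."""
    parsed: dict[int, bytes] = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = options[i + 1]
        parsed[code] = options[i + 2 : i + 2 + length]
        i += 2 + length
    return parsed


def ipv4_list(raw: bytes) -> list[str]:
    """Decode a run of 4-byte IPv4 addresses (options 3 and 6 carry these)."""
    return [str(ipaddress.IPv4Address(raw[j : j + 4])) for j in range(0, len(raw) - 3, 4)]


def rogue_dns_servers(options: bytes, trusted_resolvers: set[str]) -> list[str]:
    """DNS servers in the OFFER that are neither the gateway nor a resolver you chose.

    On an untouched home router the only DNS server handed out is normally the
    router itself (or the public resolver you configured on purpose), so any
    other address is worth a closer look.
    """
    opts = parse_dhcp_options(options)
    gateway = set(ipv4_list(opts.get(OPT_ROUTER, b"")))
    return [s for s in ipv4_list(opts.get(OPT_DNS, b""))
            if s not in gateway and s not in trusted_resolvers]


def divergent_answers(lan_answers: dict[str, list[str]],
                      reference_answers: dict[str, list[str]]) -> dict[str, tuple[list[str], list[str]]]:
    """Names whose LAN answer shares no address with the reference answer.

    The reference should come from a resolver reached outside the LAN (for
    example over DNS-over-HTTPS from a laptop tethered to a phone). Caveat:
    cloud sign-in services sit behind CDNs and legitimately return different
    addresses to different clients, so a mismatch is a prompt to check whose
    network the address belongs to, not proof of tampering by itself.
    """
    return {
        name: (lan, reference_answers[name])
        for name, lan in lan_answers.items()
        if name in reference_answers and set(lan).isdisjoint(reference_answers[name])
    }


# Constructed DHCP OFFER option areas. The gateway is 192.168.88.1 (MikroTik's
# default LAN address). The tampered offer adds 203.0.113.7 (TEST-NET-3) as a
# second DNS server, standing in for an attacker-controlled VPS.
BENIGN_OFFER = bytes.fromhex("350102" "0304c0a85801" "0604c0a85801" "ff")
TAMPERED_OFFER = bytes.fromhex("350102" "0304c0a85801" "0608c0a85801cb007107" "ff")
TRUSTED_RESOLVERS = {"9.9.9.9"}  # assumption: a resolver the owner configured deliberately

# Constructed answers: the LAN resolver sends the login host to the rogue box,
# while a control name resolves the same both ways.
LAN_ANSWERS = {"login.microsoftonline.com": ["203.0.113.7"], "example.com": ["198.51.100.20"]}
REFERENCE_ANSWERS = {"login.microsoftonline.com": ["198.51.100.40"], "example.com": ["198.51.100.20"]}

if __name__ == "__main__":
    print("rogue DNS servers:", rogue_dns_servers(TAMPERED_OFFER, TRUSTED_RESOLVERS))
    print("divergent names:", list(divergent_answers(LAN_ANSWERS, REFERENCE_ANSWERS)))
```

On a real network the OFFER bytes would come from a packet capture of the DHCP exchange (the option area starts after the 4-byte magic cookie), and the two answer sets from the LAN resolver and an out-of-band one. The DHCP check is the more reliable of the two: an unexpected resolver address in option 6 has no benign CDN explanation.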
TechCrunch, citing Microsoft and Lumen's Black Lotus Labs, reported that at least 18,000 victims in roughly 120 countries were affected, and that Microsoft identified more than 200 organizations and 5,000 consumer devices touched by the malicious DNS infrastructure. Those numbers help explain why home networking gear has become such an attractive target: a single weak router exposes not just one person but every phone, laptop, tablet, and work session behind it. (techcrunch.com)

The devices involved were not especially exotic. Advisories pointed to vulnerable and often outdated small-office and home-office routers, including MikroTik hardware and several TP-Link models. One model called out by the National Cyber Security Centre was the TP-Link WR841N, which officials said was likely exploited using CVE-2023-50224, a flaw that lets an unauthenticated attacker obtain sensitive information through crafted web requests. Many of the targeted devices are old enough that they no longer receive firmware updates, which turns them into long-lived stepping stones for anyone willing to scan the internet for neglected equipment. (infosecurity-magazine.com)

Law enforcement and private-sector partners say they have disrupted part of this activity. BleepingComputer reported on April 7 that an international operation targeted FrostArmada, an APT28 campaign that hijacked local traffic from MikroTik and TP-Link routers to steal Microsoft account credentials. "Disrupted" does not mean the underlying weakness is gone. It means some malicious infrastructure has been taken down and some operations have been interrupted. The installed base of aging routers in homes and small businesses is still there, and the basic technique of tampering with traffic paths remains effective wherever those devices stay exposed and unpatched.
(bleepingcomputer.com)

At the same time, attackers are finding a second route around traditional password defenses by abusing modern sign-in flows. On April 6, Microsoft said it had observed a widespread phishing campaign using Device Code Authentication to compromise organizational accounts at scale. Device code sign-in is a legitimate feature for devices with limited keyboards or browsers, such as smart televisions or conference-room equipment: the device shows a short code, and the user enters it on another device where they sign in normally. The weakness is not the code itself. It is that the code carries no indication of who requested it, so a user can be tricked into entering a code the attacker requested, approving the attacker's session and handing over an authentication token without the attacker ever learning the victim's password. (microsoft.com)

Microsoft said this campaign pushed the technique much further than earlier device-code phishing. Earlier lures embedded a code generated when the email was sent, so it often expired (device codes are valid for only 15 minutes) before the victim acted. Instead, the operators automated the flow and generated the code dynamically, only when the victim clicked, so the victim always saw a fresh one. Microsoft also said the attackers used generative artificial intelligence to tailor phishing emails to the victim's role, then used the stolen tokens for email theft, inbox-rule persistence, and Microsoft Graph reconnaissance to map the organization after the initial compromise. The Register summarized the result in blunt terms on April 7: hundreds of organizations are being compromised daily. (microsoft.com)

Put the router hijacks and the device-code phishing together and a pattern emerges. In both cases the attacker is not smashing through a firewall or dropping obvious malware first; the attacker is abusing trust. In one path, they tamper with the network route so the victim hands over credentials while trying to do normal work. In the other, they abuse a legitimate authentication flow so the victim authorizes the attacker's session themselves.
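The device-code abuse described above is easiest to see by running the grant end to end. The following is an added example that models the OAuth 2.0 device authorization grant (RFC 8628) with a tiny in-memory authorization server; it is not Microsoft's code or any of the reported attackers' tooling. The endpoint names, the `attacker-client` identifier, the 15-minute lifetime and the blocked-user set (standing in for a policy that denies the device-code flow to particular users) are assumptions. It shows why a lure with a code minted at send time usually fails, why minting the code when the victim clicks does not, and what a policy block does to the attacker's polling loop.

```python
"""RFC 8628 device authorization grant: server, victim approval, attacker polling."""
import secrets
import string
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceGrant:
    user_code: str          # short code the human types on the verification page
    device_code: str        # long secret the requesting client polls with
    client_id: str
    issued_at: float
    expires_in: int = 900   # 15 minutes, the lifetime the article refers to
    approved_by: Optional[str] = None


class AuthServer:
    """Minimal authorization server: device_authorization, user approval, token."""

    def __init__(self, clock=time.time, block_device_code_for=()):
        self.clock = clock
        self.grants: dict[str, DeviceGrant] = {}
        # Users for whom the device-code flow is disallowed (policy stand-in, assumption).
        self.blocked = set(block_device_code_for)

    def device_authorization(self, client_id: str) -> dict:
        """Step 1: the *requesting client* (here, the attacker) asks for a code pair."""
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(9))
        grant = DeviceGrant(user_code, secrets.token_urlsafe(32), client_id, self.clock())
        self.grants[grant.device_code] = grant
        return {"device_code": grant.device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",
                "expires_in": grant.expires_in, "interval": 5}

    def _live(self, grant: DeviceGrant) -> bool:
        return self.clock() - grant.issued_at <= grant.expires_in

    def user_approves(self, user_code: str, user: str) -> str:
        """Step 2: the victim signs in normally and types the code from the lure.
        Nothing here tells the victim who requested the code."""
        grant = next((g for g in self.grants.values() if g.user_code == user_code), None)
        if grant is None or not self._live(grant):
            return "invalid_or_expired"
        if user in self.blocked:
            return "blocked_by_policy"
        grant.approved_by = user
        return "approved"

    def token(self, device_code: str) -> dict:
        """Step 3: what the attacker's polling loop receives."""
        grant = self.grants.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if not self._live(grant):
            return {"error": "expired_token"}
        if grant.approved_by is None:
            return {"error": "authorization_pending"}
        return {"access_token": f"token-for-{grant.approved_by}", "token_type": "Bearer"}


class FakeClock:
    """Controllable clock so the 15-minute window can be crossed deterministically."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def run_lure(victim: str, delay_seconds: int, mint_on_click: bool, blocked=()) -> tuple:
    """Simulate one phish. A static lure mints the code when the mail is sent;
    the campaign described above mints it when the victim clicks, so the delay
    between send and click no longer matters. Returns (approval outcome, token response)."""
    clock = FakeClock()
    server = AuthServer(clock=clock, block_device_code_for=blocked)
    if not mint_on_click:
        lure = server.device_authorization("attacker-client")
    clock.now += delay_seconds            # the victim gets to the email later
    if mint_on_click:
        lure = server.device_authorization("attacker-client")
    outcome = server.user_approves(lure["user_code"], victim)
    return outcome, server.token(lure["device_code"])


if __name__ == "__main__":
    print("static lure, 1h delay:  ", run_lure("alice", 3600, mint_on_click=False))
    print("on-click lure, 1h delay:", run_lure("alice", 3600, mint_on_click=True))
    print("on-click, flow blocked: ", run_lure("alice", 3600, mint_on_click=True, blocked={"alice"}))
```

The point of the last case is that the only reliable fix is on the authorization server side: once the victim has typed the code, no amount of user vigilance helps, because the approval screen is the real sign-in page. Denying the device-code flow for users and devices that never legitimately need it removes the grant the attacker is waiting for.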
Different entry points, same prize: a token or credential that says “this user belongs here.” (infosecurity-magazine.com)

The Federal Bureau of Investigation's new numbers show how expensive this shift has become. The bureau said on April 6 that the Internet Crime Complaint Center received 1,008,597 complaints in 2025, up from 859,532 in 2024, and that cyber-enabled crimes defrauded Americans of nearly $21 billion. Phishing and spoofing were among the most frequently reported complaint types, while business email compromise remained one of the costliest categories. The bureau also said it now receives nearly 3,000 complaints per day. Those figures are not limited to identity attacks, but they describe an environment in which stealing trust at scale has become one of the internet's most