What happened

APT28 — a threat group attributed to Russian military intelligence (GRU) — compromised approximately 18,000 internet-facing routers globally. These routers were used as infrastructure to intercept and steal OAuth session tokens from users of major platforms. The FBI dismantled the network in April 2026.

What is a session token and why does it matter?

When you log into Microsoft 365 (or any online service), your browser receives a session token — a small piece of data that tells the website "this is the person who already authenticated." The website trusts the token for a period of time without requiring your password or MFA code again.

If an attacker steals your session token, they can present it to the website as if they are you. Unless the service ties the token to the specific device it was issued to, which most services do not yet do, the website cannot tell the copy from the original. Your password was never used. Your MFA was never triggered. The attacker is simply in.

This is why IT revokes sessions: When IT revokes your active sessions after suspicious activity, it invalidates all existing tokens for your account, including any copy an attacker is holding, and forces a fresh login everywhere. Depending on the service, a token that was already issued may keep working for a short time (often up to about an hour) until it expires on its own, which is why revocation is done as soon as suspicion arises rather than waiting for confirmation. This is one of the most effective immediate responses to suspected credential or token theft.
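For readers who want to see the mechanism rather than take it on faith, the following is a small model added to this bulletin; it is not code from the original page or from any vendor. The token format (HMAC-signed claims), the signing key, the user database and the per-user "revoked at" stamp are all assumptions chosen to make the behaviour visible. It shows three things the text above describes: a replayed copy of a token is accepted exactly like the original, revoking all sessions kills both the original and the copy, and a fresh login after revocation works again because its token is newer than the revocation stamp.

```python
"""Toy model of bearer session tokens: issue, replay, revoke, expire.

Constructed example for illustration only. Token format, key, user
database and revocation store are assumptions, not any real service's.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Server-side signing key (assumption: one static key for the whole service).
SERVER_KEY = secrets.token_bytes(32)

# Server-side state: constructed credentials and a per-user "sessions revoked at" stamp.
USERS = {"alice": "correct horse battery staple"}
REVOKED_AT = {}          # user -> timestamp of the last "revoke all sessions"
TOKEN_LIFETIME = 3600    # seconds a token stays valid on its own


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def login(user: str, password: str, mfa_ok: bool, now: float) -> Optional[str]:
    """Full authentication (password + MFA). This is the ONLY step that sees
    them; on success the user receives a bearer token good for TOKEN_LIFETIME."""
    if USERS.get(user) != password or not mfa_ok:
        return None
    claims = {"sub": user, "iat": now, "exp": now + TOKEN_LIFETIME,
              "sid": secrets.token_hex(8)}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return payload.decode() + "." + _sign(payload)


def validate(token: str, now: float) -> Optional[str]:
    """The website's check on every later request. Note what is NOT here:
    no password, no MFA, and no way to know who is actually holding the token."""
    try:
        payload_b64, sig = token.split(".")
    except ValueError:
        return None
    payload = payload_b64.encode()
    if not hmac.compare_digest(_sign(payload), sig):
        return None                       # tampered or forged
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if now >= claims["exp"]:
        return None                       # expired on its own
    # Revocation check: anything issued at or before the user's last
    # "revoke all sessions" action is dead, whoever presents it.
    if claims["iat"] <= REVOKED_AT.get(claims["sub"], -1):
        return None
    return claims["sub"]


def revoke_all_sessions(user: str, now: float) -> None:
    """What IT does after suspicious activity: every token issued up to now
    stops working for this user."""
    REVOKED_AT[user] = now


def demo() -> dict:
    t0 = time.time()
    alice_token = login("alice", USERS["alice"], mfa_ok=True, now=t0)
    stolen = alice_token                  # attacker obtains an exact copy
    results = {
        "legit_before": validate(alice_token, t0 + 60),
        "attacker_before": validate(stolen, t0 + 120),   # indistinguishable
        "tampered": validate(stolen[:-1] + ("0" if stolen[-1] != "0" else "1"), t0 + 60),
    }
    revoke_all_sessions("alice", now=t0 + 130)
    results["legit_after"] = validate(alice_token, t0 + 140)
    results["attacker_after"] = validate(stolen, t0 + 140)
    # A fresh login (password + MFA again) yields a token newer than the
    # revocation stamp, so Alice gets back in while the attacker stays out.
    fresh = login("alice", USERS["alice"], mfa_ok=True, now=t0 + 200)
    results["legit_fresh"] = validate(fresh, t0 + 210)
    results["expired"] = validate(fresh, t0 + 200 + TOKEN_LIFETIME)
    return results


if __name__ == "__main__":
    for name, who in demo().items():
        print(f"{name:16} -> {who}")
```

The revocation stamp is the whole trick: the server never needs a list of stolen tokens, it just refuses anything older than the moment IT pressed the button. Real services also expire tokens on their own (the `expired` case), which is why a stolen token has a limited shelf life even without revocation, and why revocation still matters for the hours before that.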

What you can do

  • Log out of accounts on devices you no longer use regularly. This ends those devices' sessions, so any token still stored on them stops working and cannot be replayed
  • Do not use public or shared Wi-Fi for work account access without a VPN
  • If IT asks you to re-authenticate to your accounts, do so promptly — it is a protective measure
  • Report any sign-in alerts from unfamiliar locations immediately