Forest Blizzard Proved That Changing One DNS Setting on a Home Router Is Enough to Harvest Enterprise Credentials at Scale
This week’s signals show attackers exploiting outdated assumptions, from trusted home networks and isolated PLCs to default AI permissions and the belief that remediation can keep pace with discovery.
INTRODUCTION
The assumption expiring this week is that adversaries need to plant code on a target to compromise it. Forest Blizzard proved that infrastructure configuration changes can replace implants entirely. Iran’s operators proved that internet-exposed PLCs can be sabotaged without sophisticated tooling. AWS showed that even vendors building secure-by-default AI infrastructure are shipping overly permissive trust models that attackers will find before defenders audit them. Anthropic showed that AI can now find vulnerabilities that survived 27 years of human review. The real question is not whether these are separate stories. It is whether your organization can absorb what is coming when infrastructure, identity, AI platforms, and remediation pipelines are all under pressure at the same time. Each case succeeded because defenders were operating against assumptions the adversary has already moved past.
None of these required breaking through hardened perimeter defenses or exploiting novel software vulnerabilities.
If your detection model still depends on finding malicious binaries, malicious network signatures, or malicious code, what exactly will it detect when the adversary’s entire toolkit is a DNS record and a proxy?
WEEKLY SIGNALS ANALYSIS
Malwareless espionage invalidates detection models built around artifacts. Forest Blizzard’s router campaign used only DNS reconfiguration and adversary-in-the-middle positioning. Review whether your detection stack can identify credential theft that produces no endpoint telemetry and no malicious payload.
Iran has crossed the line from reconnaissance to confirmed disruption on U.S. soil. CISA’s joint advisory confirms physical effects on energy and water PLCs. If your OT environment connects internet-exposed programmable logic controllers, treat this week as the deadline for segmentation enforcement, not the start of a planning cycle.
AI agent platforms are shipping trust models that assume benign tenants. Unit 42’s Bedrock AgentCore findings show that default IAM roles granted agents enough privilege to escalate to administrative access and exfiltrate data. Audit every managed AI service’s IAM baseline before production deployment.
Financial fraud campaigns now exploit enterprise productivity tools as the initial lure. Storm-2755 poisoned Office 365 search results and used adversary-in-the-middle phishing to hijack payroll. Payroll and HR system access deserves the same conditional access rigor applied to privileged admin accounts.
What not to over-index on: Project Glasswing as an immediate operational event. The capability is real and the long-term implications are significant, but most organizations do not need to treat Anthropic’s restricted program itself as this week’s primary threat. The more useful takeaway is to pressure-test your remediation pipeline now and build a cyber defense strategy on the assumption that compromise will happen, because AI-accelerated discovery will matter most when it starts producing more validated findings than your organization can absorb.
THIS WEEK’S SIGNALS
Signal 1: Forest Blizzard Turns Consumer Routers Into a Credential Harvesting Grid Without Deploying Malware
Why it matters: Russia’s GRU-linked Forest Blizzard (APT28) compromised at least 18,000 SOHO routers, modified their DNS settings, and used adversary-in-the-middle positioning to intercept Microsoft authentication tokens in transit. The FBI’s Operation Masquerade disrupted the campaign, but the real significance is not that the technique is new. It is that a familiar part of the adversary repertoire proved effective at large scale against modern enterprise identity flows without malware, implants, or endpoint visibility.
What is being misread: Most coverage frames this as a “router patching” problem. The deeper architectural failure is that enterprise authentication tokens traverse residential network infrastructure that organizations neither own nor monitor. The security model assumes that the transport layer between a remote employee’s device and Microsoft’s cloud is trustworthy, or at least inspectable. Forest Blizzard exploited the gap between those assumptions and reality. DNS integrity on the path between user and identity provider was never part of most enterprise threat models.
Think Red (Douglas McKee): I do not need to touch your laptop. I do not need to send you a phishing email. I need your home router’s admin password, which is probably still the factory default. One DNS change, and every authentication request from your household routes through my proxy. I collect OAuth tokens, session cookies, and NTLMv2 hashes without triggering a single alert on your managed endpoint. My minimum viable objective is a valid Microsoft 365 token that lets me read email and access SharePoint, and I achieve it by modifying infrastructure your employer has never inventoried. The real lesson is not that routers are insecure. It is that your enterprise perimeter now includes hardware your security team has never seen and will never patch.
Act Blue (Ismael Valenzuela): The uncomfortable reality is that your zero trust architecture probably stops at the corporate network boundary and assumes the transport layer is either encrypted or monitored. Forest Blizzard proved that neither assumption holds when an adversary controls DNS resolution on the path between user and identity provider. Immediately enable Device Bound Session Credentials (DBSC) in Chrome 146 for all managed browsers, which binds session cookies to the originating device’s TPM and makes stolen tokens unusable on attacker infrastructure. Push conditional access policies in Entra ID to require compliant, managed devices and enforce token binding where supported. But do not stop there. Deploy DNS telemetry collection for remote workforce segments. If your VPN split-tunnels authentication traffic, that traffic is traversing infrastructure you do not control. Consider always-on VPN or SASE architectures that force DNS resolution through monitored resolvers for any device accessing corporate resources. Complement your network visibility with endpoint DNS visibility via your EDR or Sysmon. The broader principle: if you cannot verify the integrity of the path between user and identity provider, you cannot trust the credential that path delivers.
Supporting sources:
CyberScoop: https://cyberscoop.com/forest-blizzard-apt28-routers-espionage-campaign-operation-masquerade/
Microsoft Security Blog: https://www.microsoft.com/en-us/security/blog/2026/04/07/soho-router-compromise-leads-to-dns-hijacking-and-adversary-in-the-middle-attacks/
KrebsOnSecurity: https://krebsonsecurity.com/2026/04/russia-hacked-routers-to-steal-microsoft-office-tokens/
CyberScoop: https://cyberscoop.com/fbi-operation-masquerade-russian-gru-router-takedown-brett-leatherman/
Signal 2: Iran’s IRGC-Affiliated Actors Cross From Espionage to Confirmed Disruption of U.S. Energy and Water PLCs
Why it matters: A joint CISA advisory confirmed that Iranian-affiliated cyber actors exploited programmable logic controllers across U.S. critical infrastructure in energy and water sectors, causing disruptive effects in the last month. Censys researchers identified 3,900 devices still exposed to the campaign. This is not reconnaissance or prepositioning. It is confirmed sabotage on U.S. soil.
What is being misread: The narrative frames this as an escalation driven by geopolitical tensions between the U.S. and Iran. That framing obscures the operational reality: these PLCs were directly internet-accessible, often with weak or default authentication and exposed services, and protected by little more than assumed network isolation. The attackers did not need sophisticated capabilities; they needed Shodan and patience. The architectural failure is that operators deployed industrial control devices on routable networks while implicitly trusting an isolation boundary that never really existed.
Think Red (Douglas McKee): I do not need a zero-day, and I do not need AI. I need an internet-connected PLC running default credentials, and Censys just told the world roughly 3,900 of them are still exposed. My cost of entry is a scanner and a script. My objective is not to steal data. It is to create effect: change a setpoint, open a valve, or trip a breaker. That gets headlines, creates fear, and gives my government leverage at the negotiating table. And let’s face it, these are not new problems. These are the same struggles we have had for decades: exposed systems, weak authentication, slow remediation, and defenders losing to inertia. While we keep insisting on talking about the effects of AI, attackers do not need it. The fact that these devices are still exposed weeks after a federal advisory tells me everything I need to know about the defender’s response tempo.
Act Blue (Ismael Valenzuela): The core problem is not that these PLCs have vulnerabilities. It is that they are internet-routable at all. Every OT environment that exposes control system devices to the public internet has already failed the most basic segmentation test. This week, validate every PLC, SCADA interface, and HMI against your external attack surface. Use services like Censys or Shodan to confirm what your own asset inventory claims versus what the internet can actually reach. Immediately isolate any device found exposed and enforce network segmentation using jump servers with multifactor authentication for remote OT access. But do not stop there. Default credentials remain the primary access vector in this campaign. Conduct a credential audit of every PLC and RTU in your environment, replacing factory defaults with unique, complex credentials managed through a privileged access management solution. Historical precedent from the Unitronics compromises in 2023 showed that advisories alone do not drive remediation. Track your exposed device count weekly and assign an owner for each exposed asset. The principle holds: if a control system device is reachable from the internet, it is already inside someone’s target list.
Supporting sources:
CISA: https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a
CyberScoop: https://cyberscoop.com/iranian-hackers-cyberattacks-us-energy-water-infrastructure-plc-scada-warning/
CyberScoop: https://cyberscoop.com/iran-attackers-industrial-ot-government-energy-water-censys/
Wired: https://www.wired.com/story/iran-linked-hackers-are-sabotaging-us-energy-and-water-infrastructure/
Signal 3: Amazon Bedrock AgentCore Shipped Default Permissions That Enable Full Privilege Escalation and Data Exfiltration
Why it matters: Unit 42 researchers disclosed multiple critical vulnerabilities in Amazon Bedrock AgentCore, AWS’s managed infrastructure for hosting AI agents. Default IAM roles granted agents permissions broad enough to escalate to administrative access, exfiltrate data via DNS tunneling, and escape sandbox network isolation. While the initial discovery surfaced in March, Unit 42 added more detail this week around the full implications of “Agent God Mode.” AWS patched the issues, but the design philosophy that created them, granting agents maximum privilege by default, is not unique to AWS.
What is being misread: The industry is treating these as standard cloud vulnerabilities to be patched and forgotten. The deeper issue is architectural. AI agent platforms are being designed with implicit trust in the agent’s behavior, granting broad IAM permissions because restricting them would break functionality or slow adoption. The attack surface is not a specific CVE. It is an entire class of overprivileged AI infrastructure rushing to production.
Think Red (Douglas McKee): The default IAM role gives me everything I need, enough permission to enumerate the account, escalate privileges, and exfiltrate data over DNS in a way that walks right around the sandbox’s network isolation. My entry point could be prompt injection, a poisoned tool integration, or a compromised agent configuration, but that almost stops mattering once I land in a trusted layer. And for an attacker, trusted is optimal. We have seen this movie before. It is not that different from the early days of S3 buckets, when world-readable buckets were not some clever exploit so much as the platform doing exactly what it was configured to do, just in the worst possible way. That is what makes this dangerous. It is not a vulnerability in the traditional sense. It is trust, permissions, and design working for the wrong person.
Act Blue (Ismael Valenzuela): AI agent infrastructure is moving to production faster than security teams are reviewing its trust model. The default permissions in Bedrock AgentCore were not a misconfiguration. They were the intended design, which means your standard configuration review process would not have flagged them. Immediately audit every IAM role attached to AI agent execution environments across AWS, Azure, and GCP. Apply least-privilege scoping: agents should have access only to the specific data stores and APIs they require, not broad resource enumeration permissions. But do not stop there. The DNS tunneling escape from sandbox isolation means network controls alone cannot contain a compromised agent. Deploy DNS query logging and anomaly detection for all AI workload subnets, watching specifically for high-entropy subdomain queries that signal tunneling. Treat AI agent deployments with the same rigor as any privileged service account: time-bounded credentials, just-in-time access, and continuous monitoring of API calls against a behavioral baseline. The principle is straightforward: if your AI agent has more permissions than your most restricted human administrator, your threat model is inverted.
Supporting sources:
Unit 42: https://unit42.paloaltonetworks.com/exploit-of-aws-agentcore-iam-god-mode/
Unit 42: https://unit42.paloaltonetworks.com/bypass-of-aws-sandbox-network-isolation-mode/
BeyondTrust / Phantom Labs: https://www.beyondtrust.com/blog/entry/pwning-aws-agentcore-code-interpreter
Infosecurity Magazine: https://www.infosecurity-magazine.com/news/security-flaw-aws-bedrock/
The Hacker News: https://thehackernews.com/2026/03/ai-flaws-in-amazon-bedrock-langsmith.html
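The high-entropy subdomain check recommended in the Act Blue note above, as an added example that is not from the newsletter or from Unit 42: it groups DNS queries by source and parent domain and flags groups that carry many long, high-entropy subdomains. The log layout, the thresholds, and every address and example.net / example.org name are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Assumed thresholds; tune against a baseline of your own resolver logs.
ENTROPY_MIN = 3.5   # mean bits per character across a group's subdomains
LENGTH_MIN = 24     # mean subdomain length; short labels score high by accident
UNIQUE_MIN = 5      # distinct subdomains per (source, parent domain)

# Constructed sample log for an AI workload subnet: (source_ip, qname).
SAMPLE_QUERIES = [
    ("10.0.1.15", "bedrock-runtime.us-east-1.amazonaws.com"),
    ("10.0.1.15", "s3.us-east-1.amazonaws.com"),
    ("10.0.1.15", "sts.amazonaws.com"),
    ("10.0.1.15", "api.example.org"),
    # Many distinct names, but short and structured: must not be flagged.
    ("10.0.1.20", "host01.internal.example.org"),
    ("10.0.1.20", "host02.internal.example.org"),
    ("10.0.1.20", "host03.internal.example.org"),
    ("10.0.1.20", "host04.internal.example.org"),
    ("10.0.1.20", "host05.internal.example.org"),
    ("10.0.1.20", "host06.internal.example.org"),
    # Long, random-looking labels under one parent domain from one source.
    ("10.0.2.77", "mfrggzdfmztwq2lknnwg23tpobyxe43u.example.net"),
    ("10.0.2.77", "k5xw4zdfoiqhi2dfeb3gc3tjon2gk4ts.example.net"),
    ("10.0.2.77", "nbsxe5dpn4qho33snfxgoidxnf2gqidb.example.net"),
    ("10.0.2.77", "ovzwk4ramruw4zlsebqw4zbaonugc5dt.example.net"),
    ("10.0.2.77", "mjqxgzjaon2he2lom5zsa5dpebuw45dp.example.net"),
    ("10.0.2.77", "orugs4zanfzsa5dimuqgyyltoqqgg2dv.example.net"),
]


def shannon_entropy(text):
    """Empirical Shannon entropy of a string, in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def split_qname(qname, base_labels=2):
    """Split a query name into (parent domain, subdomain part).

    Simplification: the last two labels are treated as the registrable
    domain. Production code should consult the Public Suffix List.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-base_labels:]), ".".join(labels[:-base_labels])


def find_tunneling(queries):
    """Return one finding per (source, parent) group that passes all gates."""
    seen = defaultdict(set)
    for source, qname in queries:
        parent, sub = split_qname(qname)
        if sub:
            seen[(source, parent)].add(sub)

    findings = []
    for (source, parent), subs in sorted(seen.items()):
        mean_len = sum(map(len, subs)) / len(subs)
        mean_entropy = sum(map(shannon_entropy, subs)) / len(subs)
        if (len(subs) >= UNIQUE_MIN and mean_len >= LENGTH_MIN
                and mean_entropy >= ENTROPY_MIN):
            findings.append({
                "source": source,
                "parent": parent,
                "unique_subdomains": len(subs),
                "mean_length": round(mean_len, 1),
                "mean_entropy": round(mean_entropy, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in find_tunneling(SAMPLE_QUERIES):
        print(finding)
```

Entropy alone is not enough: the short `hostNN.internal` names also exceed 3.5 bits per character, and only the length gate keeps them out of the findings.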
Signal 4: Storm-2755 Poisons Office 365 Search Results to Hijack Employee Paychecks
Why it matters: Microsoft’s DART team identified Storm-2755, a financially motivated threat actor that compromises Canadian employee accounts through SEO poisoning and adversary-in-the-middle phishing, then modifies direct deposit information to redirect salary payments to attacker-controlled accounts. The campaign exploits the trust employees place in Office 365 search results and self-service HR portals.
What is being misread: This is being categorized as a phishing problem. It is actually a business process integrity problem. The attack succeeds not because the initial credential theft is novel, but because payroll systems allow direct deposit changes without out-of-band verification. Organizations designed self-service HR portals for employee convenience, assuming that an authenticated session equals a legitimate employee. Storm-2755 exploits that assumption. The broken model is that payroll modification inherits the same trust level as reading an email.
Think Red (Douglas McKee): I can poison a search result for something routine like “update direct deposit,” and that is really all I need, because phishing is still one of the most tried-and-true methods attackers have ever had. The employee clicks, lands on my phishing page, and my AiTM proxy captures the credentials and session token. Now I am inside with a valid session, not fighting the environment but operating exactly the way the business process expects me to. From there I go to the payroll portal, change the routing number, and wait for payday. My cost of entry is a domain, a phishing kit, and some basic SEO manipulation. I do not need lateral movement, persistence, or privilege escalation. My payout is the employee’s next paycheck, and most organizations will not catch it until the employee reports missing funds days later. I am abusing a business process that treats a session cookie as proof of identity and assumes the person behind it belongs there.
Act Blue (Ismael Valenzuela): Self-service HR portals were designed for convenience, and that convenience is now the attack surface. The fact that a single authenticated session can modify banking details without additional verification is a design flaw, not a configuration gap. Immediately require out-of-band verification for any payroll modification: a phone call to a verified number, a push notification to a registered device, or an approval workflow that routes through a payroll administrator. Enforce conditional access policies that require managed devices and compliant posture for access to HR and financial systems, not just for admin portals. As I often explain in my SANS SEC530 class (https://www.sans.org/cyber-security-courses/defensible-security-architecture-and-engineering), FIDO2, and by extension, Passkeys, breaks Adversary-in-the-Middle (AiTM) attacks because it uses cryptographic origin binding, meaning the authentication credential is mathematically tied to the specific, legitimate domain of the service. But do not stop with prevention. Monitor for behavioral anomalies on payroll platforms specifically: rapid navigation from login to direct deposit modification, access from atypical geolocations, or session tokens that originate from known AiTM infrastructure. Deploy canary entries in your payroll system, fictitious employee records that should never be modified, and alert immediately on any change. The broader lesson: any business process that moves money deserves step-up authentication proportional to the financial impact, regardless of whether the user has a valid session.
Supporting sources:
Microsoft Security Blog: https://www.microsoft.com/en-us/security/blog/2026/04/09/investigating-storm-2755-payroll-pirate-attacks-targeting-canadian-employees/
Help Net Security: https://www.helpnetsecurity.com/2026/04/10/poisoned-office-365-search-results-lead-to-stolen-paychecks/
BleepingComputer: https://www.bleepingcomputer.com/news/microsoft/microsoft-canadian-employees-targeted-in-payroll-pirate-attacks/amp/
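Two of the payroll detections named in the Act Blue note above (canary records, and rapid navigation from login to a direct deposit change), as an added example that is not from the newsletter or from Microsoft. The audit-log layout, action names, employee ids and the 90-second window are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed decoy employee records that no legitimate workflow should edit.
CANARY_RECORDS = {"E-90001", "E-90002"}
# Assumed threshold for "rapid" login-to-change navigation.
RAPID_WINDOW = timedelta(seconds=90)
CHANGE_ACTIONS = {"update_direct_deposit"}

# Constructed portal audit log: (timestamp, session, actor, action, target).
SAMPLE_EVENTS = [
    ("2026-04-10T09:00:00", "s1", "E-10423", "login", None),
    ("2026-04-10T09:01:10", "s1", "E-10423", "view_paystub", "E-10423"),
    ("2026-04-10T09:03:00", "s1", "E-10423", "view_benefits", "E-10423"),
    ("2026-04-10T09:12:30", "s1", "E-10423", "update_direct_deposit", "E-10423"),
    ("2026-04-10T13:05:00", "s2", "E-20877", "login", None),
    ("2026-04-10T13:05:41", "s2", "E-20877", "update_direct_deposit", "E-20877"),
    ("2026-04-10T02:14:00", "s3", "E-30112", "login", None),
    ("2026-04-10T02:20:00", "s3", "E-30112", "view_employee", "E-90001"),
    ("2026-04-10T02:31:00", "s3", "E-30112", "update_direct_deposit", "E-90001"),
    # Session s4 started before the log window, so its login is not present.
    ("2026-04-10T15:00:00", "s4", "E-41200", "update_direct_deposit", "E-41200"),
]


def detect(events):
    """Return alerts in event-time order for the two payroll rules."""
    logins = {}   # session id -> login time
    alerts = []
    for ts, session, actor, action, target in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if action == "login":
            logins[session] = when
            continue
        if action not in CHANGE_ACTIONS:
            continue

        # Rule 1: any change to a canary record alerts, whoever made it.
        if target in CANARY_RECORDS:
            alerts.append({
                "rule": "canary_modified", "severity": "critical",
                "session": session, "actor": actor, "target": target,
            })

        # Rule 2: banking change very soon after login. Skipped when the
        # login was not observed, because the elapsed time is unknown.
        started = logins.get(session)
        if started is not None and when - started <= RAPID_WINDOW:
            alerts.append({
                "rule": "rapid_deposit_change", "severity": "high",
                "session": session, "actor": actor, "target": target,
                "seconds_after_login": int((when - started).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```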
Signal 5: Anthropic’s Project Glasswing Proves AI Can Find Decades-Old Vulnerabilities Faster Than the Industry Can Fix Them
Why it matters: Anthropic launched Project Glasswing, a restricted security initiative built on Claude Mythos Preview, a frontier model withheld from public release because of its cybersecurity capabilities. The model identified thousands of high-severity zero-day vulnerabilities across every major operating system and browser, including a 27-year-old OpenBSD flaw and a 16-year-old FFmpeg vulnerability that survived five million automated test runs. Access is limited to 50+ organizations including AWS, Apple, Microsoft, Google, and CrowdStrike, with $100 million in usage credits committed. The capability will not stay restricted forever.
What is being misread: Coverage is over-indexing on the discovery breakthrough itself, as if faster vulnerability discovery automatically makes defenders safer. That misses the more important operational signal. For most organizations, the real bottleneck is not finding more flaws. It is everything that happens after discovery, including understanding which findings actually matter, tying them to exposed assets and reachable attack paths, assigning ownership, executing remediation, handling exceptions, and proving that risk was materially reduced. Project Glasswing matters less because it found impressive bugs and more because it highlights how quickly weak vulnerability reporting and patch management workflows could become overwhelmed if AI starts producing validated findings at a much higher rate. The story is not that AI found bugs. The story is that many security programs are not built to absorb what comes next.
Think Red (Douglas McKee): As an attacker, the vulnerability discovery capability is not what excites me. What excites me is the asymmetry it creates. When defenders receive ten times the findings or ten times the patch volume at ten times the speed, they do what they always do. They triage by CVSS, stack the work in a queue, and argue about patch windows. Meanwhile, I only need the one vulnerability you missed or delayed patching. Project Glasswing just proved that the remediation pipeline will break under load before the discovery engine runs out of bugs. My advantage is not that I find things first. My advantage is that your organization cannot remediate at the speed discovery now demands.
Act Blue (Ismael Valenzuela): The organizations that will benefit from AI-accelerated discovery are not the ones with the biggest vulnerability scanners. They are the ones whose remediation pipelines can absorb the volume. Before Glasswing-class capabilities become broadly available, audit your vulnerability management workflow end-to-end: from finding intake through asset ownership, exploitability analysis, patching, exception handling, and validation that the fix actually reduced reachable exposure. Identify where the queue stalls today, because that stall point will become a failure point at higher throughput. But do not stop there. Shift from queue-depth prioritization to exposure-led models that connect findings to internet-facing assets, identity paths, and existing detection coverage. Pre-authorize automated patching for critical findings on internet-exposed assets, because the time between AI-assisted discovery and adversarial exploitation of the same class of bug will compress to days, hours or even minutes, not quarters. The principle: if you cannot prove that a remediation action reduced reachable risk, you have not patched anything. You have just moved an item from one list to another.
Supporting sources:
Anthropic: https://www.anthropic.com/glasswing
Rapid7: https://www.rapid7.com/blog/post/ai-what-project-glasswing-means-for-security-leaders/
The Hacker News: https://thehackernews.com/2026/04/anthropics-claude-mythos-finds.html
MEME OF THE WEEK
This week in cyber, the scary AI story was not the one stealing your credentials
ROLE-BASED TAKEAWAYS
Executive / CISO / Board Level
Forest Blizzard’s router campaign demonstrates that your enterprise credential security now depends on the home network hygiene of every remote employee. Brief the board that adversary-in-the-middle attacks on residential infrastructure can bypass non-phishing-resistant MFA and even conditional access if not implemented correctly. Quantify the percentage of your workforce accessing corporate resources from unmanaged networks, and present a timeline for deploying device-bound session credentials or always-on VPN.
Iran’s confirmed disruption of U.S. energy means OT exposure is now an active liability, not a theoretical risk. If your organization operates industrial controls, request an external attack surface scan this week. Confirmed physical effects from IRGC-affiliated actors change the conversation from “we should plan to segment” to “we are in breach of reasonable care if we do not.”
The legal and reputational exposure from redirected paychecks is the real business risk, not just the dollars lost. Based on Storm-2755’s recent payroll hijacking campaign, direct your CHRO and CISO to jointly audit what financial changes an authenticated employee session can make without additional verification.
Project Glasswing signals that AI-accelerated vulnerability discovery will overwhelm current remediation capacity. Ask your vulnerability management team a simple question: if patching volume doubled tomorrow, what breaks first? Fund the answer before the capability spreads beyond Anthropic’s restricted access program.
Enterprise Architect
Design Principle Impact: Transport integrity cannot be assumed for remote authentication flows. Forest Blizzard’s DNS hijacking means that token security depends on path integrity between device and identity provider. Architect solutions that bind session credentials to device hardware (DBSC, certificate-based auth) rather than relying on bearer tokens that remain valid regardless of where they were intercepted.
New Constraint: AI agent platforms require IAM scoping before production, not after. The Bedrock AgentCore findings establish that managed AI services may ship with permissions that exceed what any human role would receive. Add mandatory IAM review gates for all AI agent deployments, treating agent execution roles as privileged service accounts subject to least-privilege enforcement and continuous access certification.
New Constraint: Remediation pipelines must be designed for throughput, not queue depth. Project Glasswing demonstrates that vulnerability discovery will accelerate faster than human-gated fix cycles. Architect remediation workflows around exposure-led prioritization, automated patching for internet-facing assets, and closed-loop validation that confirms fixes reduced reachable risk.
Security Operations
Implementation Watch Item: Monitor DNS configuration changes on all SOHO routers in your asset inventory. If you do not have visibility into remote employee home network equipment, deploy network detection rules for Microsoft authentication flows that originate from unexpected DNS resolvers or exhibit certificate mismatches.
Common Failure Mode: Organizations deploy conditional access policies that enforce device compliance but do not validate DNS resolution integrity. An attacker who controls DNS can present legitimate-looking certificate chains to managed devices that still satisfy compliance checks.
Monitoring Patterns: Build detections around business process abuse, not just login anomalies. A valid employee session that changes routing information, suppresses notifications, and exits without other normal portal activity should be treated as a likely account takeover with financial intent.
Signal vs Noise Guidance: A single DNS change on one router is noise. Multiple routers in your remote workforce resolving Microsoft authentication endpoints to non-Microsoft IPs within the same week is a signal. For OT environments, any external scan that reveals a PLC responding on a public IP is an immediate, zero-false-positive finding.
Take the adversary by surprise: Seed your external attack surface with decoy OT services and non-production PLC interfaces that appear real enough to attract scanning and login attempts. Adversaries hunting for exposed control systems expect passive targets, not instrumented traps that give you early warning the moment they start enumerating your environment.
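The "Signal vs Noise Guidance" rule above (one router is noise, several routers resolving Microsoft authentication endpoints to unexpected IPs in the same week is a signal), as an added example that is not from the newsletter or from Microsoft. The telemetry layout, router ids, threshold and all IP addresses are constructed; `198.51.100.0/24` is a documentation range standing in for the identity provider's published address ranges, which a real deployment would load instead.

```python
import ipaddress
from datetime import datetime, timedelta

# Authentication hostnames to watch in endpoint DNS telemetry.
WATCHED_NAMES = {"login.microsoftonline.com"}
# Placeholder allowlist (assumption): replace with the provider's real ranges.
EXPECTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed telemetry: (timestamp, home_router_id, qname, answer_ip).
SAMPLE_RECORDS = [
    ("2026-03-20T19:40:00", "rtr-E", "login.microsoftonline.com", "203.0.113.99"),
    ("2026-04-06T08:02:00", "rtr-A", "login.microsoftonline.com", "198.51.100.10"),
    ("2026-04-07T08:12:00", "rtr-B", "login.microsoftonline.com", "203.0.113.50"),
    ("2026-04-08T09:30:00", "rtr-C", "login.microsoftonline.com", "203.0.113.50"),
    ("2026-04-08T09:31:00", "rtr-C", "www.example.com", "203.0.113.7"),
    ("2026-04-09T08:05:00", "rtr-A", "login.microsoftonline.com", "198.51.100.11"),
    ("2026-04-10T07:55:00", "rtr-D", "login.microsoftonline.com", "203.0.113.51"),
]


def find_mismatches(records):
    """Return (time, router, answer) for watched names resolved off-allowlist."""
    out = []
    for ts, router, qname, answer in records:
        if qname.rstrip(".").lower() not in WATCHED_NAMES:
            continue
        ip = ipaddress.ip_address(answer)
        if not any(ip in net for net in EXPECTED_NETS):
            out.append((datetime.fromisoformat(ts), router, answer))
    return sorted(out)


def correlate(records, threshold=3, window=timedelta(days=7)):
    """Alert when `threshold` distinct routers mismatch inside one window."""
    hits = find_mismatches(records)
    alerts, i = [], 0
    while i < len(hits):
        start = hits[i][0]
        in_window = [h for h in hits[i:] if h[0] < start + window]
        routers = sorted({h[1] for h in in_window})
        if len(routers) >= threshold:
            alerts.append({
                "window_start": start.date().isoformat(),
                "routers": routers,
                "answers": sorted({h[2] for h in in_window}),
            })
            i += len(in_window)   # do not re-alert on the same hits
        else:
            i += 1                # isolated mismatch: keep as noise
    return alerts


if __name__ == "__main__":
    print(correlate(SAMPLE_RECORDS))
```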
See you next Monday!
The Monday Brief is produced by Douglas McKee and Ismael Valenzuela. The opinions expressed are our own and do not reflect those of our employers.


