Outlook Router DNS Hijack Warning: Remote Worker Checklist

NCSC says APT28 redirected Outlook-related traffic through compromised routers. Here is the remote-worker checklist for home-office users.

By Modern Signal. Updated Jun 11, 2026.

Last updated June 11, 2026. Source check: the UK’s National Cyber Security Centre alert published on April 7, 2026, related NCSC mitigation guidance, and Microsoft’s Microsoft 365 Apps update documentation were reviewed for this draft on the date above.

Many remote workers focus on account security at the laptop, browser, or identity-provider layer.

The NCSC’s latest APT28 alert is a reminder that the trust boundary can fail before the traffic ever reaches your work device.

On April 7, 2026, the NCSC said APT28 had been exploiting vulnerable small-office and home-office routers to overwrite DHCP/DNS settings and redirect traffic through attacker-controlled DNS servers. The agency says the resulting adversary-in-the-middle attacks can harvest passwords, OAuth tokens, and other credentials for web and email services.

The NCSC says the following domains were targeted for redirection to adversary-in-the-middle infrastructure:

  • autodiscover-s.outlook.com
  • imap-mail.outlook.com
  • outlook.live.com
  • outlook.office.com
  • outlook.office365.com

That list does not prove every Outlook or Microsoft 365 user was targeted. It does show that a home-office email workflow can sit directly inside the actor’s interest area once the router layer is compromised.

Why a router problem becomes an account problem

The NCSC says downstream devices inherit the malicious DNS settings from the router.

That means:

  • your work laptop can inherit the problem
  • your personal phone can inherit the problem
  • shared household devices can inherit the problem

So even if your employer manages the laptop well, the home network can still be the part that quietly reroutes traffic first.

The remote-worker checklist

1. Do not assume the laptop is the only trust boundary

If you work from home and use:

  • Outlook
  • Microsoft 365
  • Exchange-backed mail
  • a shared household router

then router health is part of your workspace security posture.

This does not mean your employer is responsible for your home router. It does mean the router belongs in the same risk conversation as the work device.

2. Check the home router before blaming Outlook

The NCSC says the actor changed DHCP/DNS settings on compromised routers.

So if you see strange mail behavior, the first useful question is not only “What changed in Outlook?” It is also:

  • what router model is in use
  • whether it is current or legacy hardware
  • whether remote management is exposed
  • whether DNS settings look unfamiliar

If the router is old, poorly documented, or obviously unsupported, that is not background detail. It is part of the risk story.
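
One way to check whether the DNS settings a device inherited look unfamiliar. This is an added example, not code from the NCSC or from this article's sources. It reads the text of `ipconfig /all` or `/etc/resolv.conf` and sorts each resolver into a bucket. The sample text, the EXPECTED_PUBLIC allowlist and the function names are assumptions to adapt to your own setup.

```python
import ipaddress
import re

# Constructed sample: `ipconfig /all` excerpt; 203.0.113.53 is a placeholder.
IPCONFIG_SAMPLE = """\
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       1.1.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
# Constructed sample: /etc/resolv.conf from a second device.
RESOLV_SAMPLE = "search lan\nnameserver 192.168.1.1\nnameserver 127.0.0.53\n"

# Assumption: public resolvers this household configured on purpose.
EXPECTED_PUBLIC = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]
DNS_LINE = re.compile(r"^(?:nameserver\s+|DNS Servers[ .]*:\s*)(\S+)$", re.I)

def parse_ip(token):
    try:
        return ipaddress.ip_address(token.split("%")[0])  # drop IPv6 zone id
    except ValueError:
        return None

def inherited_resolvers(text):
    """Pull DNS server addresses out of resolv.conf or `ipconfig /all` text."""
    found, in_dns_block = [], False
    for line in text.splitlines():
        stripped = line.strip()
        match = DNS_LINE.match(stripped)
        # ipconfig lists extra servers as bare addresses on the lines after.
        token = match.group(1) if match else (stripped if in_dns_block else "")
        ip = parse_ip(token)
        in_dns_block = ip is not None
        if ip is not None and ip not in found:
            found.append(ip)
    return found

def classify(ip, expected_public=EXPECTED_PUBLIC):
    if ip.is_loopback:
        return "stub"        # local forwarder; its upstream needs checking
    if any(ip in net for net in LAN_NETS):
        return "lan"         # router answers; check DNS on its admin page
    return "expected" if str(ip) in expected_public else "unfamiliar"

def review_resolvers(text):
    """Map each inherited resolver to stub / lan / expected / unfamiliar."""
    return {str(ip): classify(ip) for ip in inherited_resolvers(text)}
```

A "lan" verdict does not clear the router: it only means the device asks the router, so the upstream DNS servers still have to be read off the router's own admin page.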

3. Treat MFA and 2-step verification as a high-priority baseline control

The NCSC explicitly recommends multi-factor authentication, 2-step verification, and 2-factor authentication to reduce the impact of stolen passwords.

That does not fix the router. It does reduce the chance that a stolen password alone turns into immediate account takeover.

If you control a small team, it is worth verifying that:

  • MFA is enabled for every mailbox that matters
  • privileged accounts have stronger protection than ordinary users
  • people are not still exempted “temporarily”

4. Keep the productivity stack updated too

The NCSC’s mitigation section does not stop at the router. It also says to keep operating systems and productivity apps up to date, noting that Office 365 licensing can use Click-to-Run for seamless updates. Microsoft’s own Microsoft 365 Apps update documentation says the update process can automatically detect, download, and apply updates when devices are configured to use the Office CDN or another admin-defined update source.

That is useful because remote workers often split the problem into:

  • network issue
  • app issue
  • account issue

In practice, the safe move is to reduce risk across all three layers.

5. Do not casually click through weird sign-in behavior

This next point is practical editorial judgment based on the NCSC’s adversary-in-the-middle description.

If Outlook-related sites or Microsoft sign-in flows suddenly behave oddly, repeat login prompts, or surface certificate trouble you did not expect, do not treat that as ordinary annoyance and click through automatically.

That is not proof of compromise. It is a good reason to slow down and verify the network path.

6. Tell people what to report

The NCSC says people should be treated as the first line of defence and that suspicious activity should be reported promptly.

For a solo remote worker, that means having a rule for yourself.

For a small team, that means saying out loud what counts as worth escalating:

  • repeated unexpected sign-in prompts
  • unexplained Outlook connection weirdness
  • sudden router admin changes
  • strange DNS or certificate behavior

Security controls help more when users know what to flag early.

What this alert does and does not mean

This alert does not mean:

  • every Microsoft 365 account is already compromised
  • a managed laptop makes the router irrelevant
  • MFA alone solves the network problem

It does mean remote workers have reason to treat the home router as part of their work-identity risk surface, not only as a separate consumer gadget.

If your mailbox, cloud files, or sign-in tokens ride over that router every day, its support status and configuration are part of your workspace risk.

Frequently asked questions

Does MFA solve the router hijack problem by itself?
No. MFA reduces the value of a stolen password, but it does not repair a compromised router or clean up altered DNS settings. You still need to check the network layer.

Is this only about Outlook.com consumer mail?
No. The NCSC's targeted list includes outlook.live.com, outlook.office.com, and outlook.office365.com, plus related Outlook service domains.

If my employer manages my laptop, can I ignore the home router?
No. The NCSC says downstream devices inherit the router's DNS settings. A managed laptop can still be routed through a bad network path if the home router is the weak point.

Last updated June 11, 2026. This article summarizes the NCSC alert above and adds clearly labeled editorial judgment where practical user behavior is inferred from that alert. It is not incident-response, legal, compliance, or tenant-specific security advice. Re-check the live NCSC alert, your organization’s Microsoft 365 policies, and Microsoft’s current update guidance before acting because advisories and operational details can change. If your organization suspects active compromise, use its security team and provider recovery procedures rather than a content guide as a response plan. See our editorial policy for methodology and corrections.
