Massive Email Spoofing Attack Enabled by DNS Misconfiguration and MikroTik Router Hijack

A large-scale cyberattack has been uncovered. It was enabled by DNS misconfigurations across global networks: over 13,000 MikroTik routers were hijacked and used in a botnet-powered email spoofing campaign.

Exploited DNS Misconfiguration

The root of the attack was misconfigured SPF (Sender Policy Framework) records. Many domains used the “+all” directive, a setting that allows any server to send email on behalf of the domain.

This misconfiguration made email spoofing possible: malicious emails were sent from trusted sender addresses, and spam filters did not detect the spoofed messages.

The botnet targeted MikroTik routers globally. Once compromised, the routers were reconfigured as SOCKS proxies, which were then used to disguise the origin of the spoofed messages.

The attackers abused public-facing router interfaces on devices that had not been patched; outdated firmware left these routers vulnerable.

Delivery of Malicious Payloads

The emails contained attachments or links. Once opened, PowerShell commands ran in the background and silently downloaded malware, infecting systems without the user's awareness.

Data was exfiltrated from the compromised machines. In some cases remote access tools were installed, giving the attackers long-term persistence.

Several well-known company domains were impersonated, and victims believed the emails were legitimate. This abuse of trust, together with fake branding, increased open and click-through rates.

This method helped the attackers bypass email security systems. Victims included both businesses and individuals.

Security Recommendations Issued

Experts have warned organizations about poor DNS hygiene: SPF, DKIM, and DMARC records should be properly configured, the “+all” directive must never be used, and DNS entries should be validated regularly.
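The SPF weakness described above (a record ending in "+all") and the recommendation to validate DNS entries regularly can be checked mechanically. The following is an added example, not code from the article or from any of the parties it describes; the two SPF records are constructed samples, and the domain names and IP ranges in them are placeholders.

```python
import re

# Constructed sample SPF TXT records (not taken from the article). The first
# reproduces the "+all" misconfiguration; the second is the corrected form.
WEAK_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 +all"
FIXED_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"

# How each qualifier on the "all" mechanism affects unlisted senders.
ALL_RISK = {"+": "critical", "?": "high", "~": "soft", "-": "ok"}


def parse_spf(record: str):
    """Split an SPF TXT record into (qualifier, mechanism) pairs.

    Returns None when the string is not an SPF record. Modifiers such as
    redirect= and exp= are skipped; a missing qualifier defaults to "+".
    """
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        if "=" in term:
            continue  # modifier, not a mechanism
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        parsed.append((qualifier, term.lower()))
    return parsed


def assess_spf(record: str) -> dict:
    """Report the catch-all posture of a record: who may send as the domain."""
    parsed = parse_spf(record)
    if parsed is None:
        return {"valid": False, "risk": "no-spf", "all": None}
    # Per RFC 7208 the first "all" mechanism terminates evaluation.
    all_terms = [q for q, m in parsed if m == "all"]
    if not all_terms:
        return {"valid": True, "risk": "no-all", "all": None}
    return {"valid": True, "risk": ALL_RISK[all_terms[0]], "all": all_terms[0]}


def harden_spf(record: str) -> str:
    """Rewrite a "+all", "?all" or bare "all" term as "-all" (hard fail)."""
    return re.sub(r"(?<!\S)[+?]?all(?!\S)", "-all", record.strip(), count=1)


if __name__ == "__main__":
    for rec in (WEAK_SPF, FIXED_SPF):
        print(assess_spf(rec)["risk"], "->", harden_spf(rec))
```

Run the check against each domain's TXT records on a schedule; anything rated "critical" or "high" is the exposure the article warns about.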

MikroTik routers must be updated with the latest firmware, access should be limited, default credentials must be changed, and external interfaces should be secured.

Ongoing monitoring has been advised. DNS logs should be reviewed for signs of abuse.

This attack has exposed the critical role of DNS security. Botnets are increasingly exploiting overlooked network configurations. Email spoofing remains a top cyber threat in 2025.

The campaign has shown how a simple DNS misconfiguration can be weaponized at scale. Multiple countries have been affected. The damage from data theft and phishing continues to spread.

Published September 22nd, 2025 | Cybersecurity, Data Breach, Exploitation, Malware, phishing, Tips

About the Author:

FirstHackersNews- Identifies Security
