
Microsoft 365 and Entra ID are implicated in a GRU-affiliated Forest Blizzard (APT28) adversary-in-the-middle campaign that compromised over 18,000 SOHO and home routers to intercept OAuth authentication traffic and steal session tokens, affecting more than 200 organizations across government, energy, and IT sectors. No CVE is assigned; the attack exploited router misconfigurations and the absence of phishing-resistant MFA rather than a software defect in Microsoft products. Immediate actions include auditing Entra ID sign-in logs for anomalous OAuth token grants, revoking refresh tokens for potentially affected accounts, and accelerating deployment of FIDO2/hardware-key MFA with Entra ID Conditional Access and Continuous Access Evaluation enforcement.
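One way to start the sign-in log audit recommended above, as an added example that is not from the original brief or from Microsoft: it flags successful non-interactive (token-based) sign-ins from an IP address the same user never signed in from interactively within a lookback window. The heuristic, the function name, the 7-day window and the sample records are assumptions; the field names follow the Microsoft Graph `signIn` resource, and the export is assumed to contain both interactive and non-interactive events.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). IPs are RFC 5737 documentation ranges.
SAMPLE = json.loads("""[
 {"userPrincipalName":"alice@example.com","createdDateTime":"2025-01-10T08:00:00Z",
  "ipAddress":"192.0.2.10","isInteractive":true,"status":{"errorCode":0}},
 {"userPrincipalName":"alice@example.com","createdDateTime":"2025-01-10T08:30:00Z",
  "ipAddress":"192.0.2.10","isInteractive":false,"status":{"errorCode":0}},
 {"userPrincipalName":"alice@example.com","createdDateTime":"2025-01-10T08:45:00Z",
  "ipAddress":"203.0.113.77","isInteractive":false,"status":{"errorCode":0}},
 {"userPrincipalName":"bob@example.com","createdDateTime":"2025-01-10T09:00:00Z",
  "ipAddress":"198.51.100.5","isInteractive":true,"status":{"errorCode":0}},
 {"userPrincipalName":"bob@example.com","createdDateTime":"2025-01-10T09:10:00Z",
  "ipAddress":"203.0.113.77","isInteractive":false,"status":{"errorCode":50173}}
]""")

def parse_ts(value):
    # Graph timestamps are ISO 8601 UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def flag_token_use_from_unseen_ip(records, lookback=timedelta(days=7)):
    """Return (user, ip, time) for each successful non-interactive sign-in whose
    source IP has no matching successful interactive sign-in by that user
    inside the lookback window (hypothetical heuristic, tune before use)."""
    ok = [r for r in records if r["status"]["errorCode"] == 0]
    interactive = defaultdict(list)  # user -> [(timestamp, ip)]
    for r in ok:
        if r["isInteractive"]:
            user = r["userPrincipalName"].lower()
            interactive[user].append((parse_ts(r["createdDateTime"]), r["ipAddress"]))
    findings = []
    for r in sorted(ok, key=lambda rec: parse_ts(rec["createdDateTime"])):
        if r["isInteractive"]:
            continue
        user, when = r["userPrincipalName"].lower(), parse_ts(r["createdDateTime"])
        known = {ip for ts, ip in interactive[user] if when - lookback <= ts <= when}
        if r["ipAddress"] not in known:
            findings.append((user, r["ipAddress"], r["createdDateTime"]))
    return findings

if __name__ == "__main__":
    for user, ip, when in flag_token_use_from_unseen_ip(SAMPLE):
        print(f"review: {user} token use from unseen IP {ip} at {when}")
```

Hits are leads for review rather than confirmed compromise, since VPNs and mobile networks also change source IPs between interactive sign-in and token refresh.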

Author

Tech Jacks Solutions