What do you do when a device designed to keep a factory online becomes the messenger for a scam? That question now faces operators across Europe after cybersecurity researchers revealed unknown actors have been abusing Milesight routers to send phishing SMS messages — a low-tech delivery for a high-stakes con. The shift isn’t in the scam itself but in the route attackers use to reach victims: trusted industrial connectivity equipment repurposed as a smishing relay.
Milesight routers exploited to send phishing SMS
French threat-intelligence firm SEKOIA reports that since at least February 2022, adversaries have been targeting industrial cellular routers made by Milesight, leveraging the devices’ API to dispatch malicious SMS messages containing phishing URLs. The activity, documented in SEKOIA’s analysis and summarized by The Hacker News, has mainly affected recipients in Sweden and Italy, though the technique could be used anywhere organizations deploy these industrial routers.
Smishing — SMS-based phishing — is familiar to security teams, but using industrial routers as the sending platform is a significant escalation. Rather than spoofing telecom short codes or breaking carrier infrastructure, attackers are finding exposed routers with cellular capabilities, authenticating (often via weak or unchanged credentials), and invoking the built-in SMS-sending API to broadcast phishing links. Messages appear to come from legitimate phone numbers associated with field equipment, increasing the chance recipients will trust and click the links.
SEKOIA’s findings map a straightforward attack chain: discovery of exposed devices, authentication using default or weak credentials, invocation of the SMS API, and distribution of malicious URLs designed to harvest credentials or deliver malware. The campaign has run intermittently since early 2022, indicating persistence and some operational success for the attackers.
Why this matters
The implications go well beyond nuisance texts. SMS remains a common path to credential theft, account takeover, and fraud. Phishing URLs can mimic banks, courier services, or internal portals to capture passwords and one-time codes. When those messages appear to originate from infrastructure devices, recipients are less likely to be suspicious — especially in industrial environments where automated alerts and delivery notices are expected.
For organizations that depend on cellular routers to connect remote sites and IoT deployments, an exploited router can signal broader security gaps: poor device hygiene, insufficient asset visibility, or weak segmentation between operational technology (OT) and corporate networks. An attacker who can control an edge device may not only use it to send phishing SMS but also pivot deeper into networks or disrupt operations.
Practical mitigations
Security teams and device owners can take concrete steps to reduce risk:
– Patch and update firmware promptly when vendors release fixes.
– Change all default credentials and enforce strong authentication for management interfaces.
– Disable unused services — if the SMS API isn’t required, turn it off.
– Segment networks to isolate management interfaces and OT devices from general-purpose networks and corporate systems.
– Monitor outbound SMS traffic from enterprise SIMs for spikes or unusual patterns that could indicate abuse.
– Maintain an accurate inventory of connected devices with remote access and review exposure to the public internet.
These are practical, achievable controls. They require discipline and visibility, however — two areas where industrial environments often fall short.
Policy and procurement: raising the baseline
Beyond operational fixes, policymakers and procurement officers have levers to improve resilience. Industrial vendors whose devices support critical infrastructure should adopt secure-by-default settings, deliver timely firmware updates, and provide deployment-specific security guidance. Minimum security standards in procurement contracts — such as required secure defaults, vulnerability disclosure policies, and support lifecycles — can force better vendor behavior. Regulators in several jurisdictions are already moving toward baseline protections for connected devices; attacks that weaponize edge equipment for smishing campaigns strengthen the case for mandatory requirements.
Advice for users and admins
From an end-user standpoint — whether you’re an employee in Sweden who receives a suspicious delivery notice or a network administrator managing dozens of remote routers — basic hygiene still applies. Treat unexpected links with skepticism, verify unusual messages through separate channels, and press IT to keep strict inventories and harden devices at the network edge. Administrators should assume that convenience-focused features like SMS services might be unnecessary and should disable any functionality not explicitly required for operations.
The attacker’s perspective and wider lessons
Adversaries gravitate to tools that are cheap, effective, and low-effort. Compromising misconfigured routers to send smishing campaigns fits that profile: low operational cost, plausible message provenance, and potentially high returns if recipients hand over credentials or load exploit pages. That said, the attack doesn’t work everywhere — many deployments never enable SMS features, and organizations can mitigate risk by turning unused functions off. The bigger problem is systemic: connectivity and convenience often outpace security, and when endpoints lack robust defaults, those endpoints become weapons for criminals.
Conclusion: securing the edge against smishing via Milesight routers
As defenders patch firmware, rotate credentials, and tighten segmentation, the critical question remains whether vendors and operators will make edge devices resilient by default. Until that happens, cybercriminals will continue to treat essential infrastructure — including Milesight routers — as delivery channels for scams. The trajectory of the next wave of smishing campaigns will depend largely on whether security practices and procurement standards evolve fast enough to deny attackers this convenient and credible vector.




