Microsoft just released their annual Microsoft Digital Defense Report (MDDR), and as I do each year, I wanted to cherry-pick a few of the most interesting findings to help you be more aware of the broad worldwide threat landscape. The full report is well worth reading, and I encourage you to do so. But first, let’s survey what’s in it.
Microsoft’s top 10 Recommendations
For fun, I will list below the top 10 recommendations in the report’s executive summary. See how many are applicable to you, and then think about how many of them are things you are already doing. Their priorities are an interesting mix of practical do-it-now items and softer, longer-term efforts that we might call “influence operations” in another context. We’ll come back to a few of these later.
- Manage cyber risk at the boardroom level
- Prioritize protecting identities
- Invest in people, not just tools
- Defend your perimeter
- Know your weaknesses and pre-plan for breach
- Map and monitor cloud assets
- Build and train for resiliency
- Participate in intelligence sharing
- Prepare for regulatory changes
- Start AI and quantum risk planning now
Same Attackers…
It’s not at all surprising that we see the same set of nation-state attackers getting attention in Microsoft’s report.
China’s attacks are broad and at scale, mostly targeting IT and telecommunications providers, government agencies, military and defense, and NGOs across the United States, Asia, North Africa, and Latin America. Interestingly, Chinese state actors are increasingly working through non-government organizations, including private companies, to conduct vulnerability research, create custom malware, and provide covert networks.
Iranian state actors are mostly continuing to target their historic adversaries in the Middle East, Europe, and North America, and they seem to be collaborating more with each other. Although they continue to carry out destructive attacks, Microsoft says they’re also getting better at stealing data (including persistent targeted exfiltration against shipping and logistics providers). More worryingly, they are stepping up the number of attacks that use cloud infrastructure (including Azure) for command and control, persistence, and exfiltration.
Russia is still in the game, of course, and although they are mostly targeting Ukrainian assets, there’s some evidence that they are also mounting physical attacks against cyber and other infrastructure targets in Western Europe and the US. (Note that Microsoft didn’t mention these physical attacks in the MDDR.)
And, rounding out the list, we have North Korea, which has had remarkable success sneaking remote workers into unwitting companies. The pay for these jobs helps power their economy, but the same workers have also been remarkably effective at stealing data and carrying out extortion and sabotage attacks.
…But Different Attacks
Attackers have the same three basic plays after they break in: steal data, destroy it, or use it as leverage in some way. What has changed is the mix of tactics, techniques, and motivations behind those plays.
One noteworthy change is that Microsoft reports that 52% of cyberattacks with known motives were driven by extortion or ransomware, while only 4% were for espionage. Obviously, we don’t know the reason behind many attacks, but the trend is pretty interesting.
Another change is that 39% of the identity-based attacks Microsoft saw were targeted at research and academic targets. Microsoft claims, and it’s plausible, that this is because academic and research targets are easier to attack and let attackers improve their skills before moving on to more difficult targets.
Identity-based attacks continue to make up a huge percentage of the attacks that Microsoft blocks. Of the 15.9 billion account creation requests Microsoft saw in the first half of 2025, more than 90% came from bots; the author’s rough figure is nearly 2 million fake signup requests blocked per hour, which is absolutely bonkers. Because bulk account creation is being blocked, attackers are focusing more often on existing service accounts and credentials, which often combine elevated privileges with weak security controls (no MFA, no rotation, nobody watching the sign-in logs).
Perhaps the most worrisome trend I saw is that Microsoft said that 40% of ransomware attacks now target hybrid environments (on-premises systems joined to cloud identity and workloads), up from less than 5% in 2023. They also report a stunning 87% increase in attacks intended to disrupt or destroy data in Azure customer tenants.
So what should you do?
I listed Microsoft’s top 10 recommendations above, but it won’t surprise you that most of them are sort of vague, eat-your-vegetables things that don’t prescribe specific actions. And there’s nothing you can individually do about some of the biggest threats, like the bot-driven fake account signups I mentioned earlier; solving those is Microsoft’s problem.
Here are some things you can do, drawn from Microsoft’s recommendations:
- Improve your patch management. 18% of attacks target perimeter-facing web services, and a further 12% target other Internet-facing services. Exploitation of unpatched software and password sprays against exposed logins are the crude attacks that succeed here. Make sure you’re patching all your systems, especially those exposed to the Internet, in a timely manner, and treat an exposed service you can’t patch as one to remove.
- Microsoft reports that 97% of all identity-based attacks are either password sprays or brute-force attacks. Any enforced MFA stops a guessed password from being enough to sign in; phishing-resistant MFA (FIDO2/passkeys or certificate-based authentication) also defeats the adversary-in-the-middle phishing that captures push approvals and one-time codes. Apply and enforce it everywhere you can, and block legacy authentication protocols that don’t prompt for MFA at all, since a spray will find them.
- Inventory every cloud workload, exposed API, and identity that you have, service accounts included. Eliminate any that you don’t need or can’t secure. For those that survive this process, ensure that they have only the minimal permissions required, and review that scope periodically rather than once.
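Since nearly all identity attacks are sprays or brute force, the sign-in log is where you catch them, and the two look different: a spray touches many accounts with one or two passwords each, while brute force hammers one account. The detector below is an added example written for this post, not code from the MDDR or from Microsoft. It runs over constructed sign-in records shaped like Entra ID entries; the field layout, thresholds, and the result-code meanings (50126 bad password, 50053 locked out, 50076 password accepted but MFA required) are assumptions for the example.

```python
"""Classify failed sign-in bursts as password spray or brute force.

Added example for this post; the log records are constructed, not real.
Result codes follow Entra ID conventions but are assumed here:
50126 = invalid credentials, 50053 = account locked,
50076 = password accepted but MFA required, 0 = success.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

INVALID_CREDS = {"50126", "50053"}
PASSWORD_CORRECT = {"50076", "0"}

WINDOW = timedelta(minutes=60)   # fixed window anchored at an IP's first failure
SPRAY_MIN_USERS = 10             # distinct accounts tried from one source IP
SPRAY_MAX_PER_USER = 3           # a spray tries only a few passwords per account
BRUTE_MIN_ATTEMPTS = 20          # one account, many passwords


def make_sample_log():
    """Constructed records: (timestamp, userPrincipalName, source IP, result code)."""
    base = datetime(2025, 6, 1, 2, 0, 0)
    log = []
    # Spray: one IP tries a single password against 30 accounts, two minutes apart.
    for i in range(30):
        log.append((base + timedelta(minutes=2 * i),
                    f"user{i:02d}@corp.example", "203.0.113.5", "50126"))
    # The spray guesses user17's password; MFA stops the sign-in (code 50076).
    log.append((base + timedelta(minutes=34, seconds=30),
                "user17@corp.example", "203.0.113.5", "50076"))
    # Brute force: one IP tries 25 passwords against a service account.
    for i in range(25):
        log.append((base + timedelta(seconds=20 * i),
                    "svc-backup@corp.example", "198.51.100.9", "50126"))
    # Benign noise: a user mistypes twice and then succeeds.
    log.append((base, "alice@corp.example", "192.0.2.44", "50126"))
    log.append((base + timedelta(seconds=30), "alice@corp.example", "192.0.2.44", "50126"))
    log.append((base + timedelta(seconds=60), "alice@corp.example", "192.0.2.44", "0"))
    return log


def detect(log):
    """Return {"spray": [...], "brute_force": [...]} findings per source IP.

    Failures are grouped by source IP inside one fixed window. Many distinct
    accounts with few attempts each is reported as a spray, together with any
    accounts whose password that IP got right (MFA prompt or success), since
    those passwords must now be rotated. One account with many attempts is
    reported as brute force. An IP can trigger both.
    """
    by_ip = defaultdict(list)
    for ts, user, ip, code in sorted(log):
        by_ip[ip].append((ts, user, code))

    findings = {"spray": [], "brute_force": []}
    for ip, events in by_ip.items():
        fails = [(ts, u) for ts, u, code in events if code in INVALID_CREDS]
        if not fails:
            continue
        start = fails[0][0]
        per_user = defaultdict(int)
        for ts, u in fails:
            if ts - start <= WINDOW:
                per_user[u] += 1
        if len(per_user) >= SPRAY_MIN_USERS and max(per_user.values()) <= SPRAY_MAX_PER_USER:
            accepted = sorted({u for _, u, code in events if code in PASSWORD_CORRECT})
            findings["spray"].append({"ip": ip,
                                      "accounts_targeted": len(per_user),
                                      "password_accepted_for": accepted})
        for u, n in per_user.items():
            if n >= BRUTE_MIN_ATTEMPTS:
                findings["brute_force"].append({"ip": ip, "account": u, "attempts": n})
    return findings


if __name__ == "__main__":
    print(json.dumps(detect(make_sample_log()), indent=2))
```

On the constructed data this flags 203.0.113.5 as a spray across 30 accounts with user17’s password now known to the attacker, and 198.51.100.9 as brute force against svc-backup; alice’s two typos trip nothing. Two caveats matter in production: the window is anchored at an IP’s first failure rather than sliding, and a low-and-slow spray that rotates source IPs will stay under the per-IP threshold, so also count distinct accounts failing per user agent or ASN, or tenant-wide, over a longer window. The 50076 case is the whole argument for MFA in one log line: the password was right, and the attacker still got nothing.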
These recommendations aren’t sexy (and you’re probably tired of being told to deploy phishing-resistant MFA), but they work. If you’re looking for other concrete steps you can take, start by reading this year’s MDDR to look at the specifics of the threats that Microsoft saw this year, and the ones they expect to be prevalent in the future, so you can protect yourself appropriately.