The Microsoft Digital Defense Report 2025 finds that over half of cyberattacks with known motives in the past year were driven by extortion or ransomware, underscoring a decisive tilt toward financially motivated crime over classic espionage. The report, authored by CVP Amy Hogan‑Burney with CISO Igor Tsyganskiy, covers July 2024 through June 2025 and frames the threat landscape as increasingly opportunistic, automated, and AI‑accelerated.
Headline stats
In 80% of incidents Microsoft investigated, attackers sought to steal data, reinforcing profit as the primary motive rather than intelligence gathering. Espionage-only operations represented just 4% of cases with known motives, while at least 52% were tied to extortion or ransomware, confirming the dominance of financially driven attacks.
Scale of Microsoft’s visibility

“Signing in,” not breaking in
More than 97% of identity attacks are password attacks, and identity-based attacks surged 32% in the first half of 2025, driven by credential leaks and a spike in infostealer malware that harvests credentials and session tokens at scale. Microsoft highlights that phishing-resistant MFA can stop over 99% of these attacks even if an adversary has valid credentials, making it the single highest‑impact control to deploy broadly and fast.
Critical sectors under pressure
Hospitals, local governments, and other public services remain prime targets because operational urgency, sensitive data, and tight budgets amplify the impact of disruption and the likelihood of ransom payment, causing real-world harms like delayed emergency care and canceled classes. Ransomware crews exploit these pressures, rapidly encrypting systems to force difficult choices under time-sensitive conditions.
Nation-state activity
China continues wide-ranging data theft and espionage, accelerating its exploitation of newly disclosed vulnerabilities and probing NGOs to expand insights beyond government channels, according to Microsoft’s tracking. Iran has broadened its targeting from the Middle East to North America and recently hit shipping and logistics firms in Europe and the Persian Gulf, likely pre‑positioning for possible interference with commercial operations.
Russia, while fixated on the war in Ukraine, is increasingly targeting small businesses in NATO countries as lower-resourced pivot points into larger organizations, reflecting a 25% increase in affected NATO countries year over year outside Ukraine. North Korea remains focused on revenue and espionage, including state-affiliated remote IT workers applying for jobs worldwide and, when exposed, turning to extortion to generate funds for the regime.
AI on both sides
Attackers are using AI to automate phishing, craft synthetic media, accelerate vulnerability discovery, and generate adaptive malware, increasing both volume and believability of campaigns. Defenders are also leveraging AI to close detection gaps, flag suspicious identity activity earlier, and raise the overall cost and complexity for attackers, with Microsoft urging organizations to secure their AI systems and train teams accordingly.
Microsoft actions and guidance
Microsoft’s Digital Crimes Unit helped disrupt the Lumma Stealer ecosystem in May alongside the U.S. Department of Justice and Europol, targeting a key infostealer supply line for credential theft at scale. The company reiterates its Secure Future Initiative commitments and stresses that legacy defenses are no longer sufficient, calling for modern, AI‑assisted protection and deeper collaboration across industry and government.
What organizations should do now
Adopt phishing-resistant MFA everywhere, especially for admins and high-risk roles, to block over 99% of identity-based attacks and reduce the blast radius of credential leaks and infostealers. Modernize legacy tooling, segment critical workloads, and monitor identity signals continuously while securing emerging AI systems and educating staff to counter evolving social engineering and deepfake risks.

