Microsoft Reports 600 Million Cyberattacks per Day
Findings From the Tech Giant's Digital Defense Report 2024 Flag Expanding Threat Landscape
The cyberthreat landscape continues to be "dangerous and complex," putting everyone - organizations, users and devices - at risk anywhere and anytime, warned Microsoft in its annual Digital Defense Report 2024.
The tech giant's customers face more than 600 million cyberattacks every day, targeting individuals, corporations and critical infrastructure. This surge in cyberthreats is fueled by the convergence of cybercriminal and nation-state activities and accelerated by advances in technologies including artificial intelligence.
Microsoft monitored more than 78 trillion signals per day to capture activity from nearly 1,500 tracked threat actor groups, including 600 nation-state groups. The report identified an expanding threat landscape dominated by multifaceted attack types, including phishing, ransomware, DDoS attacks and identity-based intrusions.
"If cybercrime were a country, it would have the third-largest GDP, growing faster than India's economy," said Irina Ghose, managing director, Microsoft India. Global cybercrime costs are projected to reach $10.5 trillion annually by 2025. By comparison, Germany - the world's third-largest economy - has a GDP of $4.59 trillion.
Surge in Password-Based Attacks and MFA Evasion Techniques
Despite widespread adoption of multifactor authentication, password-based attacks remain a dominant cyberthreat, making up more than 99% of all identity-related cyber incidents.
Password spraying, breach replays and brute force attacks remain primary methods, exploiting users who select weak passwords or reuse credentials across platforms. Microsoft said it blocked an average of 7,000 password attacks per second.
While organizations that implemented MFA experienced 80% fewer compromises than those relying on password-only authentication, attackers are adapting. Adversary-in-the-middle, or AiTM, phishing attacks rose 146% in 2024. In an AiTM attack the phishing site proxies the real login page, so the victim types a valid password and completes the MFA prompt themselves; the attacker captures the resulting session cookie or token and replays it, never needing to defeat the second factor directly.
Token theft, in which an already-issued session or refresh token is stolen after authentication and reused without triggering a new MFA challenge, reached an estimated 39,000 incidents daily. Although far less frequent than password-based attacks, token theft marks a critical evolution in identity compromise tactics. Microsoft's recommended countermeasures are enhanced sign-in monitoring, token protection (binding tokens to the device they were issued to so a copied token is rejected elsewhere) and continuous access evaluation, which revokes access in near real time when risk signals change rather than waiting for the token to expire.
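As an added example (not code from the Microsoft report or from this article), the following Python detector separates the two credential-attack patterns named above over a sign-in log: password spraying (one source trying many accounts a few times each, so per-account lockouts never trigger) versus brute force (one source hammering a single account), and it flags a success that follows a spray from the same source, which is the event that actually matters to a defender. The log format, the IP addresses and the thresholds are assumptions; the log lines are constructed for the example.

```python
"""Sliding-window sign-in analysis: password spray vs. brute force.

Added example, not from the Microsoft Digital Defense Report.
Assumed (constructed) log format, one event per line:
    <ISO-8601 timestamp> <source_ip> <account> <FAIL|SUCCESS>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed detection window
SPRAY_MIN_USERS = 5              # distinct accounts hit from one IP in the window
SPRAY_MAX_PER_USER = 2           # "low and slow": at most this many tries per account
BRUTE_MIN_FAILS = 6              # many tries against one account from one IP

# Constructed sample log: 203.0.113.7 sprays seven accounts once each and gets
# in on the seventh; 198.51.100.9 brute-forces one account; 192.0.2.44 is a
# user who mistyped a password once and then logged in (benign).
SAMPLE_LOG = """\
2024-10-15T08:00:01Z 203.0.113.7 alice@example.com FAIL
2024-10-15T08:00:03Z 203.0.113.7 bob@example.com FAIL
2024-10-15T08:00:05Z 203.0.113.7 carol@example.com FAIL
2024-10-15T08:00:08Z 203.0.113.7 dave@example.com FAIL
2024-10-15T08:00:10Z 203.0.113.7 erin@example.com FAIL
2024-10-15T08:00:12Z 203.0.113.7 frank@example.com FAIL
2024-10-15T08:00:15Z 203.0.113.7 grace@example.com SUCCESS
2024-10-15T08:01:00Z 198.51.100.9 heidi@example.com FAIL
2024-10-15T08:01:02Z 198.51.100.9 heidi@example.com FAIL
2024-10-15T08:01:04Z 198.51.100.9 heidi@example.com FAIL
2024-10-15T08:01:06Z 198.51.100.9 heidi@example.com FAIL
2024-10-15T08:01:08Z 198.51.100.9 heidi@example.com FAIL
2024-10-15T08:01:10Z 198.51.100.9 heidi@example.com FAIL
2024-10-15T08:01:12Z 198.51.100.9 heidi@example.com FAIL
2024-10-15T09:30:00Z 192.0.2.44 alice@example.com FAIL
2024-10-15T09:30:20Z 192.0.2.44 alice@example.com SUCCESS
"""


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the assumed log format into Events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            ip, user, result == "SUCCESS"))
    events.sort(key=lambda e: e.ts)
    return events


def detect(events, window=WINDOW):
    """Return (kind, source_ip, detail) alerts, at most one per IP and kind.

    For each source IP, walk its events with a sliding time window and count
    failures per account inside that window. Many accounts with few failures
    each is a spray; many failures against one account is brute force.
    """
    alerts = []
    flagged = set()
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    for ip, evs in by_ip.items():
        start = 0
        for end, e in enumerate(evs):
            while evs[start].ts < e.ts - window:   # drop events older than the window
                start += 1
            fails = defaultdict(int)
            for w in evs[start:end + 1]:
                if not w.ok:
                    fails[w.user] += 1

            if (fails and len(fails) >= SPRAY_MIN_USERS
                    and max(fails.values()) <= SPRAY_MAX_PER_USER
                    and ("spray", ip) not in flagged):
                flagged.add(("spray", ip))
                alerts.append(("password_spray", ip,
                               f"{len(fails)} accounts, <= {max(fails.values())} failures each"))

            for user, n in fails.items():
                if n >= BRUTE_MIN_FAILS and ("brute", ip, user) not in flagged:
                    flagged.add(("brute", ip, user))
                    alerts.append(("brute_force", ip, f"{n} failures against {user}"))

            # A success from a source already seen spraying is a probable compromise.
            if e.ok and ("spray", ip) in flagged:
                alerts.append(("spray_success", ip, f"{e.user} authenticated after spray"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{kind:15} {ip:14} {detail}")
```

The benign IP produces no alert because one failure followed by a success from the same source is ordinary user behaviour; tightening `SPRAY_MIN_USERS` or widening `WINDOW` trades false positives for catching slower sprays, and real deployments key on the tenant's actual sign-in schema rather than the toy format assumed here.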
Blurred Lines Between Nation-State Actors and Cybercriminals
Nation-state groups are increasingly enlisting cybercriminal groups and using them as proxies to fund operations, carry out espionage and attack critical infrastructure. Two-thirds of observed nation-state attacks targeted the U.S., Israel, Taiwan, Ukraine and the United Arab Emirates, Microsoft said, highlighting hotspots of geopolitical interest and conflict.
"Cybercrime has continued to mature as a robust and elaborate ecosystem, with cybercriminal groups utilizing a full spectrum of tools and techniques, including those learned, borrowed or stolen from nation-state actors," said Igor Tsyganskiy, CISO, Microsoft.
Russia, China, Iran and North Korea are among the primary actors in this space, using cyber tactics as part of larger influence operations. In 2024, Russian-affiliated cyber groups infiltrated Ukraine's networks using tools such as XWorm and Remcos RAT malware, while Iranian actors conducted influence operations in the U.S. and Israel using AI-generated personas to stoke political unrest. The UN estimates North Korean hackers have stolen more than $3 billion in cryptocurrency since 2017, reportedly financing over half of their nuclear and missile programs.
"These state-sponsored hackers are not just stealing data, but launching ransomware, prepositioning backdoors for future destruction, sabotaging operations and conducting influence campaigns," said Tom Burt, corporate vice president, customer security and trust, Microsoft.
Critical infrastructure bore the brunt of major attacks, driven by factors including the upcoming U.S. elections and the ongoing Ukraine-Russia and Israel-Hamas wars. The most affected sectors include government, education and research, targeted not only for data theft but also to undermine stability and spread influence. Educational institutions in particular serve as testing grounds for advanced phishing tactics, including QR code phishing, that are later used against broader targets.
Ransomware Isn't Going Anywhere
Ransomware remained one of the most serious cybersecurity concerns in 2024, evolving from a financially motivated crime into a geopolitical tool also wielded by nation-state actors. FakePenny, linked to a new North Korean actor, was deployed against aerospace and defense organizations after the actor had already exfiltrated data from their networks, so victims faced both extortion over stolen data and encryption.
The report noted a 2.75-fold year-over-year increase in human-operated ransomware encounters, counted where at least one device in a network was targeted. Unlike automated attacks, human-operated ransomware involves hands-on-keyboard activity: attackers disable defenses, exfiltrate data and then deploy the ransomware payload for maximum impact.
Microsoft identified Akira, LockBit, Play, BlackCat and Black Basta as the most active ransomware groups, accounting for 51% of human-operated ransomware encounters, with long-standing tactics that continue to yield results despite increased global cybersecurity awareness.
Although ransomware encounters are rising, the percentage of organizations ultimately ransomed - where encryption and data lockout occur - decreased more than threefold over the past two years.
Key Actions for Enterprises
- Financially motivated actors such as Octo Tempest and Storm-0539 exploit weak configurations in cloud environments to bypass MFA. Microsoft recommends that organizations exclude unmanaged devices from the network and enhance monitoring of cloud identity infrastructure.
- AI-powered tools that use machine learning for threat detection and to anticipate attack patterns can help mitigate threats from AI-enabled malware. AI enables faster threat triage, which strengthens an organization's defensive stance against sophisticated attacks.
- Layered security, including endpoint detection and response solutions with tamper protection, can prevent attackers from disabling security settings and agents before deploying ransomware.
- In light of rising AiTM phishing and token theft incidents, organizations need to transition to passwordless solutions. The report recommends adopting phishing-resistant MFA, such as FIDO2-compliant passkeys, which bind the credential to the legitimate site's origin so a proxied phishing page cannot complete the authentication.
- Defenders should adopt threat-informed defense approaches to view critical assets from an adversary's perspective, helping map out and secure potential attack paths to these "crown jewels."
- The report underscored the urgency for unified, proactive measures to reduce the volume of cyberthreats. Effective deterrence will require both technological and geopolitical strategies - achievable through two key approaches: preventing intrusions and imposing meaningful consequences.