Microsoft Digital Defense Report 2025
This year’s Microsoft Digital Defense Report (MDDR) showcases the scale and sophistication of today’s cyber threats, the impact of emerging technologies on those threats, and the strategies that leaders, governments, and defenders can use to defend against them.
Our unique vantage point
Microsoft’s global presence—spanning billions of users, millions of organizations, and a vast network of partners—provides us with an unparalleled perspective on the cybersecurity threat landscape.
100 trillion security signals processed daily
4.5 million net new malware file blocks every day
38 million identity risk detections analyzed in an average day
15,000+ partners in our security ecosystem, making it one of the largest in the world
34,000 full-time equivalent security engineers employed worldwide
5 billion emails screened daily on average to protect users from malware and phishing
Top recommendations from MDDR 2025
Based on the insights in our 2025 report, we share expert recommendations to help organizations and governments proactively address today’s evolving cyber risks. Now is the time to take action.
Invest in people, not just tools
Build in resilience
Understand risks and benefits of AI
Transition to quantum safety
Defend your perimeter
Collaborate across sectors
Cyber threats: Worldwide customer impact
Most cyberattacks in 2025 were concentrated in particular countries. The United States (US), the United Kingdom (UK), Israel, and Germany were the leading targets of cyberattacks. Explore this interactive map to see how the most impacted countries compare to others in their region when it comes to cyber threats.
Source: Microsoft Threat Intelligence
This map pulls from data on how frequently customers are targeted by malicious activity in each country. The most impacted countries are compared to other countries in their region, both as a percentage of regional activity and a rank of regional activity.
MDDR 2025 REPORT
OVERVIEW
Threat landscape overview
Over the past year, threat actors quickly developed new techniques to circumvent cyber defenses, from AI-automated phishing to multi-stage attack chains. At the same time, most threats targeted known security gaps, such as web assets and remote services, with threat actors exploiting these vulnerabilities at a faster pace than ever before.
Attacks by sector
Most cyberattacks targeted industries with vast amounts of sensitive data, including government agencies and research and academia. Below are the sectors most impacted by cyber threats in 2025.
Source: Microsoft Threat Intelligence
Attack motivations
Attacks are by and large financially motivated: extortion, ransomware, and data theft are primary attack motivations. Espionage accounts for only 4% of attacks. Below are the most common motivations behind cyberattacks, when identifiable.
Source: Microsoft Incident Response
CYBERCRIME
Cybercrime economy
The cybercrime economy is an increasingly specialized and intricate ecosystem made up of access brokers, ransomware operators, and data extortion groups. As financial incentives increase across the cybercrime-as-a-service (CaaS) model and international borders obscure criminal networks, it can be difficult for governments and organizations to disrupt the cybercrime economy.
$10,000 vs $100,000
A security researcher may earn $10,000 for responsibly disclosing a vulnerability to a bug bounty program but may earn over $100,000 by selling the same exploit to a cyber mercenary.
97% of identity attacks were password spray attacks. Even as more sophisticated tactics evolve, most identity attackers exploit the common problem of weak and overused passwords.
Lumma Stealer
Lumma Stealer was the most prevalent infostealer observed between October 2024 and October 2025. A sophisticated malware-as-a-service (MaaS) platform, Lumma Stealer can retrieve sensitive data from various browsers and applications, such as cryptocurrency wallets. This data is then sold to access brokers through dark web forums and Telegram channels. Ultimately, other cyber criminals like ransomware operators can use the data to access target networks.
In mid-2025, Microsoft’s Digital Crimes Unit, working with the U.S. Department of Justice, Europol, and Japan’s Cybercrime Control Center, carried out a landmark disruption operation against Lumma Stealer. Over 2,300 malicious domains were seized or blocked, cutting off Lumma’s infrastructure and redirecting infected devices away from criminal control.
Source: Lumma pre-disruption data, Microsoft Digital Crimes Unit
Enable cross-border legal operations
Policymakers should promote harmonized cross-border legal frameworks, tools, and tactics to enable faster cybercrime disruptions.
AI
AI: A tool, threat, and vulnerability
Both adversaries and defenders are using AI to make their operations more effective and efficient, rendering the technology a cybersecurity risk and tool at once.
AI and defenders
AI in threat analysis
AI models can scan vast amounts of threat intelligence data to detect early warning signs, helping defenders disrupt attacks before they escalate.
AI for identifying gaps
AI can compare known threats with existing protections, revealing vulnerabilities and directing security resources.
Automated response
AI agents can act within seconds of a suspected threat, suspending accounts, initiating password resets, and notifying administrators.
AI and adversaries
AI as a vulnerability
Attackers are compromising improperly secured AI workloads through prompt-based attacks and supply chain exploits, tricking models into executing unauthorized actions.
Deepfake fraud
Attackers use synthetic media, such as voice cloning and deepfake videos, to target multinational companies and government organizations, gaining access to sensitive information and costing millions.
Automated attacks
AI agents could allow threat actors to automate the entire attack lifecycle through chain reconnaissance, vulnerability scanning, and exploitation at scale.
Invest in AI research and development
Governments should invest in research and development projects that specifically apply AI to cybersecurity technology.
Storm-2139: A tale of AI abuse
In July 2024, Microsoft uncovered a global network exploiting stolen API keys to bypass AI safety controls and generate abusive AI-generated images. Using content provenance tools and open-source intelligence, the DCU traced the operation and referred the criminals to governments.
NATION-STATE
Nation-state threat actors
In 2025, nation-state threat actors evolved their cyber and influence operations with more advanced, targeted, and scalable tactics. They rapidly adopted AI to produce automatic and large-scale influence campaigns.
Nation-state actors remain focused on intelligence collection and public perception manipulation, shaping conflict narratives and flooding the information space with synthetic media to desensitize audiences and exhaust detection systems.
Sectors most targeted by nation-state actors:
IT, research and academia, government, think tanks, and non-governmental organizations.
Observed nation-state activity count per country
Certain countries face disproportionate levels of nation-state activity. This is a regional breakdown of countries that receive the most frequent adversary attacks.
Source: Microsoft Threat Intelligence nation-state notification data
Signal red lines and impose diverse consequences for nation-state cyberattacks
States should make clear that malicious nation-state cyber activity will result in increasingly severe consequences. These responses can include a range of options, from economic measures and diplomatic sanctions to targeted declassification and public shaming.
Detecting North Korean foreign IT workers operating as nation-state actors
North Korea places thousands of remote workers at unwitting companies every year to generate revenue and gain access to sensitive intellectual property. Workers are branching into new sectors and job types. Microsoft tracks this remote work activity and provides guidance on how to monitor and remediate this problem.
Additional report topics
Take a deeper dive into the 2025 Microsoft Digital Defense Report.
Navigate to specific sections of the report below.
Introduction
Introductory statement by Amy Hogan-Burney and Igor Tsyganskiy
About this report
Our unique vantage point
Top 10 recommendations from this report
Part I. The threat landscape
Key takeaways
How threat actors are shaping the cyber risk environment
Identity, access, and the cybercrime economy
Human-operated attacks and ransomware
Fraud and social engineering
Social engineering exploits
Cloud threat trends
Nation-state adversary threats
AI’s double-edged influence: Defending and disrupting the digital landscape
Quantum technologies: Strategic priority in a new era of competition
Part II. The defense landscape
Key takeaways: Insights and actions for cyber defense
AI and advanced defense
Countering nation-state and emerging threats
Policy, capacity, and future readiness
Strategic vision and global commitments