Microsoft 365 Security and Compliance Update – November 2024

Microsoft Digital Defense Report 2024

Background

Microsoft faces over 600 million daily attacks, including ransomware, phishing, and identity breaches.

In the past year, cyber threats have grown more dangerous and sophisticated, with better-resourced attackers challenging top defenders. Both targeted and opportunistic attacks pose universal risks to organizations and users.

Cyberattacks are escalating, jeopardizing human health. In the US this fiscal year, 389 healthcare institutions were hit by ransomware, causing network closures and delays in critical operations. Nation-states are increasingly aggressive, using advanced techniques to steal data, launch ransomware, sabotage operations, and conduct influence campaigns.

We must enhance our cyber defences at all levels and reduce attack volumes through deterrence. Effective cybersecurity requires industry efforts and government action to impose consequences on attackers. This challenge demands a commitment from all stakeholders to robust cyber defence foundations beyond basic hygiene measures.

While recent efforts have focused on developing international cybersecurity norms, these lack effective deterrence, leading to increased nation-state attacks and rampant cybercrime. Cybercriminals continue their activities with impunity due to the challenges of cross-border law enforcement and safe havens provided by some governments. Despite a pessimistic short-term outlook, there is optimism on the horizon.

The Microsoft Digital Defense Report explores the role of AI in cybersecurity, addressing emerging threats and defence strategies. Government responses to AI advancements are also examined, with the report arguing that AI-powered cybersecurity can give defenders a significant advantage over attackers in the near future.

A Unique Vantage Point

The depth and breadth of Microsoft’s presence in the digital ecosystem offer a unique perspective that we share in this report.

Here are some data points:

  • 78 trillion security signals per day inform our insights
  • 34,000 full-time dedicated security engineers
  • 15,000 partners with specialized security expertise

The evolving threat landscape

Ransomware remains one of the most serious cybersecurity concerns.

Among its customers, Microsoft observed a 2.75x increase year over year in human-operated ransomware-linked encounters (defined as having at least one device targeted for a ransomware attack in a network).

Meanwhile, the percentage of attacks reaching the actual encryption phase has decreased threefold over the past two years. Automatic attack disruption contributed to this positive trend in decreasing successful attacks.

In more than 90% of cases where attacks progressed to the ransom stage, the attacker had leveraged unmanaged devices in the network, either to gain initial access or to remotely encrypt assets at the impact stage.

The ever-growing threat of cyber-enabled financial fraud

Cyber-enabled financial fraud covers a range of fraudulent activities facilitated by the internet, including investment scams, BEC, and tech support scams.

According to the FBI, losses due to investment scams have surpassed all other online fraud types, accounting for more than $4.5 billion US in losses in 2023 alone.

Teams at Microsoft, LinkedIn, and Skype are advancing efforts to detect such criminal activities proactively, and Microsoft suspended upwards of 64 million abusive service accounts in 2023. They are also working with industry and law enforcement partners to disrupt these actors in the real world. In addition, we are currently working with law enforcement partners to improve intelligence exchange on cyber threats to dismantle criminal operations.

Cybercriminals are leveraging the growing cybercrime-as-a-service (CaaS) ecosystem as well as AI technologies to launch phishing and social engineering attacks at scale. Simultaneously, they are increasingly evading security measures like multifactor authentication (MFA) to conduct targeted attacks.

As a result, the battle against cyber-enabled financial fraud requires a multi-faceted response. Enhancing cooperation and strengthening detection and prevention measures are key areas of focus. Public awareness, vigilance, and the facilitation of fraud reporting are also vital components in preventing these crimes and mitigating their impact.

Phishing remains a perennial cybersecurity threat.

According to Trend Micro, phishing attacks increased by 58% in 2023, with an estimated financial impact of $3.5 billion US in 2024.

Threat actors continue to use longstanding and new TTPs to access targets, but a growing concern this year is the misuse of legitimate web services and tools for phishing deployment.

Software-as-a-Service (SaaS)-based email, developer tools, captcha services, cloud storage, click tracking, marketing platforms, customer survey platforms, lesser-known email clients, and backup and mass emailing tools have all been weaponized for a range of malicious activities.

One of the key advantages of using these services is that they can evade detection systems because they are less likely to be preemptively blocked due to their established levels of trust and legitimate usage. Additionally, many phishing campaigns combine the use of multiple legitimate services simultaneously, complicating the detection process for both human analysts and automated systems.

  • 775 million email messages contained malware (July 2023-June 2024)

Business email compromise (BEC) remains a prevalent threat, with inbox rule manipulation the favoured method.

Inbox rule manipulation: A new variation has emerged involving manipulation through API/App usage. Instead of using the usual “New-InboxRule” or “Set-InboxRule” commands, the attackers now use “UpdateInboxRules”. This approach allows them to redirect emails with keywords related to credentials or financial matters to less monitored folders like Spam, Conversation History, or Deleted Items, hiding their fraudulent activity from the user’s immediate view.
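To hunt for the rule-manipulation pattern described above, here is an added example that is not part of the report or of any Microsoft tooling: a Python filter over constructed, simplified mailbox audit records that flags New-InboxRule, Set-InboxRule and UpdateInboxRules operations whose conditions mention credentials or money and whose action hides the matching mail. The record shape (Operation, UserId, Parameters as Name/Value pairs), the folder list and the keyword list are assumptions modelled on Exchange audit entries, not real log output.

```python
import re

# Constructed sample records in a simplified shape (assumption: real
# Search-UnifiedAuditLog output nests these fields under AuditData JSON).
SAMPLE_AUDIT = [
    {"Operation": "UpdateInboxRules", "UserId": "finance@contoso.example",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "invoice;wire transfer"},
                    {"Name": "MoveToFolder", "Value": "Conversation History"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.example",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "newsletter"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"Operation": "Set-InboxRule", "UserId": "bob@contoso.example",
     "Parameters": [{"Name": "BodyContainsWords", "Value": "password reset"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "MailItemsAccessed", "UserId": "bob@contoso.example", "Parameters": []},
]

# The three rule operations the report names, including the API-driven one.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
# Folders users rarely look at; illustrative list, extend to your tenant.
HIDING_FOLDERS = {"junk email", "spam", "conversation history", "deleted items",
                  "rss feeds", "archive"}
# Illustrative credential/financial keywords a BEC actor typically filters on.
SENSITIVE = re.compile(r"invoice|payment|wire|bank|credential|password|mfa|verif", re.I)


def params(record):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def suspicious_rule(record):
    """Return a reason string if the record is a rule that hides sensitive mail, else None."""
    if record.get("Operation") not in RULE_OPS:
        return None
    p = params(record)
    conditions = " ".join(v for k, v in p.items() if "ContainsWords" in k or k == "From")
    hides = (p.get("MoveToFolder", "").strip().lower() in HIDING_FOLDERS
             or p.get("DeleteMessage", "").lower() == "true"
             or p.get("MarkAsRead", "").lower() == "true")
    if hides and SENSITIVE.search(conditions):
        return f"{record['Operation']} by {record['UserId']}: '{conditions}' -> hidden"
    return None


def find_suspicious(records):
    """Run the check over a batch of audit records and return the hits."""
    return [r for r in (suspicious_rule(x) for x in records) if r]
```

In a real tenant, feed it the AuditData of Search-UnifiedAuditLog results filtered with -Operations New-InboxRule,Set-InboxRule,UpdateInboxRules, and treat any hit on a finance or executive mailbox as a BEC indicator worth immediate review.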

BEC lateral phishing: After compromising an account, attackers aim to move laterally within the organization, targeting multiple users to either gain access to high-privilege accounts or trick users into paying fake invoices. This is achieved by sending phishing emails to other users within the organization.

Conversation hijacking: The attacker compromises the sender’s email account and injects themselves into an existing email thread using a similar-looking account, keeping the sender’s display name unchanged. The hijacked account domain is usually newly created for financially motivated scams to lure users.

Insights on identity attacks and trends

As organizations move to the cloud and adopt SaaS applications, identities are becoming increasingly crucial for accessing resources.

Cybercriminals exploit legitimate and authorized identities to steal confidential data and access credentials in various ways, such as through phishing, malware, data breaches, brute-force/password spray attacks, and prior compromises.

As in past years, password-based attacks on users constitute most identity-related attacks, supported by a massive infrastructure that threat actors have dedicated to combing the digital world for passwords.

Microsoft Entra data shows that of more than 600 million identity attacks per day, more than 99% are password-based. Advances such as default security configurations and Conditional Access policies have helped more organizations embrace multifactor authentication (MFA), increasing adoption to 41% among Microsoft enterprise customers.

However, as MFA blocks most password-based attacks, threat actors are shifting their focus, moving up the cyberattack chain in three ways:

  • Attacking infrastructure
  • Bypassing authentication
  • Exploiting applications

Helpdesk social engineering

Microsoft has observed an uptick in threat actors contacting helpdesks, impersonating a user to obtain a password reset or register a new MFA device.

In the last year, more than half of all Microsoft Incident Response engagements attributed to Octo Tempest could be traced back to helpdesk social engineering. Helpdesks have begun to counter this by requiring further levels of verification, such as video calls. Still, as noted in the report, the rise of deepfakes will enable a threat actor to impersonate the voice, image, and video of a victim, making even this identity verification avenue more difficult.

Threat actors such as Octo Tempest have also been observed communicating directly with senior executives and other individuals involved in an investigation as part of their extortion campaign or in an effort to gain access to credentials. In cases where extortion is part of the attack, threat actors may also use text messages to pressure victims into paying.

Download the full Report: https://go.microsoft.com/fwlink/?linkid=2290930&clcid=0x409&culture=en-us&country=us
