Microsoft Digital Defense Report

10 essential insights from the Microsoft Digital Defense Report 2024


Microsoft's unique perspective shapes top 10 cybersecurity insights

The 2024 Microsoft Digital Defense Report, which surveys the complex, challenging, and increasingly dangerous cyberthreat landscape, is made possible by Microsoft's unique perspective on the evolving cybersecurity environment.

Our expansive presence in the digital ecosystem allows us to process over 78 trillion security signals daily, providing unparalleled insights into global cyber threats. This vantage point is enriched by our collaboration with 15,000 specialized partners and the expertise of 34,000 full-time-equivalent engineers dedicated to security initiatives.

We monitor over 1,500 unique threat groups, including both nation-state actors and cybercrime groups. Our comprehensive Microsoft Digital Defense Report examines key trends and emerging challenges. Based on the latest analysis in this report, we have distilled ten significant highlights into a simplified Top 10 Insights list that concisely summarizes the most important considerations for 2024.

Despite a 2.75x increase in ransomware-linked encounters, attacks reaching the encryption stage have decreased threefold over two years due to automatic attack disruption. Of those attacks that did progress to the ransom stage, over 90% used unmanaged devices as their initial access point or for remote encryption. This is often because these devices lack proper security measures.

Key Takeaway: Organizations must prioritize managing all network-connected devices to prevent ransomware attacks. Enrolling devices into management systems or excluding unmanaged ones is essential. Additionally, strengthening defenses against social engineering and patching vulnerabilities can further protect networks from initial access attempts.

Techscam traffic has skyrocketed since 2021, surpassing the growth of malware and phishing activities. Most techscams originate from malicious ad platforms, exploiting users through fake support services, fraudulent cryptocurrency schemes, and deceptive browser extensions.

Key Takeaway: To help protect against techscams, organizations can implement blocklists for known malicious domains and continuously update them to stay ahead of evolving scam tactics. Additionally, leveraging AI detection models and client-side signals can improve the speed and efficiency of identifying and neutralizing techscam threats.

Password-based attacks dominate identity threats, exploiting predictable human behaviors like weak passwords and reuse. While multifactor authentication adoption is rising to 41%, attackers are shifting tactics, targeting infrastructure and employing adversary-in-the-middle (AiTM) phishing attacks and token theft.

Key Takeaway: Transition to phishing-resistant, passwordless authentication methods like passkeys. Enhance monitoring with AI-driven threat detection and ensure access only from managed devices. Secure your identity infrastructure by governing permissions and retiring unused applications.

This year, state-affiliated threat actors have blurred lines by using criminal tools and tactics. North Korean hackers have stolen over $3 billion in cryptocurrency since 2017, funding state initiatives like nuclear programs. Microsoft identified active North Korean threat actor groups targeting cryptocurrency and deploying ransomware, demonstrating the growing collaboration between nation-state threat actors and cybercriminals. Microsoft also observed the same line-blurring behavior from Iranian and Russian threat actor groups.

Key Takeaway: Organizations must enhance defenses against both nation-state threat actors and cybercriminal threats. Implementing robust cybersecurity measures, monitoring for advanced persistent threats, and staying informed about evolving tactics can help mitigate risks from these sophisticated actors.

In 2024, the education and research sector became the second most targeted by nation-state threat actors. These institutions offer valuable intelligence and frequently serve as testing grounds for new attack techniques, such as QR code phishing, which was widely used against them starting in August 2023.

Key Takeaway: Educational and research institutions must strengthen cybersecurity measures to protect sensitive information. Implementing robust email security, educating staff and students on phishing tactics, and monitoring for unusual activity can help mitigate these threats.

Nation-state threat actors are increasingly leveraging AI to enhance their cyber influence operations, using AI-generated content to boost productivity and engagement. While the impact has been limited so far, the potential for AI to significantly amplify these campaigns is evident. China leads with AI-generated imagery targeting elections, Russia focuses on audio manipulations, and Iran is gradually integrating AI into its strategies.

Key Takeaway: Organizations and governments must bolster defenses against AI-enhanced cyber influence operations by investing in AI-driven detection systems and improving digital literacy. International collaboration is crucial to establish norms regulating AI use in cyber influence campaigns, helping ensure protection against misinformation and safeguard democratic processes.

As AI becomes integral to cybersecurity, governments worldwide are pursuing different policy approaches to encourage the safe and responsible development, deployment, and use of AI. Red teaming—simulating adversarial attacks to identify vulnerabilities—is emerging as a key practice. This proactive approach helps address potential threats before they can be exploited by malicious actors.

Key Takeaway: Organizations should incorporate red teaming into their AI security protocols to uncover and mitigate vulnerabilities early. By simulating real-world attack scenarios, they can strengthen their defenses and ensure the safe deployment of AI technologies. Collaboration with government initiatives and adherence to evolving regulatory frameworks will further enhance AI security.

Born from the urgent need to defend against sophisticated cyberattacks, the Secure Future Initiative (SFI) has led Microsoft to remove 730,000 non-compliant apps and 5.75 million inactive tenants, significantly reducing potential attack surfaces. This initiative highlights the importance of addressing technical debt and shadow IT in a rapidly evolving threat landscape.

Key Takeaway: Organizations should adopt proactive measures by regularly auditing systems and eliminating unused or non-compliant applications and tenants. Embracing Zero Trust principles and maintaining a comprehensive asset inventory are crucial steps in fortifying security defenses and preparing for future threats.

Developed in response to the increasing complexity of cyber threats, the hierarchy of cybersecurity needs offers a structured approach to prioritizing security efforts. Inspired by Maslow’s model, it starts with identity protection as the foundation and builds through endpoint security, digital asset protection, threat detection, and automation. This layered strategy ensures comprehensive coverage and resilience against threats.

Key Takeaway: By following this hierarchy, organizations can systematically address vulnerabilities, starting with the most critical areas. Emphasizing identity protection and leveraging AI to enhance each layer will strengthen overall security posture and improve the ability to respond to evolving cyber threats.

As cyber threats grow more complex, collaboration between governments and industries is crucial. Initiatives like the North Atlantic Treaty Organization's (NATO) Defense Innovation Accelerator for the North Atlantic (DIANA) and the Roundtable for AI, Security, and Ethics (RAISE) highlight the importance of joint efforts in enhancing digital defense capabilities. These partnerships focus on standardization, interoperability, and ethical AI governance to bolster national and global security.

Key Takeaway: Organizations should engage in collaborative efforts with government bodies and industry partners to strengthen cybersecurity measures. By participating in collective defense initiatives and adhering to international standards, they can enhance their resilience against evolving cyber threats and contribute to global stability.