NTSC Blog

Microsoft Digital Defense Report 2023: Ten Essential Insights

11/08/2023 Reading time: 8 min

As details from the Microsoft Digital Defense Report 2023 reveal, cyberthreats continue to grow in sophistication, speed, and scale, compromising an ever-growing pool of services, devices, and users. As we confront these challenges and prepare for a future where AI can help level the playing field, it’s imperative to act decisively on each of these ten insights.

Microsoft’s unique vantage point

As a company committed to making the world a safer place, Microsoft has invested heavily in security research, innovation, and the global security community. We have access to a diverse range of security data which puts us in a unique position to understand the state of cybersecurity and to identify indicators that can help predict the next moves of attackers.

As part of our longstanding commitment to create a safer world, Microsoft’s investments in security research, innovation, and the global security community include:

#1: Basic security hygiene still protects against 99% of attacks

The vast majority of successful cyberattacks could be thwarted by implementing a few fundamental security hygiene practices. Using the hyper-scale cloud makes it easier to implement them by either enabling them by default or abstracting the need for customers to implement them.

Fundamentals of cyber hygiene

Enable MFA: This protects against compromised user passwords and helps provide extra resilience for identities.

Apply Zero Trust principles: The cornerstone of any resilience plan is to limit the impact of an attack. These principles are: (1) Explicitly verify. Ensure users and devices are in a good state before allowing access to resources. (2) Use least privilege access. Allow only the privilege needed to access a resource and no more. (3) Assume breach. Assume system defenses have been breached and systems may be compromised. This means constantly monitoring the environment for possible attack.

Use extended detection and response (XDR) and antimalware: Implement software to detect and automatically block attacks and provide insights to the security operations software. Monitoring insights from threat detection systems is essential to being able to quickly respond to cyberthreats.

Keep up to date: Attackers take advantage of unpatched and out- of-date systems. Ensure all systems are kept up to date including firmware, the operating system, and applications.

Protect data: Knowing your important data, where it is located, and whether the right defenses are implemented is crucial to implementing appropriate protection.

#2: Human-operated ransomware attacks increasing

Microsoft’s telemetry indicates an increased rate of ransomware attacks compared with last year, with human-operated ransomware attacks tripling since September 2022. Going forward, we expect ransomware operators will seek to leverage automation, AI, and hyperscale cloud systems to scale and maximize the effectiveness of their attacks.

The ransomware landscape

Ransomware elimination and the Foundational Five

We have identified five foundational principles which we believe every enterprise should implement to defend against ransomware across identity, data, and endpoints.

  1. Modern authentication with phish-resistant credentials
  2. Least Privileged Access applied to the entire technology stack
  3. Threat- and risk-free environments
  4. Posture management for compliance and the health of devices, services, and assets
  5. Automatic cloud backup and file-syncing for user and business-critical data

#3: Password attacks dramatically rise

Microsoft Entra data reveals a more than tenfold increase in attempted password attacks when compared with the same period from a year ago. One way to deter would-be attackers is to use non-phishable credentials such as Windows Hello for Business or FIDO keys.


Did you know?

One of the main reasons password attacks are so prevalent is due to a low security posture. Many organizations have not enabled MFA for their users, leaving them vulnerable to phishing, credential stuffing, and brute force attacks.

#4: Business Email Compromise (BEC) at an all-time high

Threat actors are adapting their social engineering techniques and use of technology to carry out more sophisticated and costly BEC attacks. Microsoft’s Digital Crimes Unit believes increased intelligence sharing across the public and private sectors will enable a faster and more impactful response to BEC.

Did you know?

The Microsoft Digital Crimes Unit has taken a proactive stance by actively tracking and monitoring 14 DDoS-for-hire sites, including one situated in the dark web, as part of its commitment to identifying potential cyberthreats and remaining ahead of cybercriminals.

#5: Nation-state threat actors’ global target set expands

Nation-state actors have increased the global scope of their cyber operations as part of information gathering. Organizations involved in critical infrastructure, education, and policymaking were among the most targeted, in line with many groups’ geopolitical goals and espionage-focused remits. Steps to detect possible espionage-related breaches include monitoring changes to mailboxes and permissions.

The most targeted nations by region* were:


*Fuller data breakdown can be found in the report

Did you know?

This year, Microsoft launched a new threat actor naming taxonomy. The new taxonomy will bring better clarity to customers and security researchers with a more organized and easy to use reference system for threat actors.

#6: Nation state actors mix influence operations with cyber attacks

Nation-state actors are more frequently employing influence operations alongside cyber operations to spread favored propaganda narratives, stoke social tensions, and amplify doubt and confusion. These operations are often carried out in the context of armed conflicts and national elections.

Russian state actors expanded their scope of activity beyond Ukraine to target Kyiv’s allies, principally NATO members.

China’s expanded and sophisticated activities reflect its dual pursuits of global influence and intelligence collection. Its targets include US defense and critical infrastructure, South China Sea nations, and Belt and Road Initiative partners.

Iran has expanded its cyber activities to Africa, Latin America, and Asia. Leaning heavily into influence operations, it has pushed narratives that seek to foment Shi’ite unrest in Gulf Arab countries and counter the normalization of Arab-Israeli ties.

North Korea has increased the sophistication of its cyber operations in the last year, especially in cryptocurrency theft and supply chain attacks.

Did you know?

While AI-generated profile pictures have long been a feature of state-sponsored influence operations, the use of more sophisticated AI tools to create more striking multimedia content is a trend we expect to persist with the wider availability of such technologies.

#7: IoT/OT devices increasingly at risk

Attackers have increasingly targeted the highly vulnerability of information technology and operational technology (IT-OT), which can be difficult to defend. For example, of the 78% of internet of things (IoT) devices with known vulnerabilities on customer networks, 46% cannot be patched. A robust OT patch management system is therefore an essential component of cybersecurity strategy, while network monitoring in OT environments may help detect malicious activity.

Did you know?

25% of OT devices on customer networks use unsupported operating systems, making them more susceptible to cyberattacks due to a lack of essential updates and protection against evolving cyberthreats.

#8: AI and large language models (LLMs) will transform cybersecurity

AI can enhance cybersecurity by automating and augmenting cybersecurity tasks, enabling defenders to detect hidden patterns and behaviors. LLMs can contribute to threat intelligence; incident response and recovery; monitoring and detection; testing and validation; education; and security, governance, risk and compliance.

Microsoft’s researchers and applied scientists are exploring many scenarios for LLM application in cyber defense, such as:

Did you know?

Microsoft’s AI Red Team of interdisciplinary experts is helping build a future of safer AI. Our AI Red Team emulates the tactics, techniques, and procedures (TTP) of real-world adversaries to identify risks, uncover blind spots, validate assumptions, and improve the overall security posture of AI systems.

Learn more about Microsoft’s red teaming for AI at Microsoft AI Red Team building future of safer AI | Microsoft Security Blog.

#9: Collaboration can reduce cybercrime and protect the integrity of digital services

As cyberthreats evolve, public-private collaboration will be key to improve collective knowledge, drive resilience, and inform mitigation guidance across the security ecosystem. For example, this year, Microsoft, Fortra LLC, and Health-ISAC worked together to reduce cybercriminal infrastructure for the illicit use of Cobalt Strike. This has resulted in a reduction of this infrastructure by 50% in the United States.

Did you know?

The global Cybercrime Atlas brings together a diverse community of more than 40 private and public sector members to centralize knowledge sharing, collaboration, and research on cybercrime. The goal is to disrupt cybercriminals by providing intelligence that facilitates actions by law enforcement and the private sector, leading to arrests and the dismantling of criminal infrastructures.

#10: The future requires more cybersecurity professionals

The global shortage of cybersecurity and AI professionals can only be addressed through strategic partnerships between educational institutions, nonprofit organizations, governments, and businesses. Since AI may help relieve some of this burden, the development of AI skills is a top priority for company training strategies.

For more threat intelligence insights and guidance, visit Microsoft Security Insider.