Microsoft Digital

Defense Report 2024

The foundations and new
frontiers of cybersecurity

A Microsoft Threat Intelligence report

 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 1

In this report Fraud

Landscape and trends
31
31
Resilience maturity

Supporting the ecosystem

66

67
How governments and industries
are advancing global AI security 101

Phishing 34 Government approaches to AI security 101

The passkey journey: a story
Impersonation 36 of collaboration across the industry 67 Collaborative policy initiatives for AI security 104

Overview Critical environments 69 International standards for AI security 105

Identity and social engineering 39
About this report 02 Staying a step ahead of threat actors
Insights on identity attacks and trends 39 Collective action 77
in the age of AI 106
Introduction by Tom Burt 03 Identity attacks in perspective 41 The digital transformation of
defense and a call for partnership 77 Appendix
Our unique vantage point 05 Security to the max: the optimal mindset
for security professionals 42 How Microsoft helps support democratic elections 79
Cybersecurity at Microsoft: the CISO’s perspective 07 References 108
Social engineering “next generation” 44 3 Early insights: AI’s impact on cybersecurity Contributing teams 110
1 The evolving cyber threat landscape
Stormy skies: the rise of cloud identity compromise 47
Key developments 83
Key developments 09
DDoS attacks 50 Cyber Point of View stories
Introduction 84
Introduction 10
DDoS: Stealthier threats emerge 50
Understanding how generative AI systems work 85
Japan 16
Threat actors and motivations 11 Attack landscape 50
Two key insights 86
Australia 23
Nation-state threats 12 A new threat: Application loop attacks 50
Emerging threat landscape 87 Israel 30
Nation-state threat activity by the numbers 12
2 Centering our organizations on security The generative AI threat landscape 87
Blurring lines between nation-state Canada 49
threat actors and cybercriminals 17 Key developments 54 Sophisticated AI-enabled human targeting 89
India 52
The many faces of hybrid war 18 Introduction 55 Emerging techniques in AI-enabled attacks 90
Sweden 59
Deterring the most advanced threats 22 Nation-state threat actors using
Secure Future Initiative 56 Latin America 65
AI for influence operations 91
Election interference 24
Strategic approaches to cybersecurity: France 68
“Managing your own house” 57 AI for defense 94
Ransomware 27
Africa 73
Data security 57 Harnessing AI to detect cyberattacks 95
Landscape and trends 27
AI’s early impact on the security operations center 96 United Kingdom 81
How cybercriminals are tampering Hierarchy of cybersecurity needs 60
with security products 28 Seven areas of efficiencies in Microsoft Albania 103
Threat-informed defense 61
security operations 97
Octo Tempest: a case study and a cautionary tale 29
Optimizing governance and accountability 63
Using generative AI to understand
Disrupting ransomware threat actors 30 Security incident decisions: cyberattacks and create tailored mitigations 99
Dispatches from the field 64
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 2

About this report Introduction Our unique vantage point Cybersecurity at Microsoft

About this report

Report scope We advocate for strong global privacy and data ▪ Influence operations (IO): The coordinated,
The data, insights, and events in this report represent
protection laws requiring companies, including ours, integrated, and synchronized application of Our commitment to developing
July 2023 through June 2024 (Microsoft fiscal year
to only collect and use personal data in responsible, national diplomatic, informational, military, technology responsibly
accountable ways. economic, and other capabilities in peacetime,
2024), unless otherwise noted. As we design, build, and release AI products,
crisis, conflict, and post conflict to foster attitudes,
Threat actor terminology used in this report six values—transparency, accountability,
Please note that due to rounding, the percentages in behaviors, or decisions by foreign target audiences
fairness, inclusiveness, reliability and safety, and
some charts may not total 100%. ▪ Nation-state threat attacks/operations: that further nation-state interests and objectives.
privacy and security—remain our foundation
Relevant discussion from the 2023 edition of the Malicious cyberattacks that originate from a ▪ Cyber-enabled influence operations: and guide our work every day.
Microsoft Digital Defense Report is referenced in this particular country and are an attempt to further Operations which combine offensive computer
report. You can access the 2023 report in the archive that country’s interests. These attacks are network operations with messaging and
section at aka.ms/MDDR. often fueled by geopolitical competition and a amplification in a coordinated and manipulative
desire to gain an advantage over other nations. fashion to shift perceptions, behaviors, or Links
Report viewing and navigating Common objectives include stealing intellectual decisions by target audiences to further Microsoft Privacy Statement
There are links in the headers and table of contents property for economic benefit or supporting a group or a nation’s interests and objectives.
traditional espionage. Microsoft EU Data Boundary Overview |
for easy navigation throughout the report.
Key information Microsoft Trust Center
▪ Cybercriminal activity: Cybercriminals are
For easier viewing and navigating through the
typically motivated by financial gain. They may Throughout this document look out for features Empowering responsible AI practices |
report on certain browsers, we suggest using
use similar tools and tactics as nation-state threat offering insights and detail from Microsoft experts. Microsoft AI
Adobe Reader, which is available for free on the
actors, such as bespoke malware, password spray Responsible AI Transparency Report | May 2024
Adobe website. Look out for highlighted text like this and the
infrastructure, and phishing or social engineering
Actionable Insights sections:
Our commitment to preserving privacy campaigns. However, their primary goal is to
profit from their activities, rather than to further a
Any and all data included in this report is presented
nation’s geopolitical objectives. Actionable Insights
in alignment to our privacy principles. Microsoft is
committed to its focus on preserving customers’ ▪ Cyber operations: An overarching term referring
control over their data and their ability to make to all computer network operations, from
informed choices that protect their privacy. computer network defense to computer network
attacks, and to computer network exploitation.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 3

About this report Introduction Our unique vantage point Cybersecurity at Microsoft

Complex, challenging, and increasingly dangerous

The new cyber threat landscape: an introduction by Tom Burt

In the last year, the cyber threat landscape continued These cyberattacks are continuing at a breathtaking We have to find a way to stem the tide of this
“We all can, and must, do better, to become more dangerous and complex. scale, and as they increasingly put human health malicious cyber activity. We all can, and must, do
at risk, the stakes for stopping them couldn’t ’ better, hardening our digital domains to protect
hardening our digital domains to The malign actors of the world are becoming
be higher. In the US alone this fiscal year, 389 our networks, data, and people at all levels.
better resourced and better prepared, with
protect our networks, data, and healthcare institutions were successfully hit by This challenge will not be accomplished solely by
increasingly sophisticated tactics, techniques,
people at all levels.” and tools that challenge even the world’s ’ best
ransomware, resulting in network closures, systems -
executing a well-known checklist of cyber hygiene
offline, critical medical operations delayed, and measures but through a focus on and commitment
cybersecurity defenders.
appointments rescheduled. Worse, the increased to the foundations of cyber defense from the
Because these actors conduct both targeted and risk of cyberattacks is no longer limited to civilian individual user level to the executive level.
opportunistic attacks, the threat they present is cybercriminals. Nation-states are becoming more
However, improved defense will not be enough.
universal, meaning organizations, users, and devices -
aggressive in the cyber domain, with ever-growing
The sheer volume of attacks must be reduced
are at risk anywhere, anytime. Even Microsoft has levels of technical sophistication that reflect
through effective deterrence, and while the industry
-
been the victim of well-orchestrated attacks by increased investment in resources and training.
must do more to deny the efforts of attackers via
-
determined and well-resourced adversaries, and our These state-sponsored hackers are not just stealing
better cybersecurity, this needs to be paired with
customers face more than 600 million cybercriminal data, but launching ransomware, prepositioning
government action to impose consequences that
and nation-state attacks every day, ranging from backdoors for future destruction, sabotaging
further discourage the most harmful cyberattacks.
ransomware to phishing to identity attacks. operations, and conducting influence campaigns.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 4

Introduction by Tom Burt continued About this report Introduction Our unique vantage point Cybersecurity at Microsoft

While in recent years a great deal of attention has This year we will also share how Microsoft is
been given to the development of international responding to the significant attacks on our
norms of conduct in cyberspace, those norms corporate infrastructure. This includes details of our
so far lack meaningful consequence for their Secure Future Initiative and how we are orchestrating
violation, and nation-state attacks have been a company-wide
- initiative to make security our top
undeterred, increasing in volume and aggression. corporate priority. We hope that these learnings will
Cybercriminals similarly continue to attack with help others think through their own security posture
impunity, knowing that law enforcement is and approach to cyber defense.
hampered by the challenges of investigation and
Microsoft is proud to deliver the Microsoft
-
prosecution of cross-border crime, and often
Digital Defense Report, now in its fifth edition,
operating from within apparent safe havens where
as part of our commitment to helping the world
government authorities turn a blind eye to the
understand and mitigate cyber threats. We believe
malicious activity.
transparency and information-sharing
- are essential
While the immediate outlook is pessimistic, there to the protection of the global cyber ecosystem.
are changes on the near horizon that provide cause Communicating the insights that we derive from our
for optimism. In this year’s
’ Microsoft Digital Defense unique vantage point is one of the many ways we
Report, we dive deeper into the subject of AI in work to make the cyber world a safer place.
cybersecurity. We explore the associated emerging
As our CEO, Satya Nadella, has said: “This is a
threats and defense strategies, as well as examine
consequential time.” We stand on the frontier of
the responses of governments around the world to
-
an AI-empowered world. It is up to us, however,
this rapidly evolving technology. And although we
to leverage AI most effectively. In the tug-of-
- -
must anticipate the use of AI by attackers, advances
war between attackers and defenders in which
in AI-powered
- cybersecurity should give defenders
the attackers currently have an advantage, it
an asymmetric advantage in the near future.
will take conscientiousness and commitment by
both the public and private sectors to ensure the
defenders win.
Tom Burt
Corporate Vice President,
Customer Security and Trust
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 5

About this report Introduction Our unique vantage point Cybersecurity at Microsoft

Our unique vantage point

78 trillion
The depth and breadth of Microsoft’s Yet our understanding of the threat landscape is Finally, the impact of AI is notable throughout
presence in the digital ecosystem offers more than just data. It is informed by the expertise our vantage point. Security researchers and
of our employees: threat hunters are seeing AI transform the threat
a unique perspective that we share in
landscape. However, Microsoft’s recent investment security signals per day inform our insights
this report. ▪ Threat intelligence and geopolitical experts,
in AI technologies reflects confidence in the benefits
tracking cybercriminal and nation-state
these tools can provide, including a perspective that
Our expansive, global vantage point gives us insight threat actors.

34,000
exceeds human processing capacity.
into key trends in cybersecurity that affect everyone ▪ Security researchers, software architects, and
from individuals to nations. engineers, responding to new threats and adding Microsoft is proud of its commitment to
new security features for protection. cybersecurity and organizational resilience. As we
We process more than 78 trillion security signals per celebrate our 50th year, we have gained valuable
day, from billions of Windows endpoints, the cloud, ▪ Analysts, internal auditors, and risk specialists, full-time dedicated security engineers
insights from past challenges. We are keen to
and a broad spectrum of products and services. maintaining operational compliance within
share best practices that include maintaining and
From these signals we gain visibility into attack a complex system of cybersecurity and

15,000
enhancing the right security culture, addressing
activity, a unique understanding of emerging attack privacy regulations.
technical debt associated with a longstanding
techniques, and deeper insights about the overall ▪ Incident responders, who “run to the fire” in corporate history, and investing in a secure future.
threat landscape. support of customers.
This spectrum of security signals is further enhanced ▪ Security advisors, working with customers across partners with specialized security expertise
by the diversity of our customers and partners, the spectrum of cybersecurity.
including governments, enterprises large and small, ▪ Investigators, analysts, and legal teams who work
consumers, and gamers. globally to disrupt borderless criminal networks,
and align public policy objectives in support of
Microsoft’s commitment to supporting the cloud
digital international norms on cyberpeace.
across infrastructure, platform, application, and
multi-cloud scenarios complements the diversity of ▪ Microsoft executives, who are directly
a large ecosystem of partners and suppliers which accountable for (and have their compensation
geometrically expands the richness of the data we tied to) the achievement of these
use to understand the threat landscape. security objectives.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 6

About this report Introduction Our unique vantage point Cybersecurity at Microsoft

Our presence in the Society | Microsoft Stakeholders | Microsoft Customers

digital ecosystem
positions us to Microsoft’s unique vantage point
observe key trends
in cybersecurity. Microsoft serves billions of customers
globally, allowing us to aggregate security
Microsoft’s perspectives data from a broad and diverse spectrum of Microsoft’s cybersecurity approach
on cybersecurity companies, organizations, and consumers.
Microsoft security investments
An extra 13 trillion
are framed through security signals per day
▪ AI Red Teams ▪ Responsible AI

50 years of experience 2023: 65 trillion, 2024: 78 trillion

▪ Defending Democracy ▪ Security Engineering
▪ Detection and Response ▪ Security Operations
and insight. from the cloud, endpoints, software tools, ▪ Digital Crimes ▪ Threat Analysis Technical
and partner ecosystem, to understand
▪ Digital Safety ▪ Threat debt
and protect against digital threats and
▪ Incident Response Intelligence
criminal cyberactivity.
▪ National Security Nation-state AI as
1,500 unique threat ▪ Physical Security actors a threat
groups tracked ▪ Public Awareness
Microsoft Threat Intelligence now tracks more and Education Current and
—
than 1,500 unique threat groups—including
emerging threats
more than 600 nation-state threat actor 34,000 dedicated
groups, 300 cybercrime groups, 200 influence
security engineers Supply chain
operations groups, and hundreds of others. Cybercriminals
-
focused full-time on the largest and ecosystem
cybersecurity engineering project
in the history of digital technology. Conflicting regulatory
requirements
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 7

About this report Introduction Our unique vantage point Cybersecurity at Microsoft

Cybersecurity at Microsoft: the CISO’s perspective

This edition of the Microsoft Digital Defense Report Given ever-changing geopolitical conditions, the To protect Microsoft, our partners, and customers Every one of us at Microsoft shares a deep
comes to you at a time when the cybersecurity world will face many such attacks in the future, from future attacks, we dramatically grew our teams responsibility to do our part to keep the world safe
threat landscape has intensified for every and Microsoft must also adjust to face these dedicated to monitoring of and responding to and secure. As part of that commitment, we are
sector around the world. Microsoft, like many threats. We have taken major steps over the past threats. And we reassigned roughly 34,000 full-time collaborating closely with security experts, industry
organizations, has become a primary target, and year in fortifying assets across the company to equivalent engineers to security initiatives. This is an groups, and organizations like yours that face these
most notable is the dramatic increase in repeated, better prevent and defend against such threats. important sampling of the many steps we have taken threats every day. Please read on to learn more
sophisticated, and brazen attacks by cybercriminals The cornerstone of our work to protect Microsoft, since the beginning of this year—with much more about the evolving threat landscape and how we are
and nation-state attackers alike. our partners, and customers is the Secure Future work in progress. committed to making the world safer for everyone.
Initiative1 (SFI), which dedicates the entire company
In January 2024 I took on the role of Microsoft To increase the agility of Microsoft’s response to Igor Tsyganskiy
to putting security above all other considerations.
Chief Information Security Officer (CISO). this ever-changing threat environment, I instituted Chief Information Security Officer
Immediately thereafter, we discovered we were As Satya Nadella, Microsoft’s CEO, said in a an Office of the CISO and have hired a number
under a massive cyberattack by the threat actor company-wide announcement, “Security is a team of Deputy CISOs. Our Deputy CISOs work with
we refer to as Midnight Blizzard. The subsequent sport, and accelerating SFI isn’t just job number one our major product groups and programs to drive
days are some I remember vividly. Every available for our security teams—it’s everyone’s top priority greater depth and rigor in cybersecurity governance
resource across the company was utilized in our and our customers’ greatest need.” Everyone at across the entire company and to direct SFI at the
defense against this attack—a monumental effort Microsoft is committed to making our products and most pressing security risks. The Deputy CISOs take
that required speed, focus, and expertise. As I services secure by design, secure by default, and responsibility for risk ownership and accountability,
was directing our response, my priority became operationally secure. determining the needed security architecture,
defending Microsoft and scaling our agility to face and providing input to me on each business unit’s
Among the most significant mitigations and actions
future nation-state attacks. A large portion of our progress toward our SFI goals. Based on the ongoing
we have taken is a significantly expanded SFI to
third-party ecosystem was involved in this defense SFI work—and with input from the Deputy CISOs
improve our defense posture. We made phishing-
as well. —I provide regular updates on existing risk and SFI
resistant multifactor authentication (MFA) mandatory
performance to Microsoft’s Senior Leadership Team
across the company, and we increased the
and Board of Directors.
robustness of Microsoft’s corporate network.
Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 8

Chapter 1
Key developments 9

The evolving cyber Introduction

Threat actors and motivations

10

11
threat landscape Nation-state
- threats 12

Ransomware 27
How have trends and Fraud 31
tactics changed? Identity and social engineering 39

Distributed denial of service (DDoS) attacks 50

Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 9

Introduction -
Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

-
Blurred lines between nation-state The need to impose deterrent -
2.75x increase in human-operated
threat actor activity and cybercrime consequences for cyber -
ransomware-linked encounters
Key developments Nation-state threat actors are conducting
aggression By disabling or tampering with defenses,
operations for financial gain and enlisting The pace of nation-state sponsored attackers buy themselves time to install
The evolving cyber the aid of cybercriminals and commodity cyberattacks has escalated malicious tools, exfiltrate data for
threat landscape malware to collect intelligence. to the point that there is now
effectively constant combat in
espionage or extortion, and potentially
launch attacks like ransomware.
Find out more on p17.
As with any landscape, things change over cyberspace without any meaningful
Find out more on p27.
time. In the world of cybersecurity, however, consequences to the attacker.
the pace of change has been astounding. Find out more on p22.
Observations over the past year have
reaffirmed the convergence of nation-state Ingenuity and scalability of
and cybercriminal threat activity. Nation-- 600 million identity attacks fraud tactics surging globally
state threat actors used cybercrime as a The many faces of hybrid war per day Cyber fraud not only presents a theft
force multiplier, while financially motivated Threat actors serving Russia and Iran are risk, but it undermines the security,
As multifactor authentication blocks
cybercriminals pursued levels of defense leaning into cyber and influence operations trust, and reputation of individuals,
most password-based attacks, threat
evasion and technical complexity once elusive as tools to advance political and military businesses, and organizations of
actors are shifting their focus.
outside of nation-state operations. objectives in wartime. all sizes and types, in every region
Find out more on p39.
We have also seen rapid shifts in the tactics and industry.
Find out more on p18.
C
-
of hybrid war, wide-ranging attempts to
Find out more on p31.
interfere in democratic elections, and a surge
-
in ransomware attacks and cyber-enabled -
Nation-state influence operations
financial fraud across the globe. converge on elections
These trends underscore the ongoing By the end of 2024, 2 billion people
necessity to enhance and implement robust will have had the opportunity to vote B

deterrence and mitigation strategies to in nationwide elections. Russia, Iran,

counter these threats effectively. and China all engaged in election
influence efforts globally in 2024.
A
Find out more on p24.
 Microsoft Digital Defense Digital
Microsoft ReportDefense
2024 Overview TheOverview
Report 2023 evolving cyber threat
Nation landscape
state Centering our Fraud
threats Ransomware organizations
Identityon&security Early insights: AI’s impact on cybersecurity
Social engineering Appendix 10

Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Introduction: The evolving landscape of cybersecurity

As we reflect on this past year, it is more apparent As Microsoft continues to take steps to protect As we look to the future, the dawning of the age of
“As we look to the future, that the lines that once divided cybercrime, nation- ourselves and our customers through our Secure AI means cybersecurity professionals will encounter
state sponsored attacks, and influence operations Future Initiative, we encourage all organizations both new opportunities and new challenges.
the dawning of the age have continued to blur. Cybercrime has continued to commit to the foundational security principles Cybercriminal groups, nation-state threat actors, and
of AI means cybersecurity to mature as a robust and elaborate ecosystem, of secure by design, secure by default, and secure other adversaries are exploring AI technologies to
professionals will encounter with cybercriminal groups utilizing a full spectrum operations. By collectively working toward these understand whether and how to leverage them in
both new opportunities and of tools and techniques, including those learned, fundamental security concepts, defenders can the course of operations. We as defenders must also
borrowed, or stolen from nation-state actors. reduce the attack surface across the broader explore and test these AI technologies, not only to
new challenges.” While these cybercriminals are evolving their technology landscape. understand how they can be used by adversaries,
tooling and targeting to evade defenders, many of but how we can use them to strengthen our security,
At the same time, we have seen influence operations
their underlying techniques and behaviors remain protection, and response.
change and increase globally at an unprecedented
unchanged due to their continued effectiveness.
scale as nation-states seek to sway public perception Amy Hogan-Burney
Meanwhile, nation-state actors remain committed to
and sentiment, sow discord, and undermine trust Vice President and Deputy General Counsel
pursuing new levels of sophistication. This includes
in public institutions. In particular, governments Customer Security and Trust,
creating unique tooling, upskilling their capabilities,
have used geopolitical issues such as the Russia- Cybersecurity Policy & Protection Unit
and targeting major technology providers—like
Ukraine conflict and the Israel-Hamas war to spread
Microsoft—and enterprise supply chains. John Lambert
divisive and misleading messages. At a time when
Corporate Vice President, Security Fellow,
Defenders can proactively combat threats from the world is grappling with an overwhelming influx
Microsoft Threat Intelligence Center
both cybercriminal and nation-state actors by of information delivered through both formal
addressing them at the technique layer. This means and informal channels, the issue of combatting
implementing and enforcing policies and tooling, misinformation is becoming increasingly vital.
such as enhanced multifactor authentication (MFA)
and attack surface reduction rules. At the same
time, as the threat landscape evolves, securing
identities, hardening endpoints, and protecting the
cloud infrastructure has become more important
than ever.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 11

Introduction Nation-state
- threats Ransomware Fraud Identity and social engineering DDoS attacks

Threat actors and motivations

In this report, we discuss 30 different threat actors to provide examples of activity for a better understanding of attack targets, techniques, and motivations. Microsoft categorizes these actors
using a weather-related naming system. For example, “Flood” refers to actors who engage in influence operations. The actors included in this year’s report demonstrated significant activity and
effectiveness from July 2023 through June 2024. In the chart below, we map some of the motivations tracked over the past five years, to show how these actors often have multiple motivations
driving their operations. It’s important to note that the threat landscape is vast, and the threat actors and motivations detailed here represent only a small portion of those tracked by Microsoft.
KEY TO
MOTIVATIONS MAPPING
Nation-state actors Influence Operations Cryptocurrency theft C
Cyber operators acting on behalf of or directed Information campaigns or groups employing Cybercrime services CS
by a nation-state-aligned program, irrespective of communications online or offline in a manipulative
whether for espionage, financial gain, or retribution. fashion to shift perceptions, behaviors, or decisions Data destruction Dd

by target audiences to further a group or a nation’s Data theft for profit Dt

Russia China interests and objectives.

Disruption D

Election influence Ei

Aqua Blizzard E Flax Typhoon Dt E Ruza Flood Ei I Espionage E

Midnight Blizzard E Granite Typhoon Dt E Sefid Flood Ei E I Influence operations I

Seashell Dd D Ei Nylon Typhoon E Taizi Flood Ei I Ransomware/Extortion R

Blizzard E I R Raspberry Typhoon Dt E Volga Flood Ei I

Secret Blizzard E

Groups in development
A temporary designation given to unknown, emerging, or developing threat activity.
North Korea Iran Financially motivated This designation allows Microsoft to track a group as a discrete set of information until
Cyber campaigns or groups directed by a criminal we reach high confidence about the origin or identity of the actor behind the operation.
Citrine Sleet C Dt Cotton Dd Dt D organization or person with motivations of financial gain
Sandstorm and are not associated with high confidence to a known Storm–0501 Dt R Storm–1101 CS
Ei E I R
Jade Sleet C Dt
non-nation-state or commercial entity. Storm–0539 Dt Storm–1516 Ei I
Moonstone Mint
E R Ei E R
Sleet Sandstorm Storm–0593 E Storm–1575 D

Octo Tempest C Dt R Storm–0784 D R Storm–1679 I

Sapphire Sleet C Dt
Storm–0842 Dd D Ei I R Storm–2049 E

Storm–0867 CS

For more information on threat actor naming, please visit https://aka.ms/threatactors

 Microsoft Digital Defense Digital
Microsoft ReportDefense
2024 Overview TheOverview
Report 2023 evolving cyber threat
Nation landscape
state Centering our Fraud
threats Ransomware organizations
Identityon&security Early insights: AI’s impact on cybersecurity
Social engineering Appendix 12

Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Nation-state threats

Nation-state threat The United States is consistently among the

countries most impacted by the nation-state cyber Top 10 targeted sectors worldwide
The Education and Research sector
activity by the numbers threat activity that Microsoft observes, a reflection became the second most targeted
of the large US representation in our customer base by nation-state threat actors
This past year, nation-state affiliated threat actors and the role the United States plays in research and
once again demonstrated that cyber operations— In 2024, Education and Research became the
development and geopolitical events. Aside from 1 2 3 4 5 6 7 8 9 10
whether for espionage, destruction, or influence— second most targeted sector by nation-state
the United States and the United Kingdom—which
play a persistent supporting role in broader threat actors. Sector Percentage
was the fifth most targeted nation this year—most
geopolitical conflicts. In the wars in Europe and the of the nation-state affiliated cyber threat activity we In addition to offering intelligence such as
1 IT 24%
Middle East, Russia and Iran centered their threat observed was concentrated in sites of active military research and policy discussions, education and
activity on their main adversaries in those fights, conflict or heightened regional tension: Israel, research institutions are often used as testing 2 Education and Research 21%
Ukraine, and Israel, respectively. Meanwhile, Beijing’s Ukraine, the United Arab Emirates, and Taiwan. grounds by threat actors before they pursue 3 Government 12%
long-term focus on controlling Taiwan drove a high their actual targets. 4 Think tanks and NGOs 5%
level of targeting of Taiwan-based enterprises from
For example, QR code phishing, a technique 5 Transportation 5%
Chinese threat actors, who also penetrated the
now used widely to compromise user accounts
countries around the South China Sea to collect 6 Consumer Retail 5%
at scale and create an entry point for business
insights into military exercises and national policy.
email compromise (BEC) attacks discussed 7 Finance 5%
What follows is a snapshot of the activity by-the-
later in this chapter, became widely used in 8 Manufacturing 4%
numbers.
targeted attacks against this sector as early as
9 Communications 4%
August 2023.
1 0 All others 16%

Threat actors from Russia, China, Iran, and North Korea

pursued access to IT products and services, in part to
conduct supply chain attacks against government and
other sensitive organizations.
Source: Microsoft Threat Intelligence, nation-state notification data
 Observed
activity count

0
100
200
300
500
600

400
United States
Canada
Brazil
Peru

States
Argentina

Most targeted
United
& Caribbean
Colombia

Latin America
Mexico

North America,
Dominican Republic
Chile
Costa Rica
Israel
United Arab Emirates
Saudi Arabia
Türkiye

Israel
Iraq

Most targeted
North Africa

Jordan
Middle East &

Lebanon
Nation-state threat activity by the numbers continued
Microsoft Digital Defense Report 2024

Egypt
Iran
Regional sample of activity levels observed

Morocco
Kuwait
Bahrain
Overview

Qatar
Oman
Palestinian Authority
Syria
Ukraine
United Kingdom
Poland
Introduction

Germany
Europe &

France
Most targeted
Central Asia

Ukraine
Spain
Russia
Italy
Azerbaijan
Belgium
Netherlands
Switzerland
Albania
Norway
The evolving cyber threat landscape

Sweden
Nation-state threat actor targeting

Greece
Cyprus
Kazakhstan
Austria
Kyrgyzstan
Denmark
Nation-state threats Ransomware

Hungary
Georgia
Czechia
Portugal
Fraud

Romania
Ireland
Lithuania
Uzbekistan
Bulgaria
Luxembourg
Armenia
Serbia
Centering our organizations on security

Estonia
Latvia
Slovakia
Finland
Tajikistan
Turkmenistan
Moldova
Bosnia and Herzegovina
Identity and social engineering

Taiwan
South Korea
India
Hong Kong SAR
& Pacific
East Asia

China
Most targeted
South Asia,

Taiwan

Australia
Thailand
DDoS attacks

Japan
Singapore
Indonesia
Pakistan
Malaysia
Early insights: AI’s impact on cybersecurity

Philippines
Vietnam
Afghanistan
Nepal
Papua New Guinea
Mongolia
Appendix

New Zealand
Sri Lanka
Bangladesh
Myanmar
Cambodia
South Africa
Ethiopia
Africa

Angola
Kenya
Africa
South

Nigeria
Most targeted

Tanzania
Sub-Saharan

Mali
Namibia
Botswana
Source: Microsoft Threat Intelligence data
13
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 14

Nation-state threat activity by the numbers continued Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Russia China
Nation-state threat actor activity Nation-state threat actor activity

Targeting by region Most targeted sectors Targeting by region Most targeted sectors

1 2 3 4 56 1 2 3 4 5 67 10 1 2 3 4 5 1 2 3 4 5 67 10
7 89 67 89

Sector Percentage Sector Percentage Sector Percentage Sector Percentage

1 Europe & Central Asia 68% 1 Government 33% 1 East Asia & Pacific 39% 1 IT 24%
2 North America 20% 2 IT 15% 2 North America 33% 2 Education and Research 22%
3 Middle East & North Africa 5% 3 Think tanks and NGOs 15% 3 Europe & Central Asia 12% 3 Government 20%
4 East Asia & Pacific 3% 4 Education and Research 9% 4 Latin America & Caribbean 8% 4 Think tanks and NGOs 10%
5 Latin America & Caribbean 3% 5 Inter-governmental organization 4% 5 South Asia 4% 5 Manufacturing 4%
6 South Asia 1% 6 Defense Industry 4% 6 Middle East & North Africa 2% 6 Defense Industry 3%
7 Sub-Saharan Africa 1% 7 Transportation 3% 7 Sub-Saharan Africa 2% 7 Communications 3%
8 Energy 2% 8 Finance 3%
9 Media 2% 9 Transportation 2%
10 All others 13% 10 All others 9%

Approximately 75% of targets were in Ukraine or a NATO Russian actors focused their targeting against European Chinese threat actors’ targeting efforts remain similar Most Chinese threat activity is for intelligence collection
member state, as Moscow seeks to collect intelligence and North American government agencies and think to the last few years in terms of geographies targeted purposes and was especially prevalent in ASEAN
on the West’s policies on the war. Ukraine remains the tanks, likely for intelligence collection related to the war and intensity of targeting per location. While numerous countries around the South China Sea. Granite Typhoon
country most targeted by Russian actors. in Ukraine. Actors like Midnight Blizzard also targeted threat actors target the United States across a wide and Raspberry Typhoon were the most active in the
the IT sector, suggesting it was in part planning supply- variety of sectors, targeting in Taiwan is largely limited to region, while Nylon Typhoon continued to target
chain attacks to gain access to these companies’ client’s one threat actor, Flax Typhoon. government and foreign affairs entities globally.
networks for follow-on operations.

Source: Microsoft Threat Intelligence nation-state notification data

 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 15

Nation-state threat activity by the numbers continued Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Iran North Korea

Nation-state threat actor activity Nation-state threat actor activity

Targeting by region Most targeted sectors Targeting by region Most targeted sectors

1 2 3 4 56 1 2 3 4 5 6 789 10 1 2 3 4 56 1 2 3 4 5 6789 10
7 7

Sector Percentage Sector Percentage Sector Percentage Sector Percentage

1 Middle East & North Africa 53% 1 Education and Research 19% 1 North America 54% 1 IT 44%
2 North America 23% 2 IT 11% 2 East Asia & Pacific 18% 2 Education and Research 21%
3 Europe & Central Asia 12% 3 Government 7% 3 Europe & Central Asia 18% 3 Manufacturing 6%
4 South Asia 6% 4 Transportation 6% 4 Latin America & Caribbean 3% 4 Consumer Retail 5%
5 East Asia & Pacific 3% 5 Finance 4% 5 Middle East & North Africa 3% 5 Finance 5%
6 Latin America & Caribbean 2% 6 Communications 4% 6 South Asia 2% 6 Think tanks and NGOs 3%
7 Sub-Saharan Africa 1% 7 Energy 3% 7 Sub-Saharan Africa 2% 7 Communications 2%
8 Commercial Facilities 3% 8 Government 2%
9 Manufacturing 3% 9 Health 2%
10 All others 42% 10 All others 10%

Iran placed significant focus on Israel, especially after Iranian targeting focused on education, IT, and The United States remained the most heavily targeted North Korean threat actors targeted the IT sector the
the outbreak of the Israel-Hamas war. Iranian actors government as part of strategic intelligence collection. country by North Korean threat actors, but the United most, particularly to conduct increasingly sophisticated
continued to target the US and Gulf countries, Iranian actors often target the IT sector to gain access to Kingdom rose up the ranks this year to second place. software supply chain attacks. They also continued
including the UAE and Bahrain, in part because of their downstream customers, including those in government The “Other” category comprised 44 other countries to heavily target experts in the education sector for
normalization of ties with Israel and Tehran’s perception and the defense industrial base (DIB). “Other” includes targeted by North Korean threat actors. intelligence collection. The “Other” category comprised
that they are both enabling Israel’s war efforts. media and think tanks or NGOs, which Iran often targets seven other sectors.
to gain insights into dissidents, activists, and persons
who can impact policymaking.

Source: Microsoft Threat Intelligence nation-state notification data

 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 16

Nation-state threat activity by the numbers continued Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Cyber Point of View: Japan

Japan is surrounded by three nation states backing Since adopting this new strategy, the government
threat actors who conduct extensive cyberattacks: has been aggressive in bolstering its cybersecurity
Russia, China, and North Korea. posture to protect the government, businesses, and
civil society. Notable initiatives include:
In recent years, Japanese entities from large
organizations to small companies downstream ▪ Directing the JSDF to establish a new Cyber
in the supply chain, have experienced large- Command with 20,000 personnel by 2027.
scale cyberattacks. Against this backdrop, its ▪ Elevating the Cabinet’s cybersecurity center
government revised its National Security Strategy2 (NISC) into a new government agency with more
in December 2022 to identify cybersecurity as a legal and regulatory authority on cybersecurity.
national security matter for the first time. The new
National Security Strategy also introduced Active Additionally, to strengthen the security of IT systems
Cyber Defense (ACD), a government initiative to and supply chain management, the government
preemptively counter significant cyberattack risks began operating an advanced certification system
that could raise national security concerns. for cloud (ISMAP)4 in 2022 for services and other
items to be employed in government information
Japan’s new Defense Whitepaper outlines systems. ISMAP is expected to expand its scope to
its cybersecurity measures the systems of critical infrastructure operators in
The 2024 edition of Japan’s Defense Whitepaper3 the future.
outlines comprehensive new measures to enhance
the cybersecurity of The Japan Self-Defense Forces
(SDF), including the development of the newly
established Cyber Command, the migration of the
JSDF’s IT systems to the cloud, the implementation
of advanced security architecture, and improved
cybersecurity for Japan’s defense industry.
The document also stresses the importance
of international cooperation with like-minded
countries and companies.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 17

Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Blurring lines between North Korean threat actors have long straddled
this blurry line, conducting financially motivated
Beyond North Korea, Microsoft observed Iranian
nation-state threat actors seeking financial gain from
Between June-July 2023, Microsoft observed Federal
Security Service (FSB)-attributed Aqua Blizzard
nation-state threat actors operations to secure funding for state coffers some of their offensive cyber operations. This marks appear to “hand-off” access to 34 compromised
and priority initiatives. The UN estimates North a change from previous behavior, whereby Ukrainian devices to the cybercriminal group
and cybercriminals Korean hackers have stolen over $3 billion US in ransomware attacks that were designed to appear Storm-0593 (also known as Invisimole). The hand-off
cryptocurrency since 2017, with heists totaling financially motivated were actually destructive occurred when Aqua Blizzard invoked a Powershell
This year, state-affiliated threat actors increasingly
between $600 million and $1 billion US in 2023 attacks.7 For example, a cyber-enabled influence script that downloaded software from a Storm-
used criminal tools and tactics—and even criminals
alone.5 These stolen funds reportedly finance over operation run by an Islamic Revolutionary Guard 0593-controlled server. Storm-0593 then established
themselves—to advance their interests, blurring the
half of North Korea’s nuclear and missile programs.6 Corps (IRGC) group we track as Cotton Sandstorm command and control infrastructure and deployed
lines between nation-state backed malign activity
(also known as Emennet Pasargad) marketed stolen Cobalt Strike beacons on most of the devices for
and cybercriminal activity. Since 2023, Microsoft has identified three major
Israeli dating website data through two of its cyber follow-on activity. This beacon was configured
North Korean threat groups—Jade Sleet, Sapphire
Microsoft observed nation-state threat actors personas between September 2023 and February with the domain dashcloudew.uk, which Microsoft
Sleet, and Citrine Sleet—that have been particularly
conduct operations for financial gain, enlist 2024. The personas also offered to remove specific assesses Storm-0593 registered and used in a
active in targeting cryptocurrency organizations.
cybercriminals to collect intelligence on the individual profiles from their data repository for previous spear-phishing campaign against Ukrainian
Moreover, North Korea may also be getting into the
Ukrainian military, and make use of the same a fee. military machines last year, suggesting a pattern
ransomware game. Moonstone Sleet, a new North
infostealers, command and control frameworks, and by Storm-0593 of supporting state intelligence
Korean actor identified in May 2024, developed Meanwhile, Russian threat actors have integrated
other tools favored by the cybercriminal community. collection objectives.
a custom ransomware variant called FakePenny evermore commodity malware in their
which it deployed at organizations in aerospace and operations and appear to have outsourced some
defense after exfiltrating data from the impacted cyberespionage operations to criminal groups.
networks. This behavior suggests the actor had In June 2024, Storm-2049 (UAC-0184) used Xworm
objectives for both intelligence gathering and and Remcos RAT--commodity malware associated
monetization of its access. with criminal activity--to compromise at least 50
Ukrainian military devices. There was no obvious
cybercriminal use for this compromise, suggesting
the group was operating in support of Russian
government objectives.

$3 billion
in cryptocurrency stolen by North Korean
hackers since 2017
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 18

Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

The many faces Iran’s most targeted countries prior to Iran’s most targeted countries after the start of
of hybrid war the Israel-Hamas conflict (July–October 2023) the Israel-Hamas conflict (October 2023–June 2024)

The ongoing conflicts in Ukraine and the Middle United All others 27% United Arab Israel All others 29% United

50%
East illustrate how some countries are using both States 35% Emirates 20% States 10%
cyber approaches and influence campaigns to
further their goals. These activities extend beyond
the geographical boundaries of the conflict
zones, demonstrating the globalized nature of
hybrid warfare. United
Israel India 8% Arab Emirates

10%
How Iran is using cyber-enabled influence 8%
operations to degrade Israel
Following the outbreak of the Israel-Hamas
war, Iran surged its cyber, influence, and cyber- India 3%
enabled influence operations against Israel.
From October 7, 2023, to July 2024, nearly half of
the Iranian operations Microsoft observed targeted Following the outbreak of the Israel-Hamas war, Iranian threat actors surged their targeting of Israel.
Israeli companies. Source: Microsoft Threat Intelligence nation-state notification data

Iranian groups also expanded their cyber-enabled

influence operations beyond Israel, with a focus on Microsoft Threat Intelligence assesses that an IRGC Throughout the conflict, Iranian threat actors have The former impersonated Israeli activists critical
undermining international political, military, and unit known as Shahid Kaveh Group, which we track used cyber personas to broadcast and amplify of Israeli Prime Minister Benjamin Netanyahu’s
economic support for Israel’s military operations. as Storm-0784, was responsible for defacing a water their destructive attacks against Israeli enterprises, handling of the hostage situation while the
controller in Pennsylvania under the guise of a cyber trying to project power and aggrandize the impact latter tried to convince Arab-Israelis to violently
In November 2023, IRGC groups ran cyber-enabled persona called “CyberAv3ngers,” leaving a message of their cyber operations. Within two days of oppose Israeli authorities and protest in support
influence operations targeting US water controllers that Israeli-made systems are legal targets. Hamas’ attack on Israel, Iran stood up several new of Gazans. Microsoft Threat Intelligence assesses
made in Israel and Bahrain in retaliation for Bahrain’s influence operations. The influence actor Sefid Flood that Storm-0842, an Iranian Ministry of Intelligence
normalizing of ties with Israel.8 launched the online personas “Tears of War” and and Security (MOIS) unit, launched another cyber
“Hamsa1948.” persona, “KarMa,” the day after the war broke out,9
posing as Israelis seeking to remove Netanyahu
from office.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 19

The many faces of hybrid war continued Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Iranian threat actors also began impersonating 1. USB-delivered worms: Aqua Blizzard—a Russian 2. Amadey Bot and torrents: FSB-affiliated Secret
partners after the war started. Microsoft assesses Federal Security Service (FSB)-affiliated actor Blizzard and GRU-affiliated Seashell Blizzard gain Midnight Blizzard’s
Cotton Sandstorm used the name and logo of that has targeted Ukraine-based entities since access to as many devices as possible before most targeted sectors
Hamas’s military wing, the al-Qassam Brigades, 2013— accessed 500-750 Ukraine-based devices pursuing devices of interest. Secret Blizzard
to spread false messaging about the hostages daily through the USB-delivery of a Windows has done this by commandeering third-party 1
in Gaza and send Israelis threatening messages. ShortCut file and a heavily obfuscated Powershell infections, like the multipurpose Amadey bots,10
Another Telegram channel that we assess was run or VBScript. The scripts establish command and to download a custom reconnaissance tool that
by the Iranian Ministry of Intelligence and Security control that facilitates theft of specified file types. helps operators decide whether to deploy their 6
5
(MOIS), which also used the al-Qassam Brigades Since wormable malware and malicious USBs first-stage backdoor. Seashell Blizzard offers
logo and threatened Israeli military personnel are hard to contain and can traverse to devices malicious, pirated versions of Microsoft software
and leaked their personal data. It remains unclear outside the scope of Aqua Blizzard’s operations, on torrents, often promoting them on Ukrainian
4
whether Iran acted with Hamas’s consent. there is increased risk that USBs and malware will file sharing websites to gain initial footholds
make their way onto networks outside of Ukraine in networks. 2
Russia’s wide-reaching tactics for spying and onto partner military systems.
on Ukraine’s military and its allies Midnight Blizzard threatens IT supply chain 3
Russian threat actors have focused on accessing and Russian threat actors are casting wide nets to
Daily count of Aqua Blizzard
stealing intelligence from Ukrainian warfighters and gain insights into Western organizations involved
malware detections
the international partners that supply them weapons. in policy, military, and humanitarian support to
The techniques employed have the potential 800 Ukraine. Midnight Blizzard attempted to gain access
Count of devices with detections

to cause unintended damage by posing risk to to IT firms in part for widespread, indiscriminate 1 IT & Communications (31%) 4 Inter-governmental
organization (7%)
computer networks globally. 600 access to systems. Historically, this actor exploits
the IT software and services supply chains to target 2 Government (29%) 5 Transportation (3%)
Since June 2023, threat actors associated with
400 downstream customers in government and other 3 Think tanks/NGOs (11%) 6 All others (19%)
Russian military intelligence (GRU) and the FSB
policy organizations in North America and Europe.11
have used at least two undisciplined approaches
to gain access to Ukrainian military and military- 200 Microsoft has been transparent about Midnight
adjacent devices: Blizzard’s efforts against our networks, and we were
0 not the only IT sector targets. Midnight Blizzard’s
Jun 24

Jun 25

Jun 26

Jun 27

Jun 28

Jun 29

Jun 30

Jul 01
history of supply chain compromises and
continued pursuit of IT organizations suggests
widespread compromise remains a major risk to
providers worldwide.
Source: Microsoft Threat Intelligence Source: Microsoft Threat Intelligence
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 20

The many faces of hybrid war continued Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Operational technology (OT) systems are

at risk in hybrid warfare Distribution of internet-exposed Unitronics controllers communicating over PCOM protocol as of June 2024
Critical infrastructure is a key target of physical
strikes and cyberattacks in modern hybrid conflicts.
Since late 2023, Microsoft has observed an increase
in reports of attacks on internet-exposed, poorly
secured OT devices that control real-world critical
processes. As discussed in greater detail in previous
editions of this report, this is particularly concerning
given these systems often have inadequate security
practices, including being left unpatched, using
default passwords, or even no passwords at all.
Internet-exposed OT equipment in water and
wastewater systems (WWS) in the United States
were targeted in multiple attacks from October
2023 through June 2024 by different nation-backed
actors, including IRGC-affiliated CyberAv3ngers
(tracked at Microsoft as Storm-0784) and pro-
Russian hacktivists.12 CyberAv3ngers and the pro-
Russia Cyber Army of Russia group, conduct, claim,
or amplify attacks likely intended to intimidate
targeted nations into capitulating or ceasing support
for Israel and Ukraine, respectively.

Links
Onyx Sleet uses array of malware to gather
intelligence for North Korea | Jul 2024
Exploitation of Unitronics PLCs used in Water Programmable logic controllers are human-machine interfaces that automate and control physical processes and can be found in many industrial environments.
and Wastewater Systems | CISA | Nov 2023 As these devices are used in industrial environments and critical infrastructure, their current level of exposure leaves many critical infrastructure processes open to attack.
Source: Microsoft Defender Attack Surface Management, Microsoft Threat Intelligence
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 21

The many faces of hybrid war continued Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Chinese threat actors target military

Chinese cyber threat activity in and around the South China Sea and IT entities in the South China Sea
China-based cyber actors Raspberry Typhoon, Flax
Typhoon, and Granite Typhoon have intensively
Most
targeted entities associated with IT, military, and
targeted
government interests around the South China Sea.

Nepal Hong Kong SAR The activity has particularly targeted countries within
Taiwan the Association of Southeast Asian Nations (ASEAN).
Raspberry Typhoon has been extremely active,
successfully infiltrating military and executive entities
India
in Indonesia and Malaysian maritime systems in the
Thailand
lead-up to a rare naval exercise involving Indonesia,
China, and the United States in June 2023. Similarly,
Flax Typhoon focused on entities linked to joint US-
Philippines military exercises. Since August 2023, Flax
Vietnam Typhoon has expanded its targets to include IT and
Philippines
government organizations in the Philippines, Hong
Cambodia Least Kong, India, and the United States.
targeted
Malaysia Since July 2023, Granite Typhoon has compromised
telecommunication networks in Indonesia, Malaysia,
the Philippines, Cambodia, and Taiwan. This group’s
activities highlight a sustained pattern of strategic
cyber engagements by Chinese state-affiliated actors
aimed at gathering intelligence and potentially
disrupting military activities in strategically important
areas like the South China Sea.

Indonesia
Source: Microsoft Threat Intelligence nation-state notification data
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 22

Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Deterring the most I. Strengthen international norms and

diplomacy. Deterrence requires clear
▪ Uniformity: A single agency should handle public
attribution statements with a standard format
▪ Collective countermeasures: Governments
should embrace as lawful collective
advanced threats expectations around acceptable and detailing the incident, responsible parties, impact, countermeasures, multiple states imposing
unacceptable behavior. To that end, Microsoft evidence, rule violations, consequences, and any countermeasures in response to illegal cyber
As highlighted throughout this report, cyberattacks encourages governments to embrace: preventive measures. operations targeting any one of them.
are on the rise and the pace of nation-state
▪ New norms: The United Nations (UN) and other ▪ Contextualization: Public attributions should ▪ Clarify red lines: In line with the UN Charter’s
sponsored attacks has escalated to the point there is
forums should recognize cloud services and the also include any broader insights into the prohibition on “threat or use of force”, it should
now effectively constant combat in cyberspace.
information and communications technology threat actor’s activities to support more be explicitly stated that state-sponsored cyber
With more than 600 million attacks per day (ICT) supply chain as critical infrastructure that is comprehensive accountability. intrusions that could be used to damage or
targeting Microsoft customers alone, there must be off-limits to targeting. Moreover, states should be ▪ Collaboration: Coalition attributions by multiple interrupt critical civilian services constitute an
countervailing pressure to reduce the overall number expected to fulfill their due diligence obligations governments help substantiate and build unlawful threat of force and allow for more
of attacks online. Deterring this malign activity to address malicious activity originating from confidence in findings. Governments should significant consequences in response.
will require a robust combination of technological within their territories. also partner with the tech industry for further A more robust deterrent framework will help to
and geopolitical solutions. This deterrence can validation and with civil society groups to provide
▪ Multistakeholder inclusion: States should promote stability, protect critical infrastructure,
be achieved in two ways – by denial of intrusions further context around impact and harms
embrace more inclusive diplomatic processes that and avoid some of the most harmful cyberattacks.
or imposing consequences. While companies like of cyberattacks.
ensure participation of critical non-governmental To support this, governments should deepen
Microsoft can help “deny” successful cyberattacks
stakeholders in discussions on peace and security III. Impose deterrent consequences. The escalating partnerships across stakeholder groups to identify
via innovation and further improvements in
online, including leading voices from the tech volume of nation-state sponsored cyberattacks the essential critical infrastructure. Given the growing
cybersecurity, enforcing international rules with
industry and civil society. necessitates more decisive governmental significance of this technology, this should also
deterrent consequences must fall on governments.
▪ Bilateral agreements: In addition to working action that stems the growth. Possible response include essential AI infrastructure and the intellectual
Microsoft therefore urges governments to consider through multilateral forums, governments should strategies include: property behind the development of new AI models
the following actions to improve adherence to explore potential bilateral agreements as a that might otherwise be attractive targets for
international law and online norms by strengthening ▪ Enhanced countermeasures: Beyond public rival governments.
means to set expectations and curb dangerous
digital diplomacy, sharpening public attributions, attribution, states conducting illegal cyber
cyber operations.
and imposing meaningful consequences for activities should expect firm countermeasures in
II. Sharpen government attributions of malicious response, this includes targeted sanctions among
cyber aggression.
activity. Public attribution contributes to deterrence other options.
by calling out internationally unacceptable behavior
and serving as a necessary precursor for imposing
further consequences. The following are ways in
which governments might strengthen the impact
of public attribution statements:
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 23

Deterring the most advanced threats continued Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Cyber Point of View: Australia

The power of public/private partnerships Joint engineering between Microsoft and ASD also
produced a world-first free-to-download connector
In October 2023, Microsoft and the Australian
for Microsoft Sentinel customers to participate in
Signals Directorate (ASD) announced the
the ASD’s country-level Cyber Threat Intelligence
Microsoft-ASD Cyber Shield (MACS) initiative.
Sharing (CTIS) platform. This lowered the barrier to
This unique public-private partnership was created
entry for Sentinel customers participating in CTIS
to enhance cybersecurity collaboration between
and strengthened the platform by enabling more
the two organizations to protect the Australian
organizations to participate, increasing the cyber
Government, businesses, and citizens.
resiliency of the country.
The MACS partnership shows how closer public
and private sector collaboration can act as a
force multiplier in the fight against cybercrime Links
and aggression. In January 2024 for example, the Microsoft announces A$5 billion investment to
Australian Government announced it had identified help Australia seize the AI era | Oct 2023
and issued sanctions against the perpetrators
of a 2022 ransomware attack against Medibank, Working with the Australian Signals Directorate
Australia’s largest medical insurance company to hunt threat actors | Jan 2024
using evidence provided by the Microsoft Threat Microsoft, ASD Join Forces: Uniting Sentinel
Intelligence Center (MSTIC). and CTIS for Enhanced Resilience | Mar 2024
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 24

Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Election interference Continuing its well-known influence efforts in

democratic processes, Russian influence actors
Russia, Iran, and China influence efforts converge
on US election
In mid-June, Mint Sandstorm sent a spear-phishing
email to a high-ranking official of a presidential
The goal of some nation-state-backed threat actor deployed a spectrum of covert and semi-covert Russian influence actors launched operations campaign from a compromised email account of
groups is to influence and undermine the results of operations aimed at undermining trust in democratic aimed at the 2024 presidential election at a a former senior advisor. Days earlier, the same
democratic elections. These efforts to manipulate institutions across Europe and in the United States, slower pace than in previous election cycles. actor, which we assess is connected to the IRGC
electoral outcomes underscore the need for with the goal of eroding support for Ukraine. Nevertheless, Russian influence actors Ruza Flood intelligence unit, also unsuccessfully targeted an
continued vigilance and collaboration, enhanced (aka Doppelganger), Volga Flood, and Storm-1516 account of a former presidential candidate.
Iran and China, meanwhile, escalated their influence
defensive measures, and content authenticity capabilities and objectives throughout 2024. demonstrated the ability to create dynamic and Iran also likely ran a network of websites
indicators such as content provenance.13 Defending Iranian influence actors increasingly tried to influence creative content aimed at American audiences. masquerading as news outlets that actively engaged
elections against influence campaigns—as well as elections in the Middle East and in the US, to include Ruza Flood’s US election-themed websites, using US voter groups on opposing ends of the political
opportunistic cybercriminal efforts—demands a Israel’s February 2024 municipal elections and the names like “50 States of Lies” and “Election Watch”, spectrum with polarizing messaging on issues such
collective commitment from industry, media, and US 2024 presidential election. Cyber personas run spread anti-Ukraine, anti-US propaganda across as the US presidential candidates, LGBTQ rights,
governments alike. by Iranian influence actors sought to highlight social media platforms. Meanwhile, videos by and the Israel-Hamas conflict. Microsoft found
vulnerabilities in Israel’s government and elections Russian influence actor Storm-1516, such as a staged evidence indicating the sites are using AI-enabled
Nation-state threat actors and elections
infrastructure as well as Prime Minister Netanyahu’s video depicting the burning of an effigy of Donald services to plagiarize content from US publications.
By the end of 2024, approximately two billion people failure to secure voting during the election to elicit Examination of source code and indicators in the
Trump, received coverage from several major
will have had the opportunity to vote in nationwide a sense of insecurity among Israelis. Weakness and articles suggest the sites’ operators are using search
international media outlets.14 Russia also continued
elections. The widespread accessibility of generative vulnerability are common themes of Iranian engine optimization (SEO) plugins and generative
to leverage agents-of-influence—for example,
AI tools coupled with significant geopolitical events influence operations, and Iran will likely continue to AI-based tools to create article titles and keywords
resurrecting Russian agent Andrei Derkach’s NABU
has created a ripe environment for nation-state use them in upcoming elections. and to automatically rephrase stolen content in a
Leaks campaign, which was sanctioned by the US in
influence operations aimed at high-stakes contests. way that drives traffic to their sites while obfuscating
2021 for malign influence in the 2020 election.
Russia, Iran, and China all engaged in election the content’s original source.
influence efforts in 2024, with Russia implementing In May of 2024, Iran began preparations for influence
the most wide-reaching, persistent campaigns and operations ahead of the US elections in two ways: Meanwhile, China’s use of covert social media
Iran coming into the cycle later. conducting cyber intrusions into political accounts networks to sow discord ahead of the presidential
potentially for hack-and-leaks and launching a election suggests the Chinese Communist Party
stream of polarizing content on covert news sites. (CCP) was emboldened by its 2022 midterm
elections influence campaign, the first time it was
observed attempting to interfere in a US election.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 25

Election interference continued Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

In late April, CCP-linked influence actor Taizi Flood

(previously Storm-1376 and commonly referred to Election-related influence operations timeline
Links
as “Spamouflage”) launched an influence campaign China (December 22, 2023) Combatting the deceptive use of AI in elections
leveraging the surge of Israel-Palestine-related PRC-linked influence actor Taizi Flood uses AI-generated audio files to allege then Taiwanese
(microsoft.com)
protests on US college campuses. Some of Taizi Democratic Progressive Party presidential candidate was an informant in the 1980s. Presidential
Flood’s personas on Telegram implied that they elections Iran Targeting 2024 US Election - Microsoft On
China (January 13, 2024)
themselves were students or parents of students Taiwan the Issues | Aug 2024
Taizi Flood promotes faked AI-generated audio recording of former presidential candidate
involved in the protests, and injected left-leaning Jan 2024
and Foxconn founder Terry Gou endorsing then Taiwanese Nationalist Party presidential Russian US election targets support
Russian support for
for Ukraine
Ukraine
messages into right-wing groups. They likely did so candidate Hou Yu-ih.16 after slow start | Apr 2024
to sow conflict about the protests, or perhaps they
misunderstood which audiences would be most Russia (February 23, 2024) Expanding our Content Integrity tools |
receptive to their message. Russia-affiliated actor Ruza Flood registers a series of US election-themed news websites. Microsoft On the Issues | Apr 2024
The websites are amplified over social media by inauthentic accounts using website redirect
The convergence and parallel nature of nation-state networks to mask the actors’ infrastructure and likely use AI tools to generate content.17 Content Credentials
operations throughout 2024 underscores just how Microsoft’s efforts to enhance the security of
Russia (April 19, 2024)
persistent adversarial states are in their attempts Indian elections | Jun 2024
Russia-affiliated influence actor Storm-1516 produces fake video that attempts to frame
to exert influence over US elections and outcomes. Ukraine for interference in the 2024 US presidential election.18
Left unchecked, this poses a critical challenge to US Addressing the deepfake challenge ahead of
national security and democratic resilience. China (May 2024) Presidential the European elections | May 2024
Sophisticated PRC-linked sockpuppet accounts position on new social media platforms elections
to spread divisive messaging, particularly surrounding protests on US college campuses US
ahead of the US presidential election.19 Nov 2024

Iran (June 15, 2024)

Iran sends spear phish to presidential campaign, likely in preparation stage for influence
operations targeting the US elections. (Source: Microsoft data)

China (July 2024) TBC

July 10: Deceptively edited short-form video from PRC-linked sockpuppet account
masquerading as US conservative voter reaches 1.5 million views.20
July 13: PRC state media foment speculation of “deep state involvement” in Trump
attempted assassination.21

On the right are key elections the influence actors were likely seeking to influence.
The flags represent the nation-state affiliation of observed influence actors.
Source: Microsoft Threat Analysis Center
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 26

Election interference continued Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Elections create another opportunity Threat actors use these malicious domains to Using data from previous attacks, the Microsoft
for impersonation threats deceive victims, often in combination with credential Digital Crimes Unit has set up monitoring for Actionable Insights
phishing and account compromise. domains related to elections around the world in
Microsoft observed a surge in election-related
an effort to detect impersonations. Our objective
1 The US Cybersecurity and Infrastructure
homoglyph domains delivering phishing and During an election cycle, there is significant focus
is to ensure Microsoft is not hosting malicious Security Agency (CISA) and Federal
malware payloads. We believe these domains on domain infrastructure to host campaign content
infrastructure and inform customers who might be Bureau of Investigation (FBI) recommend
are examples of cybercriminal activity driven by and mail domains to communicate with supporters
victims of such impersonation threats. At present, that all election offices adopt a .gov
profit and reconnaissance by nation-state threat and voters. This increase in domains creates
we are monitoring over 10,000 homoglyph domains. domain to help mitigate impersonation
actors in pursuit of their own political objectives. opportunities for cybercriminals and nation-state and cybersecurity risks. This is because
Homoglyph domains are fraudulent domains that actors, who may use impersonation for political or We note, however, that homoglyph domains are .gov domains are only available to US-
exploit the similarities of alphanumeric characters criminal reasons. often registered by legitimate companies—either based government organizations and
to create deceptive domains to impersonate defensively (to prevent abuse) or for profit with the publicly controlled entities, which helps
legitimate organizations. goal of eventually selling the domain. the public recognize official government
sites and emails and avoid phishing
Target domain Homoglyph domain Technique Payload delivered Examples of homoglyph techniques attempts and websites that impersonate
Original Replacement government officials.
crd.org crd.com org to com Phish
crd.org crd.com org to com Malware w vv 2 Use defensive registrations of obvious
gop.com qop.com domain q for g Phish 0 o homoglyphs of your organization’s
gop.com gops.com domain with s Phish .org .info domains to prevent them being used in
gop.com go.com drop terminating letter Phish .org .com a cyberattack.
rnc.org rnc.com org to com Phish .gov .org
rnc.org rnc.com org to com Malware .com .org
dnc.org dnc.com org to com Phish .uk .co.uk
dnc.org dn.org drop terminating letter Phish .com .cam
dccc.org dccc.com org to com Phish m rn
nrcc.org nrcc.com org to com Phish g q
sjrsa.com sjrs.com drop terminating letter Phish l ll
myngp.com myng.com drop terminating letter Phish I ii
ngpweb.com ngpwe.com drop terminating letter Phish I ii
wawd.com waw.com drop terminating letter Phish I ll
wawd.com waw.com drop terminating letter Malware Domain Add or remove an “s” at
Source: Microsoft Threat Intelligence address structure the end of a string
 Microsoft Digital Defense Digital
Microsoft ReportDefense
2024 Overview TheOverview
Report 2023 evolving cyber threat
Nation landscape
state Centering our Fraud
threats Ransomware organizations
Identityon&security Early insights: AI’s impact on cybersecurity
Social engineering Appendix 27

Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Ransomware

Landscape and trends Top human-operated ransomware groups Organizations with ransom-linked encounters continues to increase while
the percentage of those ransomed is decreasing (July 2022–June 2024)
Ransomware remains one of the most serious
cybersecurity concerns. And for valid reasons. 6000 100%

Among our customers, Microsoft observed a 5000

80%
1 2 3 4 5
2.75x increase year over year in human-operated 4000
60%
ransomware-linked encounters (defined as having at Sector Percentage 3000
least one device targeted for a ransomware attack in 40%
a network). 1 Akira 17% 2000
2 Lockbit 15% 20%
Meanwhile, the percentage of attacks reaching 1000
actual encryption phase has decreased over the past 3 Play 7% 0 0%
two years by threefold. Automatic attack disruption
4 Blackcat 6%

Mar 23

Mar 24

May 24
Jul 22

Aug 22

Sept 22

Oct 22

Nov 22

Dec 22

Jan 23

Feb 23

Apr 23

May 23

Jun 23

Jul 23

Aug 23

Sep 23

Oct 23

Nov 23

Dec 23

Jan 24

Feb 24

Apr 24

Jun 24
contributed to this positive trend in decreasing
successful attacks. In more than 90% of cases where 5 Basta 6%
attacks progressed to ransom stage, the attacker
The top five ransomware families accounted 1 Number of organizations with ransomware-linked encounters 2 Percentage of organizations ransomed
had leveraged unmanaged devices in the network,
for 51% of attacks. These families continue to use
either to gain initial access or to remotely encrypt longstanding techniques, showing their effectiveness Although organizations with ransom-linked encounters continues to increase, the percentage that are ultimately
assets at the impact stage. even against rising cybersecurity awareness globally. ransomed (reaching encryption stage) decreased more than threefold over the past two years.
Source: Microsoft Defender for Endpoint Source: Microsoft Defender for Endpoint

3x
The most prevalent initial access techniques continue (CVE) with Common Vulnerability Scoring System We observed remote encryption in 70% of successful
to be social engineering—specifically email phishing, (CVSS) scores above 8. Once the attacker is in the attacks, with 92% originating from unmanaged
SMS phishing, and voice phishing—identity network, they tamper with security products or devices in the network, underscoring the need for
compromise, and exploiting vulnerabilities in public install remote monitoring and management tools organizations to enroll devices into management, or
threefold decrease in ransom facing applications or unpatched operating systems. (RMMs) to disable or evade detections and persist in exclude unmanaged devices from the network.
attacks reaching encryption Attackers continue to take advantage of newly the network.
stage over the past two years identified common vulnerabilities and exposures
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 28

Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

How cybercriminals are Actionable Insights

tampering with security 1 Some endpoint detection and response
products (EDR) solutions provide tamper protection
features that can help prevent attackers
After compromising an organization, threat from disabling security settings.
actors usually begin by tampering with its
2 Organizations can configure the Disable
security solutions.
Local Admin Merge setting to limit the
By disabling or tampering with defenses, attackers ability to make local administration changes
buy themselves time to install malicious tools, antivirus policy settings.
exfiltrate data for espionage or extortion, and
3 Alerts that detect tampering tools and
potentially launch attacks like ransomware.
activity might precede the delivery of
Microsoft consistently observes a prolific number additional malware or the launch of
of attacks involving antivirus tampering. In May malicious commands and should respond
2024, Microsoft Defender XDR detected over After gaining a foothold in a network, attackers accordingly. As a result, these notifications
176,000 incidents involving tampering with security In May 2024, we detected conduct reconnaissance to determine security tools should be actioned immediately.
settings, impacting more than 5,600 organizations. in place or they might test security measures by
On average, during that time frame, organizations
over 176,000 incidents dropping tools or payloads like commodity malware.
that encountered tampering activity saw over involving tampering If detected and blocked, actors may instead
Links
31 attempts. with security settings. tamper with the security products they encounter.
Attackers generally seek to gain access to privileged Protect security settings with tamper
accounts within a compromised environment so they protection | Microsoft Learn | May 2024
can use elevated privileges to configure any policy Configure local overrides for Microsoft
settings, including security setting modification. Defender Antivirus | Microsoft Learn | Jul 2024
Microsoft has observed various techniques to
disable or otherwise tamper with security policies,
including Windows Registry modifications; malicious
tooling such as NSudo (Defeat Defender), Defender
Control, Configure Defender, and ToggleDefender;
custom malicious PowerShell or batch scripts and
commands; and driver tampering.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 29

Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Octo Tempest: a case study Tactics, techniques, and procedures used by Octo Tempest
and a cautionary tale
A notable development in the evolution of
ransomware attacks since last year’s report is Initial access Discovery Credential Defense Persistence Actions
the increase in hybrid attacks targeting both on- Social engineering Enumerating internal
access, lateral evasion, Installing a
on objective
premises and cloud assets. documentation movement execution trusted backdoor Staging and exfiltrating
Masquerading and
impersonation Continuing environmental Identifying high-value Leveraging EDR and Manipulating stolen data
At a time when sophisticated threat actors are reconnaissance existing accounts
assets management tooling Deploying BlackCat
continuing to add new tactics, techniques, and ransomware
Accessing enterprise Circumventing Conditional Establishing access
procedures (TTPs) to their already wide-ranging environments via VPN Access to resources
playbooks, the threat actor Octo Tempest (aka
Collecting additional
Scattered Spider) offers a good example of this credentials
evolution and growth.
Octo Tempest is a financially motivated cybercriminal
group known for wide-ranging campaigns
that feature adversary-in-the-middle (AiTM) Octo Tempest leverages a diverse array of TTPs to navigate complex hybrid environments, exfiltrate sensitive data, and encrypt data and leverage tradecraft that many organizations
techniques, social engineering, and SIM swapping don’t have in their typical threat models, such as SMS phishing, SIM swapping, and advanced social engineering techniques.
capabilities. First observed in 2022, it targeted Source: Microsoft Threat Intelligence

mobile telecommunications and business process

outsourcing organizations to initiate phone number Octo Tempest uses extensive social engineering Octo Tempest uses its initial access to carry out The group uses device management technologies
ports (SIM swaps). By mid-2023, Octo Tempest had techniques, including researching an organization to broad searches across the network to identify to push additional malicious tooling, disable/evade
become an affiliate of ALPHV/BlackCat, a human- identify targets and then impersonating employees documents related to network architecture and security products, or create new virtual machines
operated ransomware-as-a-service operation, and or members on phone calls to trick technical other sensitive intelligence, then explores the inside the organization’s cloud. In addition to asset
began deploying ALPHV/BlackCat ransomware administrators into performing password resets or environment to enumerate assets and resources encryption, the group targets data exfiltration
payloads to victims. By the second quarter of 2024, resetting multifactor authentication (MFA) methods. across cloud environments. using Azure Data Factory and automated pipelines
Octo Tempest added Qilin and RansomHub to their The group also uses SIM swapping to gain access to extract data to its Secure File Transfer Protocol
ransomware payloads. to an employee’s phone number and then initiate a (SFTP) servers.
self-service password reset of the user’s account.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 30

Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Disrupting ransomware Cyber Point of View: Israel

The US Federal Bureau of
threat actors Investigation Cyber Division
The past year has proved once again that defeating identified Octo Tempest
ransomware threats requires a layered and multi- as its third highest priority
tiered approach.
behind China and Russia.
One of those tiers needs to focus on disrupting
actors responsible for this activity in the real world.
Microsoft teams have served as leaders in bringing
together experts from industry and law enforcement
to share threat intelligence and evidence about While our specific role may differ in every operation,
ransomware actors, their infrastructure, identities, Microsoft’s threat intelligence and law enforcement
and even finances. liaison capabilities are, and will continue to be,
In May 2024, the US Federal Bureau of Investigation brought to bear against the most significant threats
(FBI) Cyber Division identified Octo Tempest as we face from criminal and nation-state threat actors.
its third highest priority behind China and Russia
nation-state threat actors. During the period covered
Links
in the scope of this report, Microsoft contributed
intelligence and evidence essential to the arrest of Ransomware operators exploit vulnerability for
multiple Octo Tempest members and other law mass encryption | Jul 2024
enforcement disruptions of ransomware actors. Download Ransomware Incident Response Combatting ransomware collectively The Crystal Ball Platform is designed for modern
We believe our contribution to these public-private Playbook Template | May 2023 work with embedded security, automation, and
In 2024 the Israel National Cyber Directorate,
partnerships helps collectively erode the technical AI. The platform also considers data residency
Defend against ransomware with Microsoft Cyber Security Council of the United Arab
capabilities and infrastructure of the group, and geographic regions to meet the regulatory
Security | Nov 2023 Emirates, and Microsoft Israel joined forces to
ultimately leading to its dismantlement. standards of the CRI partners. As of June 2024,
create a collaborative threat intelligence platform,
What Is Ransomware? | Microsoft Security “Crystal Ball,” for use by the International Counter more than 10 countries are using and sharing
Microsoft is aggressively pursuing our ability to
share information as authorized by law and policy to Ransomware initiative (CRI), a new 60-country intelligence on the platform, with the goal to
Octo Tempest crosses boundaries to facilitate
combat the most significant threats to our customers coalition. The domains of the platform are onboard the remaining CRI members by the
extortion, encryption, and destruction |
and our business. Attribution, Deterrence, and Culture, which address end of 2024.
Oct 2023
cybersecurity collaboration between nations.
 Microsoft Digital Defense Digital
Microsoft ReportDefense
2024 Overview TheOverview
Report 2023 evolving cyber threat
Nation landscape
state Centering our Fraud
threats Ransomware organizations
Identityon&security Early insights: AI’s impact on cybersecurity
Social engineering Appendix 31

Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Fraud

Landscape and trends At the same time, the fight against impersonation
is getting significantly more difficult due to the
Incidents of fraud and abuse are increasing globally increasing ease of access to deep-fake technology,
in both volume and sophistication. Fraud is a form of which enables cybercriminals to create highly
cybercrime and it undermines the security, trust, and convincing forgeries of not only the voices of
reputation of individuals, businesses, and organizations business leaders but even video.
of all sizes and types, in every region and industry. The shift to cloud-based computing is proving
From nation-state actors to cybergangs to lone a double-edged sword. While cloud computing
fraudsters, malicious actors exploit vulnerabilities in provides scalability, elasticity, cost savings, and
services, programs, online properties, promotions, enhanced computational capabilities that drive
and systems to obtain fraudulent access. They use innovation, it grants these same advantages to
gained resources for cyberattacks, financial crimes, malicious actors, amplifying their potential for
or reselling assets. The World Economic Forum22 misconduct. Microsoft has observed fraudsters
reports scammers stole over $1 trillion US globally using cloud services to launch attacks, steal data,
from victims in 2023. This means companies lost impersonate users, launder money, and evade
an average of 1.5% in profits due to fraud,23 while detection. These activities are used in various
consumers faced a staggering $8.8 billion US in types of fraud such as account takeover, domain
losses—up 30% from 2022. typo-squatting, payment fraud, and other types of
cloud impersonation.
In an era where digital transformation accelerates
almost every type of business operations, the ingenuity As discussed on the following pages, Microsoft
and scalability of fraud tactics continues to challenge collaborates with law enforcement, industry
resilience around the world. Organizations face partners, and customers to actively combat these
a barrage of scams, such as payment and quick illegal activities, to protect and uphold the rights of
response (QR) code fraud, business email compromise our customers.
(BEC), AiTM, video phishing, and investment scam
techniques such as “pig butchering.”
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 32

Landscape and trends continued Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

The ever-growing threat of cyber-enabled Microsoft also works to undermine cybercriminals

financial fraud by proactively dismantling their operational
infrastructure, disrupting their financial motivation,
Cyber-enabled financial fraud covers a range of
and partnering with organizations like the US
fraudulent activities facilitated by the internet,
National Cyber Forensics and Training Alliance
including investment scams, BEC, and tech
and the Japan Cybercrime Control Center to
support scams.
enhance sharing of actionable intelligence. As the
According to the FBI, losses due to investment world recognizes the persistent threat of cyber-
scams have surpassed all other online fraud types, enabled crime, we are seeing more public and
accounting for more than $4.5 billion US in losses in private partners joining forces to disrupt criminal
2023 alone.24 infrastructure, hold them to account, and support
Teams at Microsoft, LinkedIn, and Skype are victims of cybercrime.
advancing efforts to proactively detect such Authorities conducted searches at seven locations
criminal activities, and Microsoft suspended across India, intercepting live cybercriminal
upwards of 64 million abusive service accounts operations and gathering substantial evidence,
in 2023. We are also working with industry and including computer hard disks, mobile phones, and
law enforcement partners to disrupt these actors laptops, along with details of financial transactions, In October 2023, Microsoft and Amazon joined Cybercriminals are leveraging the growing
in the real world. In addition, we are currently call recordings, and transcripts. A total of 43 forces to combat a cybercriminal network cybercrime-as-a-service (CaaS) ecosystem as well
working with law enforcement partners to improve individuals have been arrested in this operation, conducting tech support fraud against more as AI technologies to launch phishing and social
intelligence exchange on cyber threats to dismantle with many others still under investigation. The CBI, than 2,000 customer organizations globally. engineering attacks at scale. Simultaneously, they
criminal operations. in coordination with the FBI and international law Following a joint investigation, we provided India’s are increasingly evading security measures like
For example, in May 2024, Microsoft worked with enforcement agencies, continues to trace the Central Bureau of Investigation (CBI) a criminal multifactor authentication (MFA) to conduct targeted
the Indian Cybercrime Control Center to shut down network’s operations and financial activities to referral identifying multiple companies, call attacks. As a result, the battle against cyber-enabled
over 1,000 Skype accounts involved in harassment, identify and apprehend additional suspects in this centers, and individuals that directly contributed to financial fraud requires a multi-faceted response.
blackmail, extortion, and fake “digital arrests” by ongoing investigation. “Operation Chakra II,” a law enforcement operation of Enhancing cooperation and strengthening detection
fraudsters impersonating police and other officials.25 more than 75 criminal raids across India to dismantle and prevention measures are key areas of focus.
Our collaboration with law enforcement to combat
organized cyber-enabled financial crimes.27 Public awareness, vigilance, and the facilitation
The Microsoft Digital Crimes Unit combats cyber-enabled fraud has resulted in 30+ call center
of fraud reporting are also vital components in
financially motivated cybercrime using pioneering raids, 100+ arrests, and increasingly severe prison Despite efforts by law enforcement and partners in
preventing these crimes and mitigating their impact.
legal strategies, state-of-the-art technology, and sentences worldwide.26 the public and private sector, the complexity, speed,
collaboration to counteract threats to consumers. impact and severity of cybercrime is escalating.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 33

Landscape and trends continued Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Novel trends and nightmare scenarios Traditional methods, such as exploiting large-scale
in the world of e-commerce data breaches, remain prevalent, enabling fraudsters Actionable Insights
to bypass identity validations and access extensive
Even as card-present payment security improves
personal data. The growth of the CaaS economy 1 Incorporate AI and machine learning
through mobile wallet, Europay, Mastercard, and
also simplifies the execution of complex fraud (ML) models into existing policies
Visa (EMV) chip, and near-field communication
schemes by providing ready access to stolen data and rules to detect unusual transaction
(NFC) technologies, fraudsters remain attracted to
and fraudulent tools. Concurrently, we’re observing a patterns and flag potentially fraudulent
the e-commerce or card-not-present (CNP) space, in
shift away from older hacking techniques in favor of activities in real-time.
which payment cards are not physically present for
methods like phishing and spoofing to compromise 2 When using voice as a factor for
the transactions.
credentials and gain access to payment instruments. authentication, be sure to incorporate
By 2028, the annual losses attributed to e-commerce In addition to the above general trends, Microsoft additional factors due to the rise of AI
Generative AI accelerates the creation of fake
payment fraud globally are expected to surpass has observed the following specific methods used in audio models capable of reproducing
identity elements, such as high-quality images,
$90 billion US,28 with merchants and financial e-commerce payment fraud: individual voices.
deepfakes, and voice impersonations, making
institutions bearing much of that economic impact.
it easier to deceive merchants and individuals. ▪ Enumeration techniques pose significant risks in 3 Apply risk-based containment strategies
Card security has seen numerous advances This falsified identity information can either disguise e-commerce as regulatory compliance does not using tiered product access and customer
including MFA, tokenization,29 and the expansion of the fraudster’s true identity or impersonate a mandate the protection of all digits in the 16-digit behavior monitoring to manage malicious
address verification services. However, issues with victim to fool a merchant, or impersonate a trusted card schema, allowing some digits to be guessed. use of AI and fake identities.
interoperability and incomplete implementation of contact to fool a victim. Such deception can trick Fraudsters use public payment schemas and 4 Deploy robust authentication measures
planned improvements prevent these technologies a merchant’s risk engine during transactions or, if automated methods to deduce authentication to verify payment credentials and use
from being universally adopted. initially detected, can persuade customer support details like Card Verification Value (CVV) codes tokenization to eliminate the need to store
In the past year, Microsoft conducted over to override the rejection. Consequently, this enables or expiration dates. Once they generate valid full card numbers.
1.6 billion risk evaluations for potential payment fraudsters to unlawfully obtain goods or services payment credentials, these can be sold on the
5 Collaborate with industry partners using
fraud and rejected $1.58 billion US in fraudulent using stolen payment methods. dark web.
secure technologies like confidential
transaction requests. We’ve observed a rise ▪ Biometric spoofing and the creation of synthetic computing and clean room environments
in sophisticated fraud tactics targeting online identities using generative AI are increasing to enhance data sharing and fraud
transaction vulnerabilities, including web interface threats. AI-generated deepfakes can bypass prevention while protecting privacy.
breaches, phishing, spoofing, and synthetic identity biometric security in many mobile payment
6 Enhance authentication with phish-
generation to steal credentials and payment methods relying on biometrics technologies
resistant FIDO.
instrument information. native to hardware and operating systems.
Additionally, fraudsters use AI to craft realistic
synthetic identities to manipulate merchant
customer support functions.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 34

Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Phishing Top email phishing types

In QR code phishing, threat actors send phishing
messages containing a code encoded with a URL.
Other attempts to confuse image processing
include placing a black border around the QR
Phishing remains a perennial cybersecurity threat. The message prompts the recipient to scan the QR code or putting the QR code in an attachment.
According to TrendMicro, phishing attacks increased code with their device, redirecting them to a fake Although effective detection and blocking measures
1 sign-in page where they are prompted to input their greatly reduced the volume of QR code phishing
by 58% in 2023, with an estimated financial impact
of $3.5 billion US in 2024.30 credentials. This page may include AiTM capabilities attacks from the millions of messages observed in
that circumvent some forms of MFA. 2023, actors continued to test new techniques and
Threat actors continue to use longstanding and new 2
innovate old ones throughout 2024 to find ways to
TTPs to access targets, but a growing concern this Of note, Microsoft Defender for Office 365 image
evade protections and impact organizations.
year is the misuse of legitimate web services and detection technology significantly disrupted QR
tools for phishing deployment. 3 code phishing attacks, causing a 94% decrease in During April and May 2024, there was a surge in
phishing emails using this attack technique between phishing attempts targeting Microsoft Teams users.
Software-as-a-Service (SaaS)-based email, developer October 2023-March 2024. Threat actors continually The attackers created a new tenant and registered
tools, captcha services, cloud storage, click tracking, adapt their attacks in response to effective detection a domain specifically for this attack. These attacks
marketing platforms, customer survey platforms, 0% 20% 40% 60% 80% 100%
and blocking, returning to older, more well-known often included QR codes within the messages,
lesser known email clients, and backup and mass tactics or spending time and effort to innovate which, upon scanning, directed users to AiTM
emailing tools have all been weaponized for a range 1 Phishing URL/link (56%)
new techniques. Disruption of effective techniques phishing sites. Common themes in these phishing
of malicious activities. One of the key advantages 2 QR code phishing (25%) such as QR code phishing is an important part campaigns involved impersonating Office, Microsoft,
of using these services is that they can evade of network and data protection. While QR codes or Security services.
3 Phishing attachment (19%)
detection systems because they are less likely to be that are plain and square with a black and white
preemptively blocked due to their established levels Source: Microsoft Defender Threat Experts notifications
barcode persist in phishing attacks, since more
of trust and legitimate usage. Additionally, many effective detection and blocking has successfully Links
phishing campaigns combine the use of multiple QR code phishing reduced their efficacy, threat actors have resorted to
legitimate services simultaneously, complicating To scan or not to scan: The shady side of QR
QR codes have become much more prevalent since the experimenting with different QR code visualizations.
the detection process for both human analysts and codes – Microsoft 365 | May 2023
pandemic and therefore more trusted by users. By their For example, QR codes comprised of a blue barcode
automated systems. nature, QR codes obscure the destination from on a red background became commonplace Expanding our Content Integrity tools global
the user. Around mid-September 2023, Microsoft in phishing attacks until that variation, too, was elections - Microsoft On the Issues | Apr 2024

775 million
analysts observed a significant increase in phishing rendered ineffective. Content Credentials
attempts using these codes, which presents a unique
challenge for security providers as they appear Build trust with content credentials in Microsoft
By their nature, QR codes Designer | Learn at Microsoft Create | Dec 2023
email messages contained malware as an image during mail flow and are unreadable
obscure the destination from
(July 2023-June 2024) until rendered. the user, which creates a Overview - C2PA
challenge for security teams.
Source: Microsoft Defender for Office 365
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 35

Phishing continued Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Business email compromise (BEC) MFA tampering post AiTM attack: Targeted BEC: Personalized phishing campaigns are
After compromising a user account, the attacker crafted using local languages, targeting IT, finance, Actionable Insights
BEC attacks remain a prevalent threat, with inbox
attempts to add an additional device for MFA, and legal departments with specific topics such
rule manipulation the favored method.
such as a phone number to approve two-factor as “software updates” or “tax submissions.” This 1 Even if a tool seems familiar, don’t assume
Inbox rule manipulation: A new variation has authorization or registering a new device with tailored strategy significantly boosts compromise it is safe. In the past year, Microsoft
emerged involving manipulation through API/App an authenticator, to maintain ongoing access. success rates. identified a new trend where adversaries
usage. Instead of using the usual “New-InboxRule” were misusing three legitimate tools for
or “Set-InboxRule” commands, the attackers now Other noteworthy post-compromise malicious activities.
behaviors observed Top post-compromise BEC behaviors
use “UpdateInboxRules”. This allows them to redirect 2 Attacks are more sophisticated.
emails with keywords related to credentials or Legitimate applications abuse: We observed three Another notable trend is the
financial matters to less monitored folders like Spam, new legitimate tools being abused by adversaries for personalization of phishing campaigns
1
Conversation History, or Deleted Items, hiding their mailbox exfiltration and BEC. and outbound communications using
fraudulent activity from the user’s immediate view. ▪ PerfectData Software: An application integrated local languages.
BEC lateral phishing: After compromising an with Microsoft 365/Azure to provide a mailbox 2 3 QR code phishing is on the rise but
account, attackers aim to move laterally within the and backup services. Threat actors used it effective detection and blocking measures
organization, targeting multiple users to either to secretly access and steal mailboxes from can greatly reduce the volume of attacks.
gain access to high-privilege accounts or trick compromised users. 3
4 Shadow IT, or pieces of hardware or
users into paying fake invoices. This is achieved ▪ Newsletter Software Supermailer: Legitimate software that users install without the
by sending phishing emails to other users within software used to create and send personalized
4 approval of the IT department, are a
the organization. bulk emails and newsletters. Adversaries exploited threat to the organizations and make
Conversation hijacking: The attacker compromises it to conduct lateral phishing attacks from them vulnerable to phishing and post-
the sender’s email account and injects themself compromised user accounts. compromise activities. IT teams should
into an existing email thread using a similar-looking ▪ eMClient: A desktop email client for Windows 0 20 40 60 80 100 periodically scan the infrastructure to
account, keeping the sender’s display name and macOS. Adversaries used this to exfiltrate detect unauthorized software or hardware
mailboxes from compromised users. 1 Inbox rule manipulation (40%)
unchanged. The hijacked account domain is usually and take remedial actions.
newly created for financially motivated scams to Low and slow BEC: Attackers discreetly read a small 2 BEC lateral phishing (25%)
lure users. number of emails (between two to five) daily, and 3 Conversation hijacking (25%)
sparingly accessed OneDrive/SharePoint files, all
4 MFA tampering (10%)
in an effort to evade detection. These low-profile
attacks challenged detection systems, which could
identify them only by correlating with unusual sign-
Source: Defender Threat Experts notifications
in activities.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 36

Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Impersonation Sectors impersonated in consumer phish

According to Gartner, by 2026, 30% of enterprises
expect to no longer consider facial biometric identity
On the other hand, plausible alternate domain
registration involves adding words or changing the
Impersonation is a key method used by fraud actors verification and authentication solutions to be top-level domain (TLD) to trick users. For instance,
to gain trust from their victims. While it takes many 5
6 1 reliable in isolation. registering a domain like “contoso.store”.
forms, impersonation of legitimate companies is a As deepfakes become more common in the business
risk both to customers and to the reputation of the Microsoft has begun piloting Entra Verified ID as
environment, organizations will have to implement
business. As we look across the world of corporate 4 an element of advanced identity proofing, requiring
countermeasures, such as requiring additional
impersonation, Microsoft has seen fraud actors users to share government-issued ID in situations
verification for transactions. At the same time,
increase sophistication and speed across the board. where the authenticity of their identity is in question.
Microsoft is exploring provenance solutions to help
Initial results indicate this control is having promising
increase transparency of online digital content.31
Deepfakes 3 results, effectively preventing the majority of
Most AI-generated synthetic media, also known as Corporate impersonation corporate impersonation attempts. As we continue
“deepfakes,” target either communities (for example, to train the models and build for scale, we expect to
Domain spoofing involves various classic techniques
false news reports) or individuals (scams). further improve these results.
that enable impersonation of corporate entities.
2
As with other impersonation-based threats, One such technique is the look-alike domains
deepfakes exist on a spectrum of sophistication. we identified earlier: homoglyph domains. Actionable Insights
At its most basic, for example, a threat actor could The imposters rely on users not noticing the slight
1 Software and Services 4 Media and Entertainment
use shallow fakes in email and text messages (54%) (11%) variation the characters used in the domain name, 1 Educate employees to be on the lookout
designed to convince workers that a superior or such as using zero instead of the letter “O” in a for impersonated domains.
2 Financial (15%) 5 Freight and Logistics (5%)
colleague needs them to take an action. However, domain name. By tricking users into clicking links or 2 When enabling accounts and services, use
3 Retail (12%) 6 All others (3%)
the significant rise in sophistication on the visiting these fraudulent websites, the threat actors of verified identity models and AI detection
horizon will produce major changes, including in can deceive them into sharing sensitive information, can significantly reduce the risk of allowing
identity verification. potentially resulting in financial or identity theft. fraudulent access.
A majority of phishing campaigns targeting consumers Fraudsters have doubled down on various forms 3 Educate employees about how to check
this year impersonated online software and service of impersonating domains including homoglyphs, content integrity.
brands. This comes as no surprise given the value to

54%
attackers in compromising and exploiting consumer sub-domain squatting, and plausible alternate
accounts on platforms that can span social media, domain registration. Sub-domain squatting involves
cloud storage, email, e-commerce, and more. setting up a sub-domain in a cloud service under a
Phishing will become less prevalent and less profitable
trustworthy name to carry out email-based attacks, Links
for attackers as more consumers adopt strong MFA
of phishing campaigns targeting and passwordless technology. such as using “contoso.onmicrosoft.com” as a Microsoft Content Integrity website
consumers impersonated online Source: Outlook.com customer phish reports. These include consumer sub-domain.
emails received by our customers and reported to Microsoft as phishing.
software and service brands
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 37

Impersonation continued Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

The dire state of techscam Microsoft researchers are building a new AI

detection model to detect scams with a local small Daily malicious traffic volume
Techscam refers to fraudulent activities or scams In the realm of cloud services, (millions)
language model, protecting the first victim that
that make your computer vulnerable to additional we saw a significant uptick in sees a scam and reporting scams to SmartScreen to
malicious activities. Microsoft has identified
techscam traffic, with a daily protect other users.
3
that most techscams originate from malicious 12m 1
advertisement platforms. There are a variety frequency surging from 7,000 Microsoft researchers are also developing client-
2021

of techscam types, each with its own unique in 2023 to 100,000 in 2024, side signals to analyze the visual and structural 2 2022
modus operandus: an over twelvefold increase. elements of techscam pages. This new capability
10m
has significant detection potential, especially 3 2023
▪ Microsoft Support techscam/McAfee/Apple
since techscam incidents are often short-lived.
techscam: These scams impersonate legitimate
This feature enables us to identify threats more 2
support services from industry leading tech
The current landscape of techscam is alarming, with quickly, dramatically increasing the efficiency of our 8m
companies to deceive users into providing
SmartScreen traffic statistics from 2022 to 2024 techscam detection abilities.
sensitive information or making payments for
indicating that over 90% of malicious traffic in the
non-existent issues.
Edge browser is attributed to techscam activities.
▪ Cryptocurrency/fake shopping: Scammers use 6m
Among techscam frameworks, investment and Actionable Insights 1
malicious advertisements to promote fraudulent
cryptocurrency schemes or fake shopping deals, cryptocurrency scams and technical support scams
1 Preemptively block known malicious
luring users into financial traps. have incurred the highest financial losses globally.
domains by creating a blocklist based 4m
Overall, techscams have 10 times the financial impact
▪ Malicious browser extension scam: These on the domain architectures—such as
of phishing.
scams trick users into installing browser IP, Whois, and PDNS (protective domain
extensions that can manipulate search results, The transient nature of malicious hosts on cloud name system)—and redirector chains’ 3
2m 1 2
display intrusive ads, or steal personal data. servers—such as Azure, DigitalOcean, and information in telemetry logs commonly 3
CloudFront—poses a significant challenge to used in techscam operations. 2
▪ Malicious browser notification scam: Users are 1
misled into allowing browser notifications from detection and neutralization. Cloud servers provide 2 Perform continuous updates on this 0
malicious sites, which then bombard them with an easy and cost-effective way to create host pages.
dynamic use of blocklists to stay ahead of Techscam Malware Phish
misleading alerts or phishing attempts. Moreover, over 70% of malicious entities are active
scammers’ evolving tactics.
for less than two hours, meaning they may be gone
before they’re even detected. This rapid turnover The daily volume of techscam traffic has escalated
rate underscores the need for more agile and dramatically, skyrocketing by 400% since 2022, a stark
effective cybersecurity measures. contrast to the 180% increase in malware and 30% in
phishing over the same period.
Source: SmartScreen log data
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 38

Impersonation continued Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Account takeovers (ATOs)

Confirmed ATOs in Azure Small Business segment Actionable Insights
In the business-to-consumer world there has been a
steady pace of account hacking, identity theft, and 972
1 Keeping account security up to the latest
payment instrument abuse in context of ATOs.
standards is critical to protecting yourself
Threat actors prey on the least protected accounts from ATO risk.
692
and the most vulnerable individuals, so consistently 619 607 2 Hackers look for weak security and
raising the bar on account protection is important. seasonal opportunities when account
While the best practice for consumers is to have and 427 owners are not focused on monitoring, to
398
keep current MFA while being vigilant about account 345 373 scale their attacks.
314
monitoring, a whole industry has developed to help 247
289
223 3 Consider moving your user base to an
mitigate the impacts of successful compromises.
authentication app to enable an easy
In recent years, industry reports have indicated upgrade to new standards for MFA as
an increasing threat in the business-to-business they release.
world and the arena of managed online services. Jul 23 Aug 23 Sep 23 Oct 23 Nov 23 Dec 23 Jan 24 Feb 24 Mar 24 Apr 24 May 24 Jun 24
Because compromise of the latter may impact the
Confirmed ATOs in Azure Small Business rose during the holiday season, then declined. Further and steady
downstream customers of client businesses, this
decline is expected as enhanced security requirements are implemented, such as multifactor authentication
adds another layer of complexity and risk. and verified credentials. Links
Source: Microsoft Central Fraud and Abuse Risk Team Threat actors misusing Quick Assist in social
engineering attacks leading to ransomware |
According to one study, 29% of internet users Recently, Microsoft has experienced a surge
Microsoft Security Blog | May 2024
have now experienced ATO, up from 22% in 2021.32 in attacks on “generic,” “group,” or “multiuser”
Business account takeovers rose from 13% to 21% in accounts. These accounts typically have outdated
the same period. passwords, and the original user may no longer be
monitoring them. Generic accounts are commonly
According to Microsoft’s trend monitoring, many
used by administrators for ease of maintenance but
Microsoft accounts that were taken over last year
are harder to secure. Implementing effective multi-
did not follow basic account security best practices,
factor authentication is challenging, and identifying
like using MFA. Despite the emergence of more
compromises through pattern recognition
advanced hacking techniques, most ATOs still
becomes difficult when multiple users have access.
happen through simple methods like password
Additionally, account recovery for service providers is
spraying, phishing, keylogging, and using passwords
problematic, making it challenging to restore hacked
from previous attacks found on the web.
accounts to their rightful owners.
 Microsoft Digital Defense Digital
Microsoft ReportDefense
2024 Overview TheOverview
Report 2023 evolving cyber threat
Nation landscape
state Centering our Fraud
threats Ransomware organizations
Identityon&security Early insights: AI’s impact on cybersecurity
Social engineering Appendix 39

Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Identity and social engineering

Insights on identity Microsoft Entra data shows that of more than

600 million identity attacks per day, more than 99%
attacks and trends are password-based. Advances such as default
security configurations and Conditional Access
As organizations move to the cloud and adopt SaaS policies have helped more organizations embrace
applications, identities are becoming increasingly multifactor authentication (MFA), increasing
crucial for accessing resources. adoption to 41% among Microsoft enterprise
Cybercriminals exploit legitimate and authorized customers.33
identities to steal confidential data, and access However, as MFA blocks most password-based
credentials in various ways like phishing, malware, attacks, threat actors are shifting their focus, moving
data breaches, brute-force/password spray attacks, up the cyberattack chain in three ways:
and prior compromises.
1 Attacking infrastructure
As in past years, password-based attacks on
users constitute most identity-related attacks, 2 Bypassing authentication
supported by massive infrastructure that threat 3 Exploiting applications For example, they may steal credentials to
actors have dedicated to combing the digital world Actionable Insights
impersonate a non-human identity, elevate its
for passwords.
Attacks on identity infrastructure permissions for a few seconds to create new
1 Employ advanced monitoring and threat
in the spotlight credentials used to access and steal data, then return
detection that uses AI to recognize
the application’s identity to its previous state.
Infrastructure attacks have become popular with outlier patterns.
sophisticated actors, both nation-state and criminal. 2 Carefully monitor access and configuration

7,000
They can be difficult to detect without careful changes to identity infrastructure.
configuration monitoring, AI-driven threat detection, 3 Enhance monitoring for devices
and log analysis. Once a threat actor infiltrates an and networks on which identity
password attacks blocked organization’s infrastructure, they make changes to infrastructure depends.
per second over the past year maintain persistence and remain unnoticed.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 40

Insights on identity attacks and trends continued Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Exploiting applications to access high- Between January and June 2024, we detected
Actionable Insights value resources over 1.5 million credentials (such as passwords or
certificates) discoverable by attackers in locations
Threat actors are taking advantage of abandoned,
1 Retire passwords in favor of phishing- such as source code repositories. In fact, 18% of code
unmonitored, and overprivileged cloud-based
resistant, passwordless authentication repositories we examined in the past year exposed
applications with insecure credentials so they can
methods such as passkeys. such secrets.
access high-value resources.
2 Require all users to run on their devices as These statistics underscore the importance of secure
standard users and not as administrators. Most organizations carry substantial security debt
development practices, which include preventing
in such applications. For example, developers may
3 Only allow access from managed and secrets in code, securing test environments,
enable broad permissions and check credentials
compliant devices. minimizing permissions for applications, and
into code to facilitate application development and
4 Mitigate AiTM and token theft attacks retiring unused applications and tenants. Just as
testing but then fail to correct these issues before
with policies that require interactive using phishing-resistant credentials greatly reduces
the application ships.
strong authentication when anomalies the risk of identity compromise, using managed
In the past year, Microsoft found only 2.6% of service identities eliminates the risk associated with
Threat actors are bypasssing MFA, using are detected.
workload identity permissions were used and 51% of managing service credentials in code.
innovative AiTM phishing attacks and 5 Use access policies to require token workload identities were completely inactive.
token theft protection and prevent access from
As we highlighted last year, as organizations untrusted environments. Actionable Insights
strengthen their authentication protocols with MFA, 6 To reduce time to mitigation and increase
1 Use managed service identities instead of
threat actors are pivoting to AiTM phishing attacks detection capability, adopt applications that
developer shared secrets.
and to token theft. Token theft occurs after a user support continuous access evaluation.
successfully authenticates and receives a valid token. 2 Govern permissions to ensure identities,
The attacker then steals the token from the victim’s including workload identities, have only the
device, from compromised routers or proxies, or privileges they need.
from application or network logs. Although token 3 Secure test environments and retire unused
theft results in far fewer identity compromises applications and tenants.
than password attacks, our detections indicate
incidents have grown to an estimated 39,000 per
day. Moreover, over the last year we’ve seen a
146% rise in AiTM phishing attacks, which occur
when attackers trick users into clicking a link and
completing MFA on the attacker’s behalf.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 41

Insights on identity attacks and trends continued Introduction Nation-state

- threats Ransomware Fraud Identity and social engineering DDoS attacks

Identity attacks in perspective Less than 1% combined

-
Password-based attacks continue to dominate, but can be thwarted by using strong authentication methods.

-
End-run MFA protection by intercepting security codes
using stolen phone numbers, barraging users with MFA
notifications until they approve, and capturing first
and second factor credentials using fake replicas of
MFA attacks legitimate websites.

<1% SIM swapping

More than of attacks

MFA fatigue

99% of identity AitM

attacks are Infiltrate a user’s account after they authenticate by stealing

a legitimate token created on their device and moving it to a
password attacks Post-authentication
device under the attacker’s control, by searching source code
repositories for Open Authorization (OAuth) tokens and other
-
non-human credentials, or by tricking the authenticated user
attacks into granting permissions to malicious apps.

Token theft
Breach replay
Consent phishing
Password spray
Phishing
-
Often silently executed by professional groups or nation-state- -
Rely on predictable human behaviors such as selecting backed threat actors with sophisticated operations, making them
easy-to-guess passwords, reusing them on multiple -
very hard to detect. Threat actors may compromise an on-premises
federation server and copy its private signing key to forge tokens,
websites, and falling prey to phishing attacks. Infrastructure compromise a privileged cloud user and add new federation
compromise contracts, or compromise a non-human workload identity and
create new credentials with elevated privileges.

Source: Microsoft Threat Intelligence

Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 42

Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Security to the max: Technical debt makes maintaining

the optimal mindset for a secure environment challenging

security professionals 500

2

Outdated security programs leave configurations

1
insecure. For example, virtual private networks (VPN) 400
typically grant remote users access to the entire
corporate environment instead of limiting access to
specific applications. Password-only authentication
300
configurations, exacerbated by archaic expiry and
complexity policies, result in more than 99% of
identity compromises. And many identity attacks 2
rely on protocols such as IMAP, POP, and basic 200

authentications that were once necessary but

have long been replaced by modern protocols 1

such as Open Authorization (OAuth) and OpenID 100 3

2
Connect (OIDC).
1
0
Version Version Version
2016 2019 2022
Windows Server Windows
1 2
Standard Server Datacenter

Windows Server
3
Datacenter Azure Edition

Security incidents are more prevalent in older versions

of domain controller operating systems (chart data
represents January-March 2024). Although Microsoft
officially ended mainstream support of Windows
Servers 2016 and 2019, many customers who
Password spray attacks are authentication attacks experienced security incidents were still running
that employ a large list of usernames and pair them domain controllers on these out-of-support versions.
with common passwords in an attempt to “guess” Source: Microsoft Incident Response
the correct combination for as many users as possible.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 43

The optimal mindset for security professionals continued Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

“Secure by default” settings reduce This “secure by default” approach represents a

identity compromises critical mindset shift for security professionals: MFA adoption: percentage of Entra ID monthly active
Although modern MFA techniques reduce the risk of
instead of “dialing up” security to where it’s “safe,” users signing in with MFA
we must start at the maximum level of security
identity compromise by 99.2%, many organizations 2022
possible, then dial back as necessary. It’s both
have been slow to adopt them. So, in January MFA automatically TARGET
harder and less effective to start at zero security and
2020, Microsoft introduced “security defaults” that deployed to all 100%
assemble it layer by layer than to start at 100 percent 2018
turn on MFA while turning off basic and legacy enterprise tenants
security and then customize the configuration to MFA available
authentication for new tenants and those with simple via Security Defaults
specific business needs. -
cost-free to all
environments. The impact is clear: tenants that use 2023
enterprise customers
security defaults experience 80% fewer compromises -
Microsoft-managed
2014
than tenants that don’t. Actionable Insights policies announced
MFA
In November 2023, we started deploying Microsoft- technology 2020
1 Enable MFA in all your tenants. MFA automatically 2024
managed Conditional Access policies for existing available to
tenants with more complicated environments. 2 Enable phishing-resistant MFA for enterprise deployed to all new Microsoft--
We then started enforcing three MFA-related your admins. customers enterprise tenants via managed
41%
policies in March 2024. Even among these more Security Defaults policies enforced
3 For all new tenants, start with the strongest
sophisticated tenants with these policies, the
security settings possible.
compromise rate has decreased by 39%.
4 Test pre-configured security settings,
such as security defaults or managed 37%
Conditional Access policies, in report-only
mode to understand their potential impact
before going live.
25%

1.8%

0.7%

2014 2018 2020 2022 2024

Source: Microsoft Threat Intelligence
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 44

Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Social engineering
Regardless of the technique, social
“next generation” engineering remains a constant
Regardless of the technique, social engineering threat that ultimately cannot be
remains a constant threat that ultimately fully mitigated via technology.
cannot be fully mitigated via technology.
Training and education, both at the helpdesk and
user level, is central to preventing successful social
engineering attacks.

Teams and Skype phishing

In recent years, there has been a significant rise in Teams users, often with QR codes that directed users
novel phishing techniques like the use of QR codes to AiTM sites. In some cases, attackers had already
discussed earlier. Another of these techniques is obtained credentials through password spray attacks
the use of collaboration platforms such as Teams or and sent a two-factor authentication request via
Skype to phish users. Microsoft has observed threat Teams, prompting the target to provide the number
actors using a previously compromised tenant to in the authentication app. A sense of urgency was
create a new onmicrosoft.com tenant with a tech the key in these attacks since the tokens were valid
support theme. These tenants are then abused to only for a few minutes.
send malicious files, links, and requests for users to From April onwards, there was an uptick in social
provide credentials or obtain MFA approvals. engineering attacks through Teams. Attackers posed SIM swapping Once the actor has control of the victim’s SIM, they
as Help Desk or IT support staff and persuaded users can receive MFA codes and one-time passcodes.
Beginning in July 2023, threat actors began The growing acceptance of MFA has forced threat
to establish remote monitoring and management Operational security on the part of individuals
sending Teams users attachments hosted on an actors to impersonate users as a workaround. As a
(RMM) connections with the attacker’s system, is crucial in preventing this kind of attack.
actor-controlled SharePoint tenant. In these cases, result, Microsoft has observed SIM swapping gaining
leading to ransomware incidents. In all these Teams- Individuals should monitor their online footprint to
the target tenant had been configured to allow popularity in recent years, led by Octo Tempest.
related instances, the attacks were conducted see what information is publicly available about them
messages from users outside of the organization.
through one-on-one conversations, originating In SIM swapping, the threat actor contacts a mobile that a threat actor could use to impersonate them.
In April 2024, Midnight Blizzard masqueraded as
from newly created attacker-owned tenants. carrier and gets a target victim’s SIM card moved
Microsoft Security on Teams, providing targets a
SharePoint was frequently utilized by the attackers as to their own device. To do this, the actor must first
link for AiTM credential harvesting. That month and
the preferred platform for hosting malicious files. collect personal information about the target to
the next, attackers impersonated Microsoft Office,
answer the security questions necessary to gain
Microsoft Security, or Microsoft in general to phish
access to the target’s account.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 45

Social engineering “next generation” continued Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

How easy is it to carry out different Actionable Insights

types of social engineering attacks?
1 Provide helpdesk staff training on
identifying social engineering attempts.
EASY MEDIUM HARD 2 Ensure helpdesk systems have adequate
activity logs.
Email and Phone and SIM swapping
Teams video calls 3 Move toward passwordless authentication;
phishing
Helpdesk MFA alone is not enough.
QR code social 4 Adopt phishing-resistant MFA
phishing engineering
for administrators.
5 Evaluate and strengthen helpdesk
password reset procedures.
6 Employ alerting on any changes
to administrators.
7 Engage in regular tabletop exercises.
Helpdesk social engineering Threat actors such as Octo Tempest have also
been observed communicating directly with senior Links 8 Vet key suppliers relating to SIM cards and
Microsoft has observed an uptick in threat actors
executives and other individuals involved in an Midnight Blizzard conducts targeted social helpdesk services.
contacting helpdesks, impersonating a user
investigation as part of their extortion campaign or engineering over Microsoft Teams | Aug 2023
to obtain a password reset or register a new
in an effort to gain access to credentials. In cases
MFA device. Malware distributor Storm-0324 facilitates
where extortion is part of the attack, threat actors
In the last year, more than half of all Microsoft ransomware access | Sep 2023
may also use text messages to pressure victims
Incident Response engagements attributed to Octo into paying. Octo Tempest crosses boundaries to facilitate
Tempest were able to be tracked back to helpdesk extortion, encryption, and destruction |
social engineering. Helpdesks have begun to counter Oct 2023
this by requiring further levels of verification such
as video calls, but as noted earlier in this chapter,
the rise of deepfakes will enable a threat actor
to impersonate the voice, image, and video of a
victim, making even this identity verification avenue
more difficult.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 46

Social engineering “next generation” continued Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

AiTM credential phishing In May 2024, Storm-1101, the actor behind the The use of HTML attachments to deliver URLs or
NakedPages PhaaS platform, announced they phishing pages to recipients continued to be a In the time it takes you to
Credential phishing attacks with AiTM capabilities
would be permanently winding down their popular tactic among phishing actors in the last
are continually observed by Microsoft through daily,
operations. The actor claimed they had provided year. The attached HTML file may contain a URL that
read this sentence we will
high-volume email campaigns sent from phishing-
the NakedPages source code to some individuals sends the recipient to a phish landing page or it may have defended against 27,860
as-a-service (PhaaS) platforms.
who had worked as support for the NakedPages contain code that reaches out to an actor-controlled individual password attacks.
In 2024 to date, the top five kits by email volume service. At least one of these individuals has since server to download a phishing page and present it
were: Caffeine, Tycoon, Greatness, NakedPages, and started their own phishing service based on that to the recipient upon opening the file. HTML files
Dadsec. Each of these PhaaS services represents source code. may also be contained within ZIP files, Microsoft
tens to hundreds of millions of phishing messages Office files, additional—sometimes multiple—email
In January 2024, Caffeine was rebranded to ONNX.
observed each month. files attached to the initial email, or other file types
Communication channels for the kit’s operations
While the top phishing services are largely the same to evade detection.
were changed and the service began allowing
in 2024 as 2023, there have been some changes. customers to use their own domains in April, PDF attachments also continued to be a popular
For example, in November and December 2023, making it harder to track activity related to the kit. vector for phishing. Usually, the PDF contained a
the Dadsec service disappeared from our tracking. While Caffeine/ONNX was the most prominent URL leading to a phish landing page, likely through
In January 2024, the creator and operator of the AiTM phishing service by volume of phishing a multi-step process including a redirection URL
Dadsec PhaaS platform, Storm-1575, resurfaced messages observed through the first half of 2024, it through a legitimate or abused service and/or a
and announced a rebrand of the service as was supplanted by Tycoon in May. In June, Caffeine captcha check. Occasionally, the link went straight to
“Rockstar2FA.” Operations of the new service owner and operator Storm-0867’s identity was a phishing domain. Like the HTML vector, a PDF file
continued mostly as before, with intermittent revealed in a blogpost from DarkAtlas,34 resulting in may be included within multiple layers of other email
updates to phishing attachments, messages, or an abrupt cessation of operations. files, ZIP files, other filetypes or may be hosted on a
infrastructure to evade detection efforts and a new legitimate filesharing service accessed through a URL
communications channel for clients. provided in the original email.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 47

Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Stormy skies: the rise of In Octo Tempest cloud attacks identified by

Microsoft Threat Intelligence, this prolific threat actor Cloud identity compromise
cloud identity compromise targeted federated identity providers using tools
like AADInternals to federate domains. The actor Identity
With more organizations moving to hybrid or cloud- then used the newly federated identity provider compromise
only models, it is becoming increasingly important to to sign in as a valid user. Similarly, in March 2024, email phishing, brute force,
secure both cloud resources and cloud identities. ransomware threat actor Storm-0501 attacked password reuse

Identity is a central piece in a functional Azure environments using the AADInternals

organization’s cloud environment and represents tool to federate attacker-owned domains
a critical target for attackers. An attacker who within compromised tenants, using the newly
manipulates identity can also manipulate any federated identity provider to sign into additional
resource or process that identity is trusted to access, valid accounts.
including email, other cloud services, or the on- Storm-0539, which primarily targets retail
premises environment. organizations for gift card fraud and theft, also has
Resource access IDENTIT Y
Platform for
In the past, cloud identity compromise was thought a deep understanding of cloud environments that it
VPN, cloud services, new attacks
to be reserved for only a handful of advanced, exploits to conduct reconnaissance on organizations’ on-premises
perhaps exclusively state-sponsored, actors. gift card issuance processes and employee access.
However, financially motivated actors like Octo The actor then conducts phishing attacks to hijack
Tempest, Storm-0539, and Storm-0501 have recently cloud accounts. After gaining access to a user’s
shown sophisticated competency in the cloud across session and token, Storm-0539 registers its own
a large variety of industry verticals, indicating that malicious devices so that multifactor authentication
more and more threat actors will be able to use (MFA) prompts associated with a compromised
this technique. victim account go to the threat actor’s device.
Registering a device lets them wholly compromise Reconnaissance
an identity and persist in the cloud environment. mailbox access, folder or share
access, and persistence

Links
Inside the growing risk of gift card fraud |
Security Insider | May 2024 Lifecycle stages for a cloud abuse attack starting clockwise from the top.
Source: Microsoft Threat Intelligence
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 48

Cloud identity compromise continued Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

The chart on this page shows average preparedness

against cloud identity abuse by sector, in three Cloud identity abuse preparedness Actionable Insights
groupings: best (90th percentile), median (50th
Sector 0% Highest protection against cloud identity abuse > 100% 1 Centralize your organization’s identity
percentile), and least (10th percentile) protected.
A tenant will have a score of 100% if all the known Commercial Facilities
management into a single platform.
21% 50% 73%
protections for cloud identity abuse, as mapped by 2 Require all users to enroll in MFA. MFA can
Microsoft researchers, have been applied to their full Communications
4 %
54 %
79 %
inherently stop an attack before it even
estate. The communications sector shows a broad begins by preventing an attacker who
Critical Manufacturing
range in levels of protection, with the 10th percentile 20% 56% 86%
has managed to compromise a user’s
group at just 5%. By contrast, the Defense Industrial Defense Industrial Base credentials from accessing network
46% 71% 78%
Base sector’s least prepared group is closer to 50% resources. Require phishing-resistant
of protections in place. Emergency Services
29% 51% 86% authentication for all developers and all
users in administrative roles.
Energy
26% 67% 88%
3 Block legacy authentication. Apps using
Financial Services
30%
65%
89
% their own legacy methods to authenticate
and access company data pose another risk
Food and Agriculture
32% 67% 91% for organizations. The alternative, modern
Government Services and Facilities authentication, reduces security risk by
22% 55% 85%
supporting MFA and Conditional Access.
Healthcare and Public Health
40% 64% 84% 4 Understand your cloud environment’s
Information Technology
“trust chain.” With the rise of SaaS
17% 59% 86%
applications, guest accounts, and delegated
Nonprofits and Intergovernmental
25% 60% 88%
privileges, an organization might fail to
Organizations (IGO)
properly determine who has access to what
Transportation Systems
21% 66% 88% within their cloud tenant. Attackers use this
Links ambiguity to identify identities that already
Water and Wastewater
23% 59% 88% have access to resources of interest.
Five steps to securing your identity
infrastructure | Microsoft Learn | Oct 2023 % Average of % Median protection % Average of 5 Create a custom activity policy to get alerts
least protected level (50th best protected about suspicious usage patterns.
Security Exposure Management |Microsoft (10th percentile) percentile) (90th percentile)
Security, Compliance, and Identity Blog Sample size: 112,000 organizations representing a range of sizes and industries
Source: Microsoft Security Exposure Management
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 49

Cloud identity compromise continued Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Cyber Point of View: Canada

How Canada is boosting security by NC3 has also been active in warning businesses
investing in innovation and partnerships and organizations about impending cyberattacks.
Housed within the Royal Canadian Mounted Police, It warns 300-400 victims per year and facilitates the
the National Cybercrime Coordination Centre (NC3) deployment of decryption tools where available so
performs a key role when it comes to Canada’s victims can regain access to their data or systems.
global contribution to reduce cybercrime. The NC3 also enhances the capabilities of Canada’s
law enforcement agencies through technical,
The NC3 has not only established operational intelligence and case coordination support.
links with domestic policing but allowed Canada
to join international efforts in joint-sequenced Microsoft further integrates the Cyber Centre’s
operations that attack the enabling pillars of Aventail feed into its own threat intelligence
global cybercriminality. These efforts have ecosystem contributing to improved cyber threat
included Canadian law enforcement working detections for customers worldwide. Microsoft’s
alongside law enforcement from 10 countries security engineering teams extensively utilize the
as part of “Operation Cronos” to systematically Cyber Centre’s assembly line malware detection
disrupt and discredit LockBit’s business model and and analysis tool within our cloud based cyber
expose affiliates associated with this notorious defense systems.
ransomware gang.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 50

Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

DDoS: Stealthier Attack landscape A new threat: The loop attack is a stark reminder of the
vulnerabilities that exist within our network
Application loop attacks
threats emerge Beginning in mid-March, we observed a rise in protocols. It highlights the need for continuous
network DDoS attacks, reaching approximately vigilance and the development of robust
A new type of cyberattack is targeting the very security measures to protect against such
4,500 attacks per day in June. Additionally, there
Distributed denial of service (DDoS) was a significant surge in attacks targeting medium
protocols that form the backbone of our internet sophisticated threats.
attacks are cyberattacks that aim to size applications. Application layer attacks are more
communication. Dubbed the “loop attack,”
disrupt or disable a website or online this vulnerability reveals a critical weakness in
stealthy, sophisticated, and difficult to mitigate than
service by overwhelming it with traffic network-level attacks.
application-layer protocols that rely on the User Application layer attacks are
Datagram Protocol (UDP). According to the
from multiple sources. DDoS attacks can These attacks, which are in the range of 100,000 to
more stealthy, sophisticated,
Helmholtz Center for Information Security (CISPA),
cause significant losses for businesses 1 million packets-per-second, are aimed directly at these attacks could potentially affect 300,000 and difficult to mitigate than
such as downtime, lost revenue, specific web applications, revealing the relentless application servers worldwide. The loop attack network-level attacks.
damaged reputation, and increased costs. nature of attackers trying to evade volumetric does not discriminate in its choice of targets.
DDoS protection tactics. Without adequate Protocols that many consider the lifeblood of the
protection, these applications would experience internet—such as TFTP, DNS, and NTP—are at risk,
availability issues. along with legacy protocols like Echo, Chargen, and
The increased focus of DDoS attacks on the QOTD. The vulnerability triggers an endless loop of
application layer rather than the more traditional error messages between servers, leading to a severe
network layers has created a greater risk of impact degradation of service and network quality.
on business availability, such as access to online Unlike the more commonly known reflected
banking services or the ability to check-in for UDP-based floods, loop attacks may not amplify
airline flights. the traffic volume with each spoofed packet.
However, they can still cause significant disruption
by ensnaring multiple servers in a never-ending
communication loop. This is initiated by a single,
well-crafted packet, and once the loop starts, there’s
no stopping it, and the network flood that ensues
can threaten not just the application servers but also
the underlying network infrastructure.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 51

A new threat: Application loop attacks continued Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

4X
We mitigated 1.25 million
Number of network DDoS attacks (January-June 2024)
6000
Actionable Insights

1 Where possible, minimize exposure of

DDoS attacks in the second your applications over the public internet
half of the year, representing a to minimize the attack surface area for
5000 DDoS attacks.
fourfold increase compared to
last year. 2 For applications that are exposed over the
public internet, follow a defense-in-depth
4000 strategy and ensure the applications have
network layer DDoS protection in place.
Specific to web applications, it’s important
to protect them with a web application
3000
firewall that provides comprehensive
application layer protection.
3 Integrate DDoS simulations in the software
2000 development lifecycle and as a regular
part of security operations to ensure the
applications and workloads have the right
1000 level of protection and scale.

0
1 Jan

10 Jan

19 Jan

28 Jan

6 Feb

15 Feb

24 Feb

4 Mar

13 Mar

22 Mar

31 Mar

9 Apr

18Apr

27 Apr

6 May

15 May

24 May

20 Jun
2 Jun

11 Jun
L2 1K - 10K L3 10K - 100K L4 100K - 1M L5 1M - 10M L6 > 10M

The number of DDoS attacks mitigated continues to increase, with a notable surge layer 4 (L4, application layer) attacks.
Application layer attacks are more stealthy, sophisticated, and difficult to mitigate than network-level attacks. Layers in
the key are in “packets per second (pps)”.
Source: Microsoft Global DDoS Mitigation Operations
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 52

A new threat: Application loop attacks continued Introduction Nation-state threats Ransomware Fraud Identity and social engineering DDoS attacks

Cyber Point of View: India

DDoS attacks on the rise in India Common tactics, techniques, and procedures
Daily number of attacks targeting the APAC region (February-June 2024) of DDoS attacks in India
India was one of the countries most affected by
1500
DDoS in 2024, continuing the trend from last ▪ Botnets to generate and amplify DDoS traffic.
year. In 2023, it ranked third in the number of 1200 ▪ Living-off-the-land techniques (where malware
DDoS attacks per customer organization in the uses only resources already available in
900
APAC region and ninth in the world, with the the operating system) to evade detection
finance, technology, and government sectors the 600
and mitigation.
most targeted. 300 ▪ Proxy services to obfuscate the source of
The number of DDoS attacks per customer in India 0 DDoS traffic.
has more than doubled since 2020.35 Most of the ▪ Encryption to bypass security controls.

14 Mar
14 Feb

14 Apr

14 May

14 Jun
DDoS attacks in the APAC region from February
to June 2024 targeted India, especially the gaming
sector. Online gaming is prone to DDoS attacks, L2 1K - 10K L3 10K - 100K L4 100K - 1M L5 1M - 10M L6 > 10M Actionable Insights
and it is a growing sector in India. The mid-size TBC
throughput attacks reached ~1,000 attacks per Layer 4 (L4) attacks were the most prevalent DDoS attack type in the APAC region, as well as globally. Layers in the key 1 Implement a DDoS protection solution,
are in “packets per second (pps)”. securing the network and application
day on India’s gaming sector alone, accounting Source: Microsoft Global DDoS Mitigation Operations
for ~20% of all attacks. The attack volume per infrastructure, hardening the DNS
customer during that time also increased from 1.4 infrastructure, and preparing an incident
Separately, DNS query floods are the most common DDoS attacks in India January–June 2024:
Gbps to 2.4 Gbps. response plan.
type of application-level DDoS attacks in India.
▪ Maximum number of vectors seen in a single
Hacktivists, who use cyberattacks to express 2 Implement security measures such
attack: 9.
their political, social, or ideological views, are a as firewalls, load balancers, and
major source of DDoS attacks, and cloud-based ▪ Maximum attack throughput: 61 Gbps and routers to secure the network and
resources are increasingly used by both attackers 41.2 Mpps. application infrastructure.
and defenders. Microsoft found a spike in DDoS ▪ Top attack vectors: TCP ACK flood, SSDP 3 Implement security measures such as
activity in India in June of 2024. This is unsurprising amplication, DNS amplification. DNSSEC and DNS filtering to harden the
given there has historically been an increase in DNS infrastructure.
cyberattacks during election periods, and India’s
national elections occurred from April to June.
Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 53

Chapter 2
Key developments 54

Centering our Introduction

Secure Future Initiative

55

56
organizations Strategic approaches to cybersecurity 57

on security Supporting the ecosystem

Collective action
67

77

What is the path forward

to improve resilience?
Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 54

Introduction Strategic cybersecurity Supporting the ecosystem Collective action

The Secure Future Security stories from critical Taking a threat-informed

Initiative (SFI) infrastructure frontlines approach
Key developments Taking proactive steps to Helping to support the to defense
keep security deficits from ecosystem through transparency 80% of organizations have
Centering our re-accumulating, we share what of datacenter application attack paths that expose

organizations on security we are doing, how customers can

benefit, and how they can better
security findings.
Find out more on p69.
critical assets.
Find out more starting on p61.
protect themselves.
In this chapter we emphasize the responsibility of
everyone for keeping their own house in order, Find out more on p55.

emphasizing robust accountability alongside a

fundamental mastery of cybersecurity essentials.
More than just compliance checklists, we advocate Best practices for robust cybersecurity Hierarchical pyramid of
for a threat-informed strategy that enhances governance and accountability cybersecurity needs
resilience across the cyber landscape.
Everyone in the organization, including Board It starts with the basic need
We also extend our focus beyond organizational members, must have basic literacy of cybersecurity to protect identities, against
security to incorporate the broader ecosystem, threats, a sense of personal responsibility for ransomware, supply chain attacks,
particularly in critical environments and electoral security, and clarity on their role. and other threats that bypass
processes. The chapter concludes with a call for traditional security measures.
Find out more on p63.
collective action, urging stronger collaborations Find out more on p60.
between industry and government to bolster our
collective security.
Generative AI is fueling the need for Collective action through Supporting democratic elections
data security policy implementation deeper partnerships between During this unprecedented period of
The use of generative AI applications can industry and governments critical elections worldwide, we are
pose serious risk to organizations that haven’t Hybrid warfare, cyberattacks, and working to safeguard institutions from
implemented sufficient data governance foreign influence operations pose malicious schemes that aim to disrupt
controls. On the other hand, generative AI can grave risks to society. or influence electoral processes.
be used to kick-start a strategy and approach Find out more on p79.
Find out more on p77.
to understanding their data perimeter.
Find out more on p57.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 55

Introduction Strategic cybersecurity Supporting the ecosystem Collective action

Introduction: Tackling technical debt

and shadow IT for a secure future
Threat actors prey on unaddressed Whether it is a test app from an untracked SFI is a multiyear initiative to evolve the way we In all cases, we’re creating “paved paths” for
technical debt, outdated security controls, satellite tenant that doesn’t enforce multifactor design, build, test, and operate our products and engineers, so that the easiest way to do something
authentication (MFA), devices infected with malware, services so we can achieve the highest possible is the also right way. We continuously apply lessons
and shadow IT.
or legacy authentication protocols, security teams standards for security. from security incidents to improve our methods.
can’t act on resources they simply don’t know about. In response to rising phishing and social engineering
If there is a weak point in your system, threat actors We are taking proactive steps to keep security
These include: attacks, for example, we’re issuing phishing-resistant
are going to find it. You may be using the latest deficits from re-accumulating:
credentials like passkeys to all employees. We also
security tools to fortify your core environment, but if ▪ Unsanctioned, unmonitored or abandoned
▪ Maintaining a comprehensive inventory of all introduced video-based user verification for lost
you still have old infrastructure, unpatched systems, tenants built ad hoc for development, testing,
production software and hardware assets. credentials and automated processes for deploying
outdated configurations, and apps granted too many or demos.
▪ Enforcing a standard approach for creating security keys and storing secrets. Our platforms
permissions by departments you aren’t even aware ▪ Applications and workload identities with no
secure test tenants with zero trust principles, operate at the highest industry standards, and
of, then you may be unwittingly leaving security known owner or governance.
automatically deleting them after use to avoid we’re building systems to maintain these levels as
holes for threat actors to exploit. ▪ Developer secrets checked into public legacy infrastructure buildup. standards evolve.
Leaving these issues unaddressed is like installing a code repositories.
▪ Increasing isolation of development and test The Secure Future Initiative is not a destination, but
vault with an impenetrable lock, then forgetting the ▪ Storage repositories with inadequate environments to prevent lateral movement an ongoing commitment to a security-first culture
vent that leads to the roof. Or, forgetting about the access controls. into production. that proactively identifies and openly discusses risks,
drain to the sewer or the unfortified wall adjacent to
▪ Enforcing the use of standard libraries and issues, and blockers; quickly learns and iterates;
the parking lot. The burglar won’t be discouraged Clearing out technical debt
advanced code security checks for all apps and standardizes tools, dashboards, practices, and
by the lock—they’ll just find one of the alternate As part of our Secure Future Initiative (SFI), Microsoft
and services. principles across all engineering teams. As with every
pathways you have left for them. embarked on rigorous “spring cleaning” to
▪ Automatically scanning all internal productivity feature and experience we ship, we’ll share with
When it comes to digital security, it doesn’t matter strengthen our environment and cloud services customers what we do, how they benefit, and how
against threats. We removed millions of unused systems to remove passwords, secrets, and keys
how locked-down your user policies are: if an they can better protect themselves.
and non-compliant applications and tenants from that attackers could exploit.
adversary can gain entry via a long-forgotten
our environment, refreshed hundreds of thousands ▪ Improving logging capabilities to detect, Joy Chik
avenue, they will.
of credentials (including security certificates), and investigate, and mitigate vulnerabilities faster, and President, Identity and Network Access
segmented and isolated our network. share insights with customers sooner.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 56

Introduction by Joy Chik continued Introduction Strategic cybersecurity Supporting the ecosystem Collective action

Putting security above all else

The Microsoft Secure Future Initiative (SFI) “If you’re faced with the
S E C U R E BY D E S I G N | S E C U R E BY D E FAU LT | S E C U R E O P E R AT I O N S
is a multiyear initiative to evolve the way we tradeoff between security
design, build, test, and operate our products and another priority, your
and services, to achieve the highest possible
CO N T I N U O U S I M P R OV E M E N T answer is clear: Do security.
standards for security.
In some cases, this will mean
It’s our long-term commitment to protect
prioritizing security above
both the company and our customers in the
ever-evolving threat landscape.
S E C U R I T Y C U LT U R E A N D G OV E R N A N C E
other things we do, such
as releasing new features or

730k
providing ongoing support
for legacy systems.“”
SFI non-compliant apps Protect identities Protect tenants Protect Satya Nadella
and secrets and isolate network
eliminated Microsoft CEO,
production systems
May 3, 2024

5.75 million
inactive tenants eliminated, drastically
reducing the potential cyberattack surface. Protect Monitor and Accelerate response
engineering detect threats and remediation
systems

Links
Secure Future Initiative | Microsoft

PAV E D PAT H S TA N DA R D S
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 57

Introduction Strategic cybersecurity Supporting the ecosystem Collective action

Strategic approaches to cybersecurity:

“Managing your own house”
Data security moves within the organization, how users, customers
or partners interact with it, and what level of risk is
Securing organizational data has also become
a multifaceted task, leading to the adoption of
stores, identifying sensitive data, then labeling and
protecting it to ground the data and prevent its
acceptable for the organization. multiple, hard-to-manage tools. This kind of unintended exposure to AI apps.
Accountability is increasingly central to the world
fragmented approach creates more noise from
of data security. From security strategies to new Data doesn’t move on its own. It’s moved by people. Applying data loss prevention policies for inputs
duplicated alerts, making it harder to identify and
policies governing generative AI, organizations must Because different people require different levels and outputs from AI apps helps to prevent both
investigate actual incidents. Organizations using
start taking responsibility for what is going on under of access, a comprehensive data security policy overexposure and leakage for new AI generated
over 15 tools experienced nearly three times more
their own digital roof. must be dynamic, considering both data and user data, while automating data classification and
data security incidents than organizations using
context. This lets organizations balance protection labeling vastly reduces the risk of data exposure.
Key components of an effective data fewer tools. This is why it is so important to invest
and productivity, allowing low-risk users to continue In summary, data loss prevention policies can apply
security strategy in integrated, automated data security solutions to
working as usual while restricting the actions of to data that AI models consume and generate.
achieve the best outcomes.
In our experience, the most successful data security users with elevated risk.
implementation strategies consider the following: As data types proliferate, sources get more complex, How generative AI is fueling the need for
visibility, risk detection, classification, labeling, data and generative AI technology gains traction, data data security policy implementation Links
protection, and data leakage prevention across your security is inevitably becoming a pressing concern. Microsoft’s AI products, such as Copilot, are
multi-cloud and hybrid digital estate. Microsoft insights and best practices in securing
A 2023 Microsoft study found that over 40% of enterprise designed to use only information you already
data | Microsoft Security Blog | Oct 2023
It is no longer enough to focus solely on the data; (>500 employees) organizations’ annual cybersecurity have access to. When other generative AI apps are
it’s just as important to understand how that data budget on average is now allocated to data security. deployed on ungoverned data estates it can result Empowering employee self-service with
in data oversharing or leakage as users may end guardrails: How we’re using sensitivity labUsing
up accessing sensitive data. It is difficult to protect sensitivity labels | Apr 2024
An integrated approach to data security Information
protection data from AI-related security risks given many How to use prompts in Microsoft Copilot for
Classify and label sensitive data, and prevent its
organizations don’t actually know where—or even Security | Microsoft Security Blog | Feb 2024
unauthorized use across apps, services, and devices.
what—their sensitive data is.
Understand the user intent and context around the Data loss A DA P T I V E Insider risk Microsoft Copilot for Security in Microsoft
use of sensitive data to identify the most critical risks prevention PROTECTION management Studies show 83% of organizations experience Purview | Microsoft Learn | Sep 2024
multiple data breaches over time, so getting ahead
Assign high-risk users to appropriate DLP, data of the risks is critical. Data environments must be GitHub - Azure/Copilot-For-Security
lifecycle, and Conditional Access policies
prepared for AI, which requires inventorying data
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 58

Data security continued Introduction Strategic cybersecurity Supporting the ecosystem Collective action

Harnessing generative AI to define your

data perimeter Readiness levels: Protecting and governing data
The rise of generative AI while benefitting from generative AI
AI can be a powerful tool for data exploration, and
applications poses a serious 4
customers and partners worldwide are increasingly
using it to improve their data management threat to organizations that Driving force
practices. For example, data security teams are haven’t implemented sufficient 3 for innovation
using AI to refine their data loss prevention data governance controls. Used to enhance Generative AI used
policies, classification labeling practices, and as a driving force
productivity for innovation.
encryption usage. 2 Expand adoption
Generative AI used to
throughout the
While innovative AI applications like Copilot offer enhance productivity.
Limited Optimize data governance
organization,
exciting possibilities, it is crucial for organizations
To expedite this process in the realm of cloud
implementation and loss prevention. Use
continuously improve
to first understand their data perimeters. By doing 1 advanced capabilities
user behaviors
so, they can implement effective governance computing, generative AI applications can be used Limited implementation and accountability,
for risk management
controls and data loss prevention policies to prevent to suggest improvements to data loss prevention Prepare of generative AI. and compliance.
and extend data
governance to cover
overexposure and loss. Proactive measures must also policies. Our latest findings indicate that these data Restrict access to
all environments.
sites that may
be taken to safeguard infrastructure, devices, and applications can provide a quick and strategic Prepare your data contain sensitive files.
containers against data-targeted attacks. approach, particularly for engaging and convincing for generative AI. Leverage tools that
Focus on labeling data, provide visibility into
policy users and creators who may be initially
implementing controls, how users are using
resistant. Moreover, when there is a need to discover and educating users AI, which can inform
the data estate, the computational capacity of about data protection. stronger protection
generative AI can handle vast amounts of data, controls.

allowing for efficient governance.

Compliance managers have been able to discern
Links
the sensitive, unprotected data from other data,
and gain valuable time to approach the next steps. Whitepaper: Prepare your data for secure AI
An example of an interaction with a generative adoption | Microsoft Security Blog | Jul 2024
AI assistant would be: “Show me the unprotected Data security and compliance protections for
documents with sensitive information types in this Microsoft Copilot | Microsoft Learn | Aug 2024
SharePoint site I can access” and the AI assistant
would generate a successful eDiscovery query. Zero Trust principles for Microsoft Copilot for
Microsoft 365 | Microsoft Learn | Apr 2024
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 59

Data security continued Introduction Strategic cybersecurity Supporting the ecosystem Collective action

Cyber Point of View: Sweden

Using the cloud to protect The key learnings of this event were:
against ransom attacks ▪ It is crucial to have advanced detection
In November 2023 the Church of Sweden, a capabilities for identifying and mitigating
religious institution with over 5.4 million members data exfiltration with 24/7 active monitoring.
and 3,400 churches, was targeted by Russian Without this, the impact would have been
ransomware-as-a-service operator Blackcat. much greater.
Despite detecting the threat and acting quickly, ▪ The time window for patching critical
data was exfiltrated and a significant number of vulnerabilities has narrowed, from 14–30 days
systems encrypted before the threat was isolated. five years ago to a mere 24–72 hours today.
It took over two months to recover, impacting the This is in part because software vulnerabilities
Church’s ability to raise funds during the critical have become more prevalent as initial
Christmas period and to perform some services, access vectors.
such as funerals. ▪ It is important to have ongoing business
continuity planning that includes cyber threats
Since the Church’s cloud services remained in-
in order to minimize the disruption and
service, the Church was able to maintain its internal
inconvenience caused by such attacks.
and external communication through M365, which
was a key factor for maintaining effective crisis
communication throughout the crisis.
As has become common in recent years, not only
were the Church’s systems encrypted and data
exfiltrated, but the Church then faced an extortion
threat if it did not pay to prevent that data from
being published. Ultimately, a second threat actor,
Lockbit, published 2.3 million files after the Church
refused to pay.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 60

Data security continued Introduction Strategic cybersecurity Supporting the ecosystem Collective action

Hierarchy of cybersecurity needs

Drawing inspiration from Maslow’s hierarchy of needs, this graphic illustrates a prioritization of cybersecurity, starting with the most basic need:
protecting identities. AI has a role at each tier, underscoring its potential to enhance security measures. Cultivating a robust security culture
within the organization, helps ensure the technological defenses and human practices evolve in concert to mitigate threats effectively.

AU T O M AT E S E C U R I T Y O P E R AT I O N S I M PAC T…
Automating security operations is the holistic approach to building Automating processes at scale creates new opportunities
on perspectives and insights across all layers in the pyramid. for insights as well as relief for stressed defenders.

D E T E C T A N D R E M E D I AT E T H R E AT S I M PAC T…
Monitoring your ecosystem to identify anomalous The ability to identify and respond quickly can limit lateral

He
activity and contain threats. movement, contain damage to assets and deny persistence.

n
t io

alt
ra

hy
te g

ecs
S E C U R E D I G I TA L A S S E T S I M PAC T…

I in

ur
Digital assets, whether code, traditional data stores, and now -
Modern workloads deliver the value-add to end users

eA

it y
generative AI models are all key components of modern workloads. who increasingly rely on their integrity and availability.

ti v

cu
ra

lt u
ne

re
Ge
PROTECT ENDPOINTS I M PAC T…
Protected endpoints include the multiple dimensions of devices Effective endpoint protection can limit the
in use today – from PCs and mobile devices, to network and repercussions of unauthorized access.
operational technology (OT), and servers in datacenters.

PROTECT IDENTITIES I M PAC T…

“Attackers don’t break in, they log in.” Credentials for Strong identity security can greatly reduce risk
both individuals and machines are the perimeter of the —
exposure—particularly for ransomware attacks.
modern attack surface.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 61

Introduction Strategic cybersecurity Supporting the ecosystem Collective action

Threat-informed defense The Silo Effect

Thinking differently to address threats Defenders must adapt

Most organizations rate bugs according to
severity and how difficult they are to mitigate
to attacker’s mindset.
before assigning a team to fix them within a set
compliance window. However, what happens is
clashing prioritizations and silos with no knowledge
of an adversary’s attack path. Hence the saying: Defenders think in lists
“Defenders think in lists and attackers think
in graphs”.
Organizations have complex operating environments Attackers think in graphs
that require defenders to see across various vendors
in order to discover attack paths. Instead, they
should look to understand their critical assets and As long as this is true,
crucially how they are, or could be, connected. attackers win
The resulting view of an organization’s posture is
key to understanding the risk exposure to cyber
threats. By adopting an attacker’s perspective, the
prioritization of mitigation efforts is enhanced.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 62

Threat-informed defense continued Introduction Strategic cybersecurity Supporting the ecosystem Collective action

Pre-breach attack path analysis Critical asset management

It is imperative to thoroughly map an estate’s Attack path insights for threat-informed
- defense (June 2024)
Traditionally, organizations have leaned on all sorts
of different security tools to manage threat exposure “crown jewels.” This can include critical servers,
across their estate. This messy patchwork of highly privileged identities, sensitive data, or other
approaches however, can lead to exposure visibility assets. Microsoft data indicates that an average 10% 90%
gaps and efficiency challenges. <1% of organizational assets are of high interest
to attackers. of attack paths contain three steps or less of organizations are exposed to at least one
This makes it imperative for security leaders to reach attack path
a unified and comprehensive view of their estate and Attack path management
to both continuously and smartly prioritize exposure Organizations should identify the most likely attack 61% 3%
reduction efforts. Prioritization should seek to paths leading to critical assets and continuously of attack paths lead to a sensitive user account of organizations are exposed to more than 1,000
understand threats and attacker perspective, identify mitigate them. An attack path calculation attack paths
“crown jewels” of interest to the attacker, and both incorporates things such as asset inventories,
identify and mitigate any paths that lead to them. vulnerability/weakness data, and external attack 40% 80%
Three key components are required for threat- surfaces to construct a possible attack chain leading
of attack paths include lateral movement based on of organizations have attack paths that expose
informed defense: single pane of glass, critical asset to a critical asset. -
non-interactive remote code execution critical assets
protection, and attack path management.
14% 22%
Single pane of glass
of attack paths allow attackers to move from on-- of organizations had an attack path identified in
Organizations should consolidate threat exposure
premises to cloud environments the cloud
insights across their estate into a single view
covering cloud assets, on-prem devices, data, Links 1% 8%
identities, applications, network, and the Internet of Introducing Security Exposure Management -
Things (IOT). This should then be used to manage of attack paths start with a critically vulnerable internet-- of organizations have a chokepoint that is involved in
Microsoft Community Hub | Mar 2024 facing device at least 10 attack paths
top threats such as ransomware and business

<1%
email compromise, as well as exposure to threat Identifying and Protecting the Crown Jewels of
campaigns and actors. your Cloud | Aug 2024

80%
Exposure insights and secure score in Microsoft
Security Exposure Management | Aug 2024
of organizational assets are
One graph of everything - Microsoft Security of high interest to attackers
of organizations have attack Exposure Management Graph | May 2024
Source: Microsoft Security Exposure Management
paths that expose critical assets
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 63

Introduction Strategic cybersecurity Supporting the ecosystem Collective action

Optimizing governance Leaders must establish a system of accountability,

prioritization, and aligned incentives that is
Key elements should include: Tips to build security literacy:
Avoiding blame. Make it personal and human.
and accountability executed and monitored across the organization.
Unless there is a clear violation of professionalism Build training tailored to your organization and
They must delegate risk accountability, mitigation
or failure of due diligence, avoid assigning blame roles (so people can apply it easily and quickly).
When viewed as a business risk, cybersecurity is implementation responsibility, and associated
for security incidents. Blame invariably increases risk Relate stories about how attacks could happen in
everyone’s responsibility. As senior managers wrestle budgets/costs to leaders, managers, and individual
by poisoning a culture with fear and undermining real life, and teach people to use safe cybersecurity
with how to set up their organization’s governance, contributors, as accountability alone cannot create
the collaboration required for an effective practices at home and at work.
the need for a more responsible approach to a healthy culture. Unfunded mandates or the
coordinated defense.
operating models quickly emerges, particularly belief that “security is the security team’s job” will Make it clear.
when it comes to defining security responsibilities result in avoidable security weaknesses, increased Making sure learnings or issues don’t slip Always ensure people understand why it’s important,
for roles that sit outside the scope of the security burnout of security resources, and, in time, greater through the cracks. what they need to do, and how to do it through
team. These tasks are further complicated by how organizational cost. Security issues are often discovered through critical policy and education.
dynamic and rapidly changing the threats that thinking, fresh perspectives, and unexpected
Leaders must support mechanisms that incorporate Make it engaging and fun.
cyber challenges post to technology platforms and sources. Establish ways to capture inputs and
security into business unit KPIs/scorecards, inclusion
transforming business models. feedback regardless of where they are found (“See Use gamification, interactive hands-on components,
of security in enterprise business discussions among
something, say something” adage). positive reinforcement, and/or public recognition to
To manage this, organizations should adopt executives and boards of directors, and security
keep people engaged.
comprehensive, clear, and adaptable operating education for all roles. They must also evaluate the Sharing responsibility.
models. Their culture and governance structure systems of financial incentives in place, including Make it easy.
Organizational leaders must normalize security as
must make it clear that security is everyone’s role, those at the senior level to ensure good security Most people prefer to take the easy path in all
part of everyone’s job. Everyone in the organization,
providing clear guidelines, and building in flexibility behavior is prioritized and rewarded. They must also things, so ensure the security behaviors you want to
including board members, must have basic literacy
to accommodate changes in the threat landscape. publicly promote the idea that security is important, drive are simple and straightforward.
of cybersecurity threats, a sense of personal
Cybersecurity incidents are like forest fires: they can and demonstrate that everyone is expected to responsibility for security, and clarity on their role
start anywhere and spread anywhere within minutes. collaborate to solve security problems. in security.
Organizations should focus their security culture and
Establishing cross-team processes and goals is
governance efforts on accountability, teamwork, and Requiring cross-team training and learning. Organizations should focus their
crucial, as many people have never even worked
shared responsibility. Fostering understanding, empathy, and repeatable
with other teams on security issues and very often security culture and governance
Accountability always starts at the top, with cross-team processes enables teams to work well
don’t know who to work with in the first place.
together on security. This typically requires ongoing efforts on accountability, teamwork,
organizational leaders who not only understand Shared goals must be reflected in performance
their responsibility for security outcomes but focus, reinforcement, and practice to overcome and shared responsibility.
metrics for executives, teams, and individuals
ensure that security risk management is embedded past habits.
throughout the organization.
across their business in an organization-wide and
collaborative way.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 64

Introduction Strategic cybersecurity Supporting the ecosystem Collective action

Security incident decisions: Dispatches from the field Communication Communication does not end once the incident
is resolved. Ongoing updates on the progress,
Without accurate information and established root cause analysis, and preventative measures
Security incident decisions communication lines, key data may be lost or poorly are vital. Providing regular post-incident
relayed during a security incident. A company communication that includes lessons learned
should therefore tailor its communication based and actions taken to prevent future incidents
on its audience, for example: company executives, demonstrates transparency, builds trust, and shows
Preparation Communication Execution regulatory bodies, employees, and the public. the organization’s commitment to security and
Each group requires different levels of technicality. continuous improvement.
Microsoft’s Incident Response (IR) team are the First Responders of the cybersecurity space.
Executives need brief, high-level summaries that
Similar to how police, fire or, paramedics are called to the scene of an accident, the IR team must quickly focus on the impact on business operations Execution
assess the situation, devise a plan, and take immediate action. And just like how society has come to and steps being taken to resolve the issue. In terms of technical preparation, execution
depend on the lessons First Responders have gleaned over decades of service, the real-world experience Regulatory bodies require detailed reports that encompasses all aspects for which a company
of our IR teams can be used as a template for organizations to better prepare for cyber incidents. comply with legal and industry-specific regulations. can plan.
In particular, we highlight three categories: preparation, communication, and execution. Communication with the public is equally important
Established playbooks not only consist of procedural
and should provide transparent and reassuring
plans to contain, recover, or remediate risks, but
messages that protect customers’ trust and address
also include actionable steps to address these
their concerns without revealing sensitive details.
Ever wondered why First Responders are able to tasks. Common examples include: containment and
Preparation A similar approach should be taken for internal
control an emergency so quickly and confidently? recovery of identity systems which may require a
It is crucial to have a well-prepared response plan communication. Establishing a single source of mass password reset.
1 Preparation in place before an incident, as scrambling for key truth for employees—an internal communications
Other containment actions need to be taken into
2 Established playbooks information during an incident can be chaotic. channel or newsletter—is important for reducing
account. What measures, technologies, tools, or
This means identifying key decision makers, misinformation. In situations where established
practices should be followed in the event of a
business-critical applications and services, roles communication channels could be compromised,
Too often, IR teams find their customers don’t compromise on multiple client systems? Although
and responsibilities, and response and recovery having an alternative communication channel
have a reporting plan in place. This means it takes a company may have excellent security tools in
processes well in advance. Not having this is crucial.
precious time to understand the needs of each place, their effectiveness is diminished if the team
individual stakeholder and establish the necessary information at hand leads to longer recovery times
responsible for managing them lacks proper training.
line of reporting. and higher impacts on the business.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 65

Security incident decisions: Dispatches from the field continued Introduction Strategic cybersecurity Supporting the ecosystem Collective action

Additionally, recovery actions (such as recovering ▪ Technical decision makers and operations
data rendered inaccessible by the threat actor) can personnel are also crucial during incidents as Cyber Point of View: Latin America
be beneficial. Organizations do not always have the they possess deep knowledgeof dependencies.
chance to practice these actions and this lack of ▪ To navigate the legal aspects and maintain Tough lessons for board members Following the simulation, Microsoft facilitated
familiarity with recovery practices can significantly compliance, a legal team (internal and/or about cybersecurity dialogue and knowledge exchange among
impede attempts to restore the environment in a external) is critical especially when incidents the participants, underscoring the power of
Microsoft recently launched an initiative that
timely manner during incidents. A mature playbook involve sensitive data, such as personally collaboration in addressing cybersecurity
brought together unions like the Instituto de
process can be compared to fire drills at a work site. identifiable information (PII). challenges. This exercise showed how experiential
Directores de Chile, IDirectores, Icare, and Women
Many companies regularly test their preparedness learning and collective engagement can enhance
Corporate Directors and board members from
for a fire emergency, but only a limited number Lack of preparedness simulation exercises board members’ understanding of cybersecurity
over 150 companies in Mexico, Chile, Colombia,
do the same with cybersecurity. This reinforces ▪ To prepare for incidents, nothing is more effective and strengthen an organization’s resilience.
and Peru.
the importance of preparation, including creating than conducting mock or tabletop exercises.
tabletop exercises and conducting drills to validate ▪ These exercises equip individuals with the skills The initiative simulated a cyberattack on a retail
their effectiveness. and knowledge to handle real incidents and company during the peak of Cyber Monday,
provide valuable insights about areas in need to serve as both a crisis management test and
The following are the most common challenges an opportunity for learning and collaboration.
we encountered during IR engagements: of improvement.
It was executed without alerting the participants
Reporting lines are not clearly defined beforehand and began with a phishing email
▪ Reporting lines are needed to make the right sent to an employee, and the board members’
decisions and keep everyone informed of current responses provided valuable insights into
ongoing tasks, investigation and recovery organizational preparedness and areas
progress, and business impact. for improvement.

Roles and responsibilities are not clearly defined

▪ Having unclear definitions of roles and
responsibilities can hinder the effective and timely
response to security incidents. The speed of
recovery necessitates prompt decision-making.
▪ Business decision makers have a crucial
Links
role in defining business-critical services,
making investment decisions, and setting Creating a proactive incident response plan |
company strategy. Microsoft Security Blog | June 2024
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 66

Introduction Strategic cybersecurity Supporting the ecosystem Collective action

Resilience maturity
Within the dynamic realm of cybersecurity, the IR team regularly confronts a wide spectrum of customer challenges. Drawing from this rich
experience, we have found that an organization’s resilience maturity can be determined based on four pillars: Operational, Tactical, Readiness,
and Strategic. Maturity in each of these pillars is categorized as either Basic, Moderate, or Advanced.

Operational Tactical

For day-to-day IT operations, good preparation and maturity can ensure that an organization has Prepare for initial response to an incident to respond logically and efficiently.
good visibility of its estate, documented reliable playbooks, and rapid response capabilities based ▪ Maintain detailed and practiced IR plans with clear actions to be taken in the event of an incident.
on automation. ▪ Provide IR and threat-hunting teams with a clearly defined scope for proactive security hardening
▪ Deploy an endpoint detection and response solution on all desktops and servers, with a dedicated duties. Enforce strong phishing resistant MFA for all user accounts.
security operations team whose primary role is monitoring and actioning alerts. ▪ Establish a ready, out-of-band communication channel in case there is a severe infrastructure
▪ Automation within an existing SIEM / SOAR solution. compromise. This helps to ensure timely and secure communication with dedicated update meetings
to keep all participants informed.
▪ Test, tune, and actively manage custom playbooks and adjust them to specific needs.
▪ Implement firewall and endpoint containment capabilities. Set up mass password reset capabilities
▪ Implement a multi-tier security operations center (SOC), where common alerts are automatically and automatic attack disruption mechanisms.
triaged. Establish a feedback loop to improve playbooks and adjust environment hardening.

Readiness Strategic

Prepare for a cybersecurity incident. Take steps to improve overall security posture in the longer term.
▪ Require employees to complete training and demonstrate understanding of material before granting ▪ Actively managed software and technology, with planned migration and modernization projects to
continued access to company resources and data. keep infrastructure up to date. Proactively implement new technologies.
▪ Conduct continuous access reviews for company resources and data. ▪ Conduct proactive and automatic vulnerability scans on a scheduled basis, for impact analysis on newly
▪ Implement service level agreements for recovery time and recovery point objectives. published vulnerabilities. Track and follow up on mitigations. Ensure scheduled maintenance windows.
▪ Maintain up-to-date infrastructure diagrams and documentation across entire environment. ▪ Clearly define access and authorization strategy to implement zero trust principles. Clearly define and
enforce just-in-time (JIT) and just-enough administration (JEA).
▪ Compare changes against an existing desired state before implementing them. Regularly update
documentation to reflect these changes. Maintain detailed asset management, including location, ▪ Use passwordless authentication for all identities, privileged or otherwise.
owner, and automatic device discovery, and with device compliance. ▪ Implement zero trust strategy with a clear desired future state, including continuous evaluation,
▪ Enforce strict compliance policies to ensure only compliant devices have access to company resources. improvement and defined timelines.
▪ Conduct tabletop exercises on a regular basis. Track and implement feedback and conclusions.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 67

Introduction Strategic cybersecurity Supporting the ecosystem Collective action

Supporting the ecosystem

The passkey journey: device and are never shared with a site or service.
Some passkeys sync between devices, meaning
Instead of vulnerable secrets or potentially
identifiable personal information, a passkey Actionable Insights
a story of collaboration users can recover them if they lose or upgrade uses a private key stored safely on the
user’s device.
their device. Others are bound to the device. 1 Consumers: look for the passkey logo to
across the industry And last but not least, passkeys are much more Platform support for creating and managing identify websites or services that support
convenient for users as people no longer have to passkeys is the first step towards mass adoption. passkeys. Create and use passkeys
Passkeys perform a simple function. They offer users wherever possible.
worry about creating, remembering, resetting, or According to the FIDO Alliance, more than 140 major
faster, easier, and most critically, more secure sign-
losing passwords. Passkeys can be stored in a variety websites had added support for passkey sign-in as 2 Security professionals: give vendors
ins to websites and apps across their devices than
of industry solutions including Windows Hello, of June 30, 2024, including Amazon, Best Buy, CVS feedback to help shape the future of
password-based methods.36
hardware security keys, mobile devices, and third- Specialty, eBay, Home Depot, Instacart, Lowe’s, passkeys. Ask whether they support
Instead of vulnerable secrets or potentially party credential managers. PayPal, PlayStation, Shopify, Sirius XM, Stripe, Target, passkeys and explore whether their
identifiable personal information, a passkey uses Uber, WhatsApp, X, and Yahoo, plus services from implementation supports your use cases.
Industry-wide efforts to eliminate passwords
a private key stored safely on the user’s device. Apple, Google, and Microsoft. Public sector support
in favor of phishing-resistant authentication 3 Software developers: visit the FIDO
It only works on the website or app for which the for the FIDO2 standard is gaining momentum and
are gaining traction. Passkeys represent the Alliance website for resources on how to
user created it, and if that same user unlocks it with national agencies in at least six countries as well as
most significant collaborative effort thus far. add passkey support to your website, app,
their biometrics or PIN. This means passkey users some US state and local governments are now using
Adoption has accelerated after operating system or service.
can’t be tricked into signing in to a malicious look- FIDO2 technology.
providers and password managers made it easy
alike website, and are unusable unless the user is
to issue passkeys and bind them to hardware. As industry support for passkeys grows, general
present and consenting. These are some qualities
Members of the FIDO Alliance37 and the World awareness will increase as a natural consequence.
that make passkeys a “phishing-resistant” form
Wide Web Consortium (W3C) worked together on Makers of operating systems, platforms, and
of authentication.
the standards. They include vendors who create credential managers, as well as relying parties
Passkeys are not only more secure than passwords, browsers, operating systems, and hardware security such as providers of consumer-facing websites, are
Links
but also are easier to use and manage. Signing in keys, as well as banks, hardware platform providers, working with the standards bodies to make the
requires a simple unlock gesture: looking into the major retailers, and government bodies. All major passkey experience even easier and more secure. Public preview: Expanding passkey support in
device camera, pressing a finger to a fingerprint operating systems, browsers, and mobile platforms In the meantime, the message for anyone concerned Microsoft Entra ID | Microsoft Community Hub
reader, or entering a PIN. Neither biometric now support passkeys. about cyber security is clear: passkeys are better | May 2024
information nor the local PIN ever leaves the than passwords and most forms of legacy MFA.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 68

The passkey journey: a story of collaboration across the industry continued Introduction Strategic cybersecurity Supporting the ecosystem Collective action

Cyber Point of View: France

Enhancing France’s The kit is available in French and English and
cybersecurity workforce can easily be translated into different languages
and tailored to specific countries. Its flexible and
France is grappling with a deficit of 60,000
adaptive nature, coupled with its open-source
cybersecurity experts, a part of the broader
availability on GitHub, allows for continuous
European shortfall of 300,000 professionals. In the
updates and customizations. This makes an
face of this acute shortage, the local Microsoft
excellent resource to attract interest in the
cybersecurity team developed the “Cybersecurity,
cybersecurity field. Since its pilot in May 2022, the
My Future Job!” pedagogical kit.
kit has been used not only with students, but also
The kit is part of a wider cybersecurity skills in corporate training settings as well.
training plan launched in 2022 and was created
using existing local content from ANSSI, CNIL,
and Cybermalveillance.gouv.fr, all of which are Links
French organizations dedicated to cybersecurity Cyber Kit | Jun 2024
and privacy.
Microsoft lance son Plan Compétences
It is designed to help young people (15 to 21 Cybersécurité pour former 10 000 nouveaux
years old) better understand cybersecurity issues professionnels en France en 3 ans | May 2022
and discover associated professions. It features
independent modules that can be completed
in a one-hour session or extended to a half-day
workshop and two guides: one for participants and
one for facilitators.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 69

Introduction Strategic cybersecurity Supporting the ecosystem Collective action

Critical environments A three-step action plan: insights from

testing OT applications
Based on this work we’ve identified three core
actions that, if taken by the operations technology
▪ Electrical power monitoring systems: These
systems monitor electrical power aspects such
Our previous Microsoft Digital Defense Reports have industry, would significantly improve the security of as frequency, voltage, and wattage. They are
Our global datacenters rely heavily on OT
shown that while IT hardware and software security systems across the industry: passive systems connected to power meters and
equipment, such as sensors and actuators.
has strengthened, the security of IoT and operational circuits, focusing on monitoring and situational
These devices are pivotal for managing critical 1 Adopt modern authentication for users
technology (OT) devices has not kept pace. In this awareness of the health of all electrical systems
processes including power management and cooling and devices.
section we offer security stories from the critical in orchestration of power flowing to customer
systems within our infrastructure. Recognizing the
infrastructure frontline.
2 Enable centralized device configuration facing servers.
need to secure these foundational technologies,
management and secure apps and devices ▪ Battery monitoring systems: These continuously
At Microsoft, we manage a large and growing Microsoft has spearheaded a crucial initiative over
by default. assess the health and performance of batteries
estate of OT devices essential to the operations of the past four years aimed at fortifying the security of
third-party OT applications which are integral to not 3 Implement a Secure Development Lifecycle under different load conditions to ensure
our global datacenters. The following section of
only our operations but also the wider ecosystem. (SDLC) program for product development that is datacenter availability by preventing battery
the report details our experiences managing this
certified by independent security experts. backup failures.
infrastructure in two important aspects: building Our targeted security program reviewed these
and operating a program for reviewing the security third-party OT applications to identify and address Building on this, the goal of any OT application
of third-party OT applications, and managing the potential vulnerabilities, to help ensure their Types of OT systems in datacenters security review program is to:
unique process of updating fleets of OT devices to robustness and reliability. The initiative not only The OT infrastructure systems in datacenters ▪ Identify and mitigate security vulnerabilities.
address security vulnerabilities. bolstered the security posture of our datacenters are critical for maintaining operational integrity Identify security vulnerabilities within third-
but significantly contributed to enhancing security and safety, focusing on ensuring optimal party OT applications, which are critical for the
Security stories from the frontline of OT
standards across the OT industry. environmental conditions and monitoring essential operation of datacenters.
Threat actors are now exploiting OT devices to do operational parameters:
We shared the findings from our reviews with the ▪ Ensure operational integrity. Review and
everything from accessing critical and operational
respective vendors of the products evaluated, ▪ Industrial control systems (ICS): Also referred secure OT applications that manage critical
networks, to enabling lateral movement, establishing
creating a collaborative environment for knowledge to sometimes as OT, these systems monitor infrastructure, such as the above-mentioned
a foothold in a supply chain, or disrupting the
sharing and mutual improvement in OT application hardware to ensure everything runs at optimal systems. This is vital for maintaining the
target’s OT operations.
security. Raising the security bar in this way, the levels. They include sensors and devices for availability and reliability of services.
products are being made more secure for the whole managing power and environmental conditions ▪ Offer compliance and risk management.
industry. For instance, this collaborative approach within datacenters. Conducting security reviews helps in compliance
has led to significant security enhancements in ▪ Building automation systems: These systems with internal and external security standards
products such as power monitoring systems, which are focused on cooling systems, HVAC, water and regulations. It also plays a significant role in
now integrate more securely with Windows Server chillers, and other mechanisms for producing risk management by proactively identifying and
Active Directory, marking a substantial improvement cold air. They are considered active systems with addressing security risks.
from non-directory based accounts. moving parts like fans, water chillers, and pumps.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 70

Critical environments continued Introduction Strategic cybersecurity Supporting the ecosystem Collective action

Inherent risks of vulnerabilities

in OT equipment Emerging challenges and trends As of July 2024, we had
▪ Health and safety: The exploitation of Looking ahead, we are seeing a number of trends that will increasingly impact OT security. identified and shared over
vulnerabilities in OT software can lead to
300 vulnerabilities in third-party
significant health and safety risks. For example, 1 ICS/OT solution providers, like all solution 3 ICS/OT attack frameworks and toolkits that
if the cooling systems in datacenters are providers, aim to integrate and upgrade their support OT devices and protocols used
OT applications. The initiative
compromised, it could lead to overheating, existing solutions with modern cloud and for critical industrial processes are being contributed to significant
posing a risk to both the equipment and AI/ML-based solutions for industrial control developed and used by malicious actors. improvements in security
individuals within the facility. processes. While these advancements are across the OT industry.
4 Automated and AI enabled attack techniques
▪ Service disruption: Vulnerabilities can lead to exciting, they also challenge the effectiveness create a sophisticated global attacker
disruptions in datacenter operations, affecting the of existing security controls and network workforce that never sleeps and is always
availability of services to customers. isolation techniques for critical processes. looking for vulnerabilities in security defenses.
▪ Data breach and loss: Security weaknesses could 2 Wireless networking is now prevalent in 5 Securing ICS/OT systems is challenging
enable unauthorized access, leading to data consumer and business technology products, because change is purposefully avoided to
breaches or loss of sensitive information. and is increasingly appearing in OT products ensure the process always works and can
▪ Reputational damage: Incidents resulting from as well. These wireless capabilities must have decades-long lifecycles in production.
unaddressed vulnerabilities can damage the evolve to meet the needs of industrial These systems risk becoming collateral
service provider’s reputation, affecting customer control environments before they can be damage even when not directly targeted
trust and business continuity. further adopted. by attackers.
▪ Compliance violations: Failure to secure
OT equipment can result in violations of
regulatory requirements, leading to legal and
financial consequences.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 71

Critical environments continued Introduction Strategic cybersecurity Supporting the ecosystem Collective action

Categorizing the vulnerabilities Critical 5% 13% 6%

Resource
As of July 2024, we had identified and disclosed and high consumption 16% 11%
Unencrypted
network
Information
disclosure
over 300 vulnerabilities to suppliers through our vulnerabilities Vulnerable and
outdated dependencies
Plaintext communication
secrets
OT application review initiative. This work offers a discovered 38%
Security misconfiguration
unique perspective on the types and risks of security in the critical
weaknesses in OT equipment. environment
disciplines for 18% Building automation systems
The most common security vulnerabilities we
datacenters
identified, prioritized by risk and impact, are: 37% 13% 25%
16%
Security misconfiguration Code injection Vulnerable and
Authorization
▪ Outdated authentication: Vendors should outdated
dependencies
adopt modern authentication methods, such
as integrating Windows Server Active Directory 22% Ancillary applications
for identity management, to enhance security
through Kerberos security groups, password 6%
Authorization
complexity, and rotation policies. 5%
Information 39%
▪ Insecure configurations: OT applications disclosure Security misconfiguration
11%
should be secure by default and not contain Identification and
built-in passwords or accounts that could pose a authentication
20%
security risk. They should also comply with secure Authorization Vulnerable and outdated
communication protocols like current versions 20% dependencies
40%
of TLS. Vulnerable
and outdated
▪ Outdated legacy libraries: Vendors should
update legacy software libraries, which are often
dependencies
51% Electrical power monitoring systems
6% Other
outdated and contain numerous vulnerabilities.
Updating, however, is a significant challenge due 20% 20%
Identification Unencrypted network
to the resources required for updates and the and communication
authentication 23%
potential impact on application functionality. Identification and authentication
tems
g sys
itorin
5%
ry mon 5% Unencrypted
3% Batte Plaintext network 9%
33% secrets communication Code injection
Source: Microsoft 67% Security Vulnerable
third-party OT & outdated
application misconfiguration
security assessments dependencies
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 72

Critical environments continued Introduction Strategic cybersecurity Supporting the ecosystem Collective action

The challenges of securing OT 1 Latency and Performance: Implementing security Network security of embedded devices
networking protocols measures like encryption can introduce latency While an application security program effectively
Actionable Insights
The OT environment is unique place. It has due to the need for additional processing, such as secures customer-owned managed devices, 1 Consider adopting a formal application
special characteristics and legacies that have SSL handshakes (Secure Sockets Layer connection datacenters face challenges from unmanaged
security review program for critical
resulted in the use of insecure networking to establish an encrypted link between client and employee devices, vendor equipment, and IoT/
OT assets.
protocols. Addressing these challenges is server to enable secure data transmission), which OT devices.
essential for improving the security posture of OT can impact real-time operational requirements. 2 Recognize the need to find a balance
These devices often fall outside of established between timely deployment of security
environments and protecting critical infrastructure 2 Legacy Systems Compatibility: Many OT systems security policies, presenting risks due to their patches and maintaining availability.
from emerging threats. For example, the lack of rely on older, inherently insecure protocols that diverse nature and the organization’s limited direct
encryption for backend network traffic poses a lack modern security features. In some cases, 3 Leverage solutions that build inventories
control and necessitating a different strategy to
risk if adversaries gain network access, including the hardware is not powerful enough to run of OT assets, prioritize risks, and help to
address them.
operational disruptions and potential sabotage. encrypted protocols. Upgrading these systems identify malicious network activities.
Other key challenges leading to insufficient security to support secure protocols can be challenging For example, runtime OT monitoring is an
protocols include: and costly. essential solution that helps organizations keep
a comprehensive inventory of devices (including
3 Certificate Management: Secure protocols
all information on operating systems, firmware,
often require managing digital certificates for
vendors, and models), assess the potential risk
authentication and encryption. This can be
exposure from these devices, and detect any signs
complex, especially for devices with limited
of malicious activity in real-time.
computational resources or in environments with
a large number of devices. Firmware analysis on embedded devices can also
be used to automate the identification of potential
4 Operational Priorities: In OT environments,
security vulnerabilities in these devices and
the priority is often on maintaining availability
identify and prioritize which devices need to be
and operational continuity. Security measures
patched when new vulnerabilities are discovered.
that could potentially disrupt operations may
The additional layer of network security can be
therefore be deprioritized.
achieved using a non-intrusive tool (passive) and
5 Resource Constraints: Developing and without any impact to the environments using a
implementing secure protocols requires dedicated network sensor or utilizing agents running
significant resources, including skilled personnel on the managed devices that can act as a data
and financial investment. Organizations may source to secure those unmanaged OT devices in
struggle with allocating the necessary resources the datacenter and without any deployment activity.
to enhance security.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 73

Critical environments continued Introduction Strategic cybersecurity Supporting the ecosystem Collective action

Cyber Point of View: Africa

Increasing the cyber resilience Microsoft was also the first industry supporter of
of emerging economies the Accra Call for Cyber Resilient Development,
now endorsed by over 50 governments. The Accra
Emerging economies continue to struggle with the
Call is a critical commitment, emphasizing the need
rising tide of cybersecurity threats. As a founding
for global action by focusing on the needs and
member of the Global Forum on Cyber Expertise
priorities of developing countries.
(GFCE), Microsoft partnered with like-minded
governments to tackle this risk through the first
Global Conference on Cyber Capacity Building
Links
(GC3B)38, in Ghana.
Bridging the cybersecurity gap: a collaborative
With over 1,000 delegates including international compendium for global development |
leaders, decision-makers, and cybersecurity Mar 2024
experts, the conference aimed to foster effective,
sustainable, and inclusive cooperation for cyber
resilience in emerging economies.
We announced our commitment to support GFCE’s
new Africa Hub, a regional initiative helping to
address cybersecurity issues through local and
regional means. Additionally, we brought to
conclusion our workstream on mainstreaming
cybersecurity into international development,
issuing sets of recommendations in partnership
with the Swedish Ministry of Foreign Affairs,
the International Telecommunications Union,
and GFCE.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 74

Critical environments continued Introduction Strategic cybersecurity Supporting the ecosystem Collective action

Managing software and firmware updates A fundamental difference between traditional IT Difficulties in updating software ▪ Updating software in production
in the critical infrastructure environment and OT is the need to prioritize systems availability. in the OT environment environments: This is not as simple as just
This is because the OT infrastructure is supporting installing an update: it involves extensive
Last year, we highlighted research that used Compared to traditional IT software, there are
critical services where disruptions and outages could testing to ensure updates do not disrupt the
customer telemetry to show that while OT security several key points to consider:
have significant, even life-threatening consequences. operational functionality or introduce new
vendors were patching critical vulnerabilities,
At its core therefore, managing the update process ▪ Availability is paramount: In datacenters, the vulnerabilities. Updates must be carefully planned
there was a significant delay between the patches
is a supply chain integrity issue: managing the primary function of OT systems is to ensure the and executed to avoid any disruption in service.
becoming available and when they were deployed—
equipment, core software, component origin and continuous operation of critical infrastructure, This often means that security patches and
in some cases, up to 10 years.
how they changed between updates. Any deviation such as power management and cooling systems. updates may be delayed or scheduled during
In the following section, we explore the OT software from expected operations or incompatibility in an Any disruption in these systems could lead to maintenance windows to minimize impact on
update challenge by using our Azure datacenters update can cause an outage, and this is difficult for significant operational issues, including potential availability. The challenge is to balance the need
as a case study: showing that increased software vendors to manage. downtime of services provided by the center. for security with the imperative of maintaining
security only works when it’s actually deployed. ▪ Security as a component of availability: uninterrupted operations.
For example, we saw variations in firmware versions
While availability takes precedence, security is ▪ The “infinite loop” challenge: Teams that
of a cooling system take out multiple datacenters.
not ignored. It is considered a component of manage our datacenters face the “infinite loop”
Contrast this with our fully cloud-managed system
availability, since security breaches can lead to problem, where updating to a new version of
where we control the entire supply chain and
service disruptions. Therefore, security measures software to address security vulnerabilities can
regularly update hundreds of thousands of devices
are implemented in a way that they do not introduce new vulnerabilities or dependencies,
in under two days without outages. We highlight
compromise the availability of the OT systems. leading to a cycle of continuous updates.
this approach as a north star for addressing the OT
update challenge, but recognize it is one that will This creates a situation where organizations are
take years to achieve. always carrying some level of security debt, as
new updates can potentially introduce new issues.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 75

Critical environments continued Introduction Strategic cybersecurity Supporting the ecosystem Collective action

Managing the OT software supply chain Datacenter outages caused by firmware version mismatch
Actionable Insights
OT applications and devices can be complex, with
hardware components, operating systems, core Based on our OT experiences with our
software, and supporting libraries sourced from a datacenters, we recommend the following:
wide variety of suppliers. 1 Vendors should provide clear
For a clean, seamless software update, all these documentation on the changes each
elements need to be controlled so that devices update brings, including any new
continue to operate as expected—if not, there is a vulnerabilities introduced. This transparency
risk of service interruptions and downtime. can help security teams make informed
decisions about updates.
This end-to-end control of a device update is very
difficult to achieve, and results in the “infinite loop”
2 Encouraging vendors to provide
cycle described above, impacting both vendors and incremental updates that fix current
security teams. Vendors often suggest upgrading to issues without introducing significant new
the next version as a solution to vulnerabilities found features can minimize the introduction of
in the current version, but this too can introduce new new vulnerabilities.
vulnerabilities. This cycle is challenging for security 3 Security teams should work closely with
teams as it becomes very difficult to achieve a state vendors to understand the impact of A recent real-life datacenter outage provides This resulted in a “packet storm” on the network
of minimal vulnerabilities. updates and prioritize fixing of critical a compelling case study on the challenges of controlling these devices, with high volumes of
vulnerabilities that do not introduce software updates in the OT environment. messages being passed between the devices.
significant new issues. As a result, the devices ran out of memory and
In our datacenters, OT cooling management
restarted. As they came back online, the devices
systems monitor the temperature, adjusting both
operated at a low fan speed. As a result, significant
fan speed and air flow to keep servers within an
parts of the datacenter computer infrastructure
acceptable operating range. If they fail the server
experienced a spike in temperature and had to be
will overheat, and to prevent physical damage the
shut down.
servers will be shut down.
This outage occurred across multiple centers.
In this particular case, a firmware update was deployed
While the teams quickly identified and resolved
to these systems, but due to a bug the devices with
the issue, it highlights how firmware updates
the new firmware did not communicate properly
implemented without significant testing can
with the devices running the previous version.
potentially cause unexpected outages.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 76

Critical environments continued Introduction Strategic cybersecurity Supporting the ecosystem Collective action

Experiences with fully-managed Key steps included:

device updates We consistently see updates ▪ Building verification tests: These tests, both Links
Our north star for OT software updates is one where deployed at scale to the entire hardware and emulated software, validate that Exposed and vulnerable: Recent attacks
all components in the software and device supply the update compiles correctly and maintains the highlight critical need to protect internet-
fleet of devices. Typically, expected contract with applications. This ensures
chain can be controlled to minimize unexpected exposed OT devices | May 2024
changes in device behavior on update. hundreds of thousands of that updates do not break existing functionalities.
devices are updated within Microsoft to help rural hospitals defend against
▪ Strict contractual layer: Azure Sphere maintains
A good example is our experience in managing rising cybersecurity attacks - Stories | Jun 2024
updates for Azure Sphere, which combines 48 hours of deployment with a strict contractual layer guaranteeing application
hardware, OS, and a fully cloud-managed no production outages or compatibility across OS updates. This means
applications are assured to run independently
application and security environment. This allows downtime issues reported. of OS updates, allowing for predictable behavior
control and visibility over the end-to-end supply
post-update.
chain of the product. Achieving this requires a
comprehensive test and development lifecycle ▪ Customer and Original Equipment
process to ensure updates can be deployed to Manufacturers (OEM) testing: Before an update
the entire fleet simultaneously, maintaining high is released to the retail environment it undergoes
standards of reliability and security. testing by customers and OEMs in a retail
evaluation setting. This step allows for real-world
Approaches like this will not be applicable in
testing and validation, ensuring that updates do
every OT environment, and the costs on the
not introduce new issues.
vendor side are not insignificant. However, we
do see this as a long-term approach to address ▪ Scheduled updates: The Azure Sphere
security vulnerabilities in the OT environment while platform allows for updates to be deferred,
maintaining the availability promises required to accommodating operational requirements.
protect critical infrastructure. This flexibility ensures that updates do not
disrupt critical operations.
▪ Fleet management at scale: Azure Sphere
supports fleet management capabilities, allowing
for updates to be managed and deployed across
devices at scale efficiently. This includes the ability
to set configurations remotely and manage
devices autonomously.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 77

Introduction Strategic cybersecurity Supporting the ecosystem Collective action

Collective action

The digital transformation Beyond NATO, Ukraine’s digital transformation of

the defense sector has showcased the effectiveness
of defense and a call for of industry-government collaboration and the use
of commercially available technologies in real-world
partnership security situations. Microsoft believes that structures
like NATO can complement national efforts in
Hybrid warfare, cyberattacks, and foreign influence
advancing the digital transformation of defense,
operations pose grave risks not just to IT systems,
as they help to maintain a broad perspective on
but to the stability, prosperity and national security
standardization and interoperability efforts and
of society itself.
ensure scale across an alliance.
As cyber risks take on more real-world consequences,
digital technologies can be powerful tools to enhance RAISE: The Roundtable for AI, Security,
our traditional defense capabilities. However, to and Ethics
make this a reality, we need a deeper partnership The Roundtable for AI, Security, and Ethics (RAISE)
between industry and governments to implement exemplifies the power of collective action through
the digital transformation of the defense sector. strategic partnerships and inclusive dialogue.
Technology and initiatives touching on AI and Led by the United Nations Institute for Disarmament
cybersecurity were front and center at the Research (UNIDIR) and launched in partnership with
recent 75th summit of the North Atlantic Treaty Microsoft, RAISE is an initiative dedicated to AI for
Organization (NATO). Cloud computing, AI, and national security, grounded in international legal and
quantum computing all have a role in cybersecurity, normative frameworks.
but their impacts on our collective defense can only
be maximized through joint action and collaboration
in defense innovation. Initiatives like the NATO’s
Defense Innovation Accelerator for the North
Atlantic (DIANA) and the NATO Innovation Fund
(NIF) exemplify the strength of these collaborations.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 78

The Digital Transformation of Defense and a Call for Partnership continued Introduction Strategic cybersecurity Supporting the ecosystem Collective action

RAISE launched in March 2024, assembling 4 Data practices: RAISE’s data practices initiative
experts from industry, academia, civil society, examines how data is sourced, curated, and used
and government. Initial participants included in AI systems, addressing issues such as biases,
representatives from China, Ecuador, India, Israel, explainability, and auditing to ensure responsible
Japan, Namibia, Russia, Switzerland, the UK, the US, and lawful AI in national security.
and others who worked to identify shared interests,
5 Lifecycle management: RAISE promotes
enhance cooperation, and generate actionable
governance approaches that manage AI
recommendations. Its goals are to reduce the
technologies across their entire lifecycle,
risks of AI in national security, support multilateral
emphasizing ethical and legal considerations
AI governance, and promote AI to enhance
“by design” to ensure responsible integration
security globally.
and disposal within existing systems.
This is done through six priority themes: 6 Destabilization: This initiative explores the
1 Trust-building: Establishing trust in AI security implications of AI as both a force-
development, deployment, and governance is multiplier and threat-multiplier, aiming to
crucial for national security. RAISE’s trust-building develop governance solutions that mitigate
initiative promotes transparency, accountability, risks of AI-related destabilization and contribute
and adherence to international norms, setting the to global stability.
stage for responsible and ethical AI governance.
2 Developing the knowledge base: RAISE
aggregates and analyzes authoritative research
to inform policy decisions and guide the
application of international law and norms in AI
for national security, building a comprehensive
knowledge base.
3 Integrating the human element: This initiative
focuses on the ethical, social, and psychological
aspects of human-AI interactions and decision-
making, ensuring that AI governance is rooted in Links
principles of human-centered design, inclusivity, RAISE: The Roundtable for AI, Security, and
and ethical responsibility. Ethics - UNIDIR
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 79

Introduction Strategic cybersecurity Supporting the ecosystem Collective action

How Microsoft helps Detection. Microsoft uses advanced tools and

capabilities to monitor, analyze, and attribute
support democratic malicious activities or campaigns that aim to disrupt,
influence, or manipulate elections and elections
elections infrastructure. We leverage our global network of
partners and sources to gather intelligence on the
During this unprecedented period of critical
threat landscape and the actors behind it.
elections taking place around the world, Microsoft
has worked to defend democratic institutions by Response. Microsoft responds to and mitigates
combatting malicious schemes designed to disrupt the threats to elections around the world through
or influence electoral processes and promoting a several means. The Digital Crimes Unit uses
healthy information ecosystem. Our initiatives stem its legal and technical expertise to disrupt the
from four key principles: malicious activities and campaigns intended
1 Voters have a right to transparent and to compromise, sabotage, or interfere with the
authoritative information regarding elections. elections. Microsoft Incident Response and other
Microsoft security partners help political and
2 Candidates should have the ability to verify the
elections customers respond to and recover from
authenticity of content originating from their
active cyber incidents via our Election Security
campaigns and have access to procedural or
Advisors program.39 In early 2024, we launched a site
legal mechanisms to address instances where
where certified candidates in any national or federal
their likeness or content is manipulated by AI to
election can directly report deceptive AI election
mislead the public during elections.
content on Microsoft’s platforms.
3 Political campaigns should have the resources to
Collaboration. We collaborate with public
safeguard against cyber threats and effectively
and private stakeholders globally who share a
utilize AI, with access to affordable, easily
similar goal of protecting the electoral process.
deployable tools, training, and support.
This includes local elections officials and elections
4 Election authorities should be able to ensure commissions, working across the tech sector
a secure and resilient election process and on initiatives like the Tech Accord to Combat
have access to tools and services that enable Deceptive Use of AI in 2024 Elections,40 and with
this process. government agencies or law enforcement bodies
when appropriate.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 80

How Microsoft helps support democratic elections continued Introduction Strategic cybersecurity Supporting the ecosystem Collective action

Microsoft is also helping protect the online Protecting data Boosting public awareness of AI elections risk
environment surrounding elections by: Protecting elections-focused employees and official These are some ways we contribute to educating the Links
Defending the information environment systems, including combatting phishing lures using public on the potential misuse of AI in elections and Microsoft’s efforts to enhance the security of
elections-related themes promoting transparency in AI-generated content. Indian elections | Jun 2024
Identifying disinformation campaigns propagated by
nation-state actors and collaborating to mitigate the ▪ Advanced security and productivity tools for ▪ Societal Resilience grants with OpenAI: $2 million Microsoft and OpenAI launch Societal
potential risks of deepfakes. political campaigns.43 in grants to enhance AI education and literacy Resilience Fund | May 2024
▪ Advanced support for customers running among voters and vulnerable communities.47
▪ Tech Accord: A cross-sector coalition to combat Combatting abusive AI-generated content: a
deceptive uses of AI in elections.41 elections-critical workloads in Azure, like voter ▪ Content Credentials: Implementation of
comprehensive approach | Feb 2024
registration or results reporting systems.44 authenticity markers on AI-generated and
▪ Public election influence operations reports:
authentic images and video to help the public AI Elections accord - To Combat Deceptive Use
The Microsoft Threat Analysis Center releases Identifying and responding to threats
discern if media has been created or edited of AI in 2024 Elections | Feb 2024
timely public reports about cyber and influence Utilizing our significant threat intelligence capabilities by AI.48 Microsoft announces new steps to help protect
threats.42 to identify threats and identify mitigations.
▪ Security and deepfake trainings for political elections - Microsoft on the Issues | Nov 2023
▪ Advanced threat detection and notification stakeholders: Ahead of major elections, Microsoft
against nation-state attacks for high-risk elections Combatting the deceptive use of AI in elections –
provides cybersecurity hygiene and deepfake
customers available in 35 countries.45 Middle East & Africa News Center (microsoft.com)
response trainings to political organizations.
▪ Election security advisors providing expert ▪ Public awareness campaigns: Launch of several
consultation for proactive cybersecurity audits, public awareness campaigns in the EU, US, and
threat hunting, or remediating cyber incidents.46 globally, to ensure voters are aware of the risks
of deepfakes and to guide users to authoritative
election information sources.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 81

How Microsoft helps support democratic elections continued Introduction Strategic cybersecurity Supporting the ecosystem Collective action

Cyber Point of View: UK

A continuously improving Manufacturers can use the principles to determine
security partnership which security mitigations can be designed and
built into their products by default, and, in parallel,
Microsoft and the UK’s National Cyber Security
organizations can use the same principles as
Centre (NCSC) have been in partnership for over
a framework to assist in the procurement and
20 years. From securing user devices to covering
validation of secure, enterprise-connected devices.
the UK Government’s broader cloud ecosystem, we
are building a secure foundation to protect from Not only does this reduce the complexity of the
the most common cyberattacks. procurement process, it increases the speed
of deployment.
Together, they have developed the “Secure
Configuration Blueprint” to help government The ultimate goal of this partnership is to enhance
departments configure Microsoft 365 in a way the security posture of public and private sector
that helps meet their statutory obligations. organizations in the UK, ensuring data protection,
The blueprint leverages the service’s inbuilt effective collaboration, and reliable services.
features and capabilities to lower residual risk. It is
the leading practice published by the NCSC and
Microsoft, drawing on extensive experience across Links
the UK Government and industry. Updated Microsoft 365 security and
compliance guidance for the UK public sector -
Additionally, secure configuration practices have
Microsoft Industry Blogs | Feb 2024
been extended beyond the UK Government to
include principles for manufacturers of enterprise- National Cyber Security Centre - NCSC.GOV.UK
connected devices and networking equipment.
Device security principles for manufacturers -
NSC.GOV.UK | May 2022
Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 82

Chapter 3 Key developments 83

Early insights: Introduction

Emerging threat landscape

84

87
AI’s impact on AI for defense 94

cybersecurity Advancing global AI security 101

What do we know about

new AI challenges and
solutions today?
Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 83

Introduction Emerging threat landscape AI for defense Advancing global AI security

AI-enabled human targeting -

Nation-state threat actors are AI for defense
These threats will be more using AI for influence operations Defenders are using
Key developments difficult to detect and defend
against—even with AI tools
AI-generated images and AI to become more
efficient, especially in
audio manipulations are
Early insights: AI’s impact assisting defensive strategies. being used to shape audience security operations.

on cybersecurity Find out more on p89. perception and engagement in

conspiratorial narratives.
Find out more on p94.

AI is reshaping the landscape of cybersecurity, Find out more on p91.

arming defenders with powerful tools to
preempt and counteract evolving threats
with unprecedented precision. As we explore Emerging threat actor
this transformative era, we are met with techniques
both promising advancements and daunting AI-enabled spear phishing,
—
challenges—from -
sophisticated AI-powered résumé swarming, and
Limiting foreign influence Staying a step ahead
targeting to complex influence operations deepfakes emerge. operations in the modern era of threat actors in the
-
orchestrated by nation-state threat actors. Existing limitations of foreign age of AI
Find out more on p90.
influence operations under Policy principles can mitigate
As ever, information is power. The more
international law are no longer risks associated with use of
knowledge and understanding an organization sufficient in the modern era. AI tools.
has of the emerging threats, the better it can
Find out more on p93. Find out more on p106.
prepare. In this chapter we explore how AI is
changing everything from enhancing detection
capabilities and operations efficiencies, to Governments and industries working
customized mitigations. At the same time, to advance global AI security
governments and industry are collaborating, and
While there is a consensus on the
using a variety of approaches, to advance global
importance of security in the development
cybersecurity initiatives in the AI era.
of AI, governments have pursued
different approaches in implementing
security requirements.
Find out more on p101.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 84

Introduction Emerging threat landscape AI for defense Advancing global AI security

Introduction: AI’s impact on cybersecurity

We are at the start of what could Organizations of all sizes around the world are facing Not only can this significantly reduce the time to The deployment and utilization of AI and agents
become one of the most transformative the same challenges: infinite amounts of data to identify, investigate, and respond to an incident from will be vital, especially with threat actors becoming
manage, more endpoints to secure, and a shortage days to minutes, but this AI-driven threat analysis more sophisticated in their tactics every day.
technological eras in modern history.
of talent to operate security environments that are provides the opportunity for security teams to learn But as history has shown, technology can have
Much has been said and written about becoming more complex every day. Cybersecurity is and train in real-time, helping to reduce the skills the ability to elevate our human potential, and
how AI can have a significant effect on a top priority for businesses of all sizes, but at the gap and freeing up experienced analysts to focus on through innovation, collaboration and responsible
every industry, but the impact it can have same time, cybersecurity is an infinite game that has more important tasks. use of generative AI and agents, defenders will
on how businesses secure their most no winner and no end. Defenders must constantly
Today, the industry has taken the first steps to add
be positioned to take on cybersecurity’s toughest
important data and assets in the face be vigilant as the landscape becomes more intricate. challenges and work toward making the world safer
assistive agency into products, and more autonomy
With threat actor adoption of AI, the economics and for all.
of ever-increasing cybersecurity threats will be created over time, enabling agents to
sophistication of attacks are changing rapidly, and
will be one of the most critical uses of perform tasks, monitor, and take action proactively Shawn Bice
with that, the sophistication of how we must defend.
this technology. and in collaboration with security teams. AI agents Corporate Vice President,
Generative AI is ushering in a new era of will use language models in incredible ways to get Cloud Ecosystem Security
cybersecurity that can put defenders one step ahead much closer to the way security analysts operate in
of threat actors. The adoption of large language reasoning, decision making, and task completion.
models (LLMs) tailored for security operation Not only will we see security teams supported by
scenarios will see a shift from humans having to write these agents, but we will also see agents working
manual automation of repetitive tasks to AI systems together to investigate and resolve incidents.
capable of detecting and investigating security Agents will respond to events when activated or
threats at the skill level of security professionals. given permission by an analyst, and Microsoft sees
AI can help develop a thorough understanding of a a world where soon AI agents will potentially reason,
security incident and how to respond in a fraction of make mistakes, learn from mistakes, and work
the time it would take a person to manually process together like a team of experts.
a multitude of alerts, malicious code files, and
corresponding impact analysis.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 85

Introduction Emerging threat landscape AI for defense Advancing global AI security

Understanding how How they work: First-generation generative AI

applications were just bare language models for How Copilots work
generative AI systems work which users carefully crafted inputs (“prompts”) to USER
receive outputs. Because they were creative tools, REQUEST
Generative AI is one of the most impactful they were very prone to hallucination and required
technological shifts of the past several decades. careful prompting for effective use. Second-
LLM: Pretend you’re a subject-
Its tremendous range of applications could put it generation applications, widespread today, are matter expert, can do the
not only into thousands of existing systems and following things, and were
more complex, with many skills. Some of these just asked to create a plan
business processes, but into a range of entirely skills are ordinary functions written in normal
new processes. programming languages; these might look up data
or call another system to perform some action. LLM: Think Extract the key Write an answer
However, a rapidly changing world likewise creates Look up some data
of relevant points from based on OUTPUT
in SharePoint
opportunities for threat actors, who can often adapt Like any function, they require very specific inputs. search queries each document these points

to changes faster than defenders. To protect against Such skills are natural points for controls since they
this, it’s important to understand how generative AI are the only way the AI system can access outside
Relevant
works and how to apply the techniques of safety and data. Other skills call the model—for example, to documents

security to it. summarize or analyze data, create content (such

as by roleplaying a writer or programmer) or to
Predictive vs. generative AI: In traditional Such systems have natural safety intervention For example, a question-answering system might
improve data by roleplaying an editor. Those skills
predictive AI, people build individualized models points. Metaprompts are the step that tell the model first use a filter to see if it’s being asked something
work by fusing user inputs, additional data fetched
using their own data. Since they have control over about the character it’s roleplaying, things it should inappropriate or outside its expertise. If not, it role-
by other skills, and their own data to create a
the process, they try to build controls things like avoid, and so on, and are a key place for defense. plays a subject-matter expert to figure out searches
prompt, automating what people did by hand in the
fairness, training data leakage, and data poisoning. “Editor” steps are a kind of metacognition, where a it should run; then again as a subject-matter expert
first generation. Skills are then called by a central
Predictive AI is good at analyzing large fields of second AI looks at the outputs of the first to see if evaluates the credibility of each page and extracts
function that defines the AI system; this might either
data, classifying, predicting, and recommending. its statements are grounded in its known list of facts, its key ideas; then role-playing a writer, it combines
be an ordinary function, running known steps in
Generative AI, on the other hand, is best understood if they are aligned with its compliance or strategic these to form an answer to the original question.
turn, or an AI function that roleplays a subject-
as a different technology – one where general- goals, and so on. Filters pre- or post-process data Finally, as an editor, it checks to see if every part of
matter expert and asks it to come up with a plan
purpose models are shared by millions of users and using ordinary software, predictive AI, or generative its response is appropriately grounded and if any key
using those known skills.
have no special data access. Generative AI models AI to catch suspicious situations and handle points were missed.
are good at summarizing or analyzing natural them differently.
Future generative AI systems (“agents”) are likely to
language data and role-playing characters like add capabilities like memory (learning as they work
“customer service rep” or “math teacher.” with you), operation over longer timescales than a
single conversation, and more autonomy, reacting to
events other than user inputs.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 86

Introduction Emerging threat landscape AI for defense Advancing global AI security

Two key insights Then, using a test framework, these lists can be
run against the system in bulk, with generative
Fortunately, it is possible to secure systems with
nondeterministic components; we call those
those qualities manually. That means, for example,
telling the system it is an experienced newspaper
As we’ve developed a large range of generative AI AI once again helping efficiently evaluate the components “people.” Microsoft has found that editor or computer hacker lets it do meaningful edits
systems, we’ve found some important insights about outputs for correctness. These tests can re-run asking “How would you secure this if it were a and safety checks from those perspectives.
the process. whenever the system is updated, much like ordinary person?” scales very effectively to generative AI.
integration tests. Where an organization would vet a person, they
1. Building is easy; testing is hard should test a system thoroughly and adversarially.
2. Generative AI security is Where it would train a person, it should adjust
Generative AI changes the traditional relationship
nondeterministic metaprompts and filters so that they behave Links
between development and testing investment.
In traditional software, 90% of the work goes into Generative AI systems are software, and traditional correctly. Where it would have multiple eyes check Responsible AI Transparency Report | Microsoft
writing software that will function. With generative software security remains important. In addition and approve sensitive decisions, organizations
AI Content Safety | AI Content Moderation
AI, writing a system is much easier, with significant to that, however, generative AI systems face risks should do the same—both by having one AI look
features being “quick projects” rather than multi- from anomalous natural-language (or media) over the results of another (metacognition) and PyRIT: Python Risk Identification Tool
month investments. However, that AI system will inputs. These are nondeterministic, especially in that involving humans in the process.
AI Red Ream Guidance | Microsoft Learn
work correctly only in the handful of cases that the variations in language or phrasing can profoundly
A surprising fact that makes metacognition more
change behavior. In fact, most “jailbreak” attacks can AI jailbreaks: What they are and how they can
developers imagined as they worked; the majority of effective is that since generative AI is trained on
be summarized as “social engineering works against be mitigated | Jun-2024
the work will be in testing and tuning as the system human language, a brief summary of a character it
is evaluated on uncommon inputs, adversarial generative AI.” The resulting vulnerabilities can’t be The HAX Toolkit Project - Microsoft Research
is meant to roleplay allows it to infer broad aspects
inputs, or even just inputs from users who think deterministically patched, even in theory.
of that personality without the user having to specify
differently from the developers.
As a system is built, it’s important to make a list of
the ways in which the system could potentially go
These attacks are different Map human ideas to generative AI safety
wrong and develop a large test suite of example
They’re nondeterministic: For a person, you might... For a Copilot, you might...
inputs that may trigger those outcomes. Likewise,
▪ Saying the same thing twice won’t have ▪ Vet them ▪ Test the system thoroughly
there should be lists of intended and “uncommon”
the same effect ▪ Train them and adversarially
inputs as well. Team diversity is key at this stage, ▪ Adjust metaprompts so they behave right
▪ Slight changes in phrasing may change ▪ Monitor them
since without it the team can’t adequately imagine the outcome ▪ Monitor them
▪ Have multiple eyes check and approve
how real-world use will look and will miss critical sensitive decisions ▪ Have multiple AIs look at a problem
risks. Generative AI can itself amplify a team’s ability This means you can’t “patch” them the same way ▪ Build trust over time (metacognition)
in this space, turning individual examples into large you do traditional security vulnerabilities ▪ Have humans in the loop
multi-lingual lists. Integrate the Copilot into your business practices
like you would a new person—step-by-step.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 87

Introduction Emerging threat landscape AI for defense Advancing global AI security

Emerging threat landscape

The AI landscape is changing System threats ▪ Forced, when the user is physically unable
tremendously quickly, and any analysis to check the output (for example, vision In the coming year,
The key system threats Microsoft has seen
augmentation for the blind, or systems that
will therefore inevitably be out of date are system compromise, overreliance, and we anticipate the biggest
create apps for non-programmers).
by the time it is published. While details content exposure.
▪ Motivated, when a user offers “the AI said so”
rises in automated fraud
of any summary will quickly become ▪ System compromise: The key threat here is and election interference,
as an excuse to do what they already wanted.
obsolete, its principles may prove useful cross-prompt injection attacks (XPIA, also known
CSAM and NCII production,
as indirect prompt injection), where the system ▪ Content exposure: A threat exists when
for much longer. and the use of XPIA and
is processing data under the control of a third operators are exposed to content such as hate
party (for example, email messages or Word speech, violence, radicalization or child sexual deepfake impersonation
The generative AI documents). Attackers insert malicious payloads abuse material (CSAM) that is directly harmful to as cyberattack and
threat landscape to exploit vulnerabilities in the way the system
combines inputs to form LLM prompts to do things
them. Fortunately, this threat can be defended
against with filters and metaprompts, such as with
fraud channels.
such as run commands with a victim’s credentials, Azure AI Content Safety.
When discussing AI threats, a first division is
between system threats—issues like security take over systems, and/or exfiltrate data. ▪ Infrastructure compromise: Traditional
vulnerabilities, where securing one system effectively ▪ Overreliance: Users tend to overrate the cybersecurity threats against the underlying
mitigates the risk—and ecosystem threats, where reliability of AI output. The best mitigations for storage, network, computing, and supply chain
attackers can choose the most vulnerable system these threats are often in the user experience continue to be significant.
with which to achieve their goals. (UX) or business practice. Overreliance comes in
four forms:

▪ Naive, where users aren’t aware of the

limitations of the AI.
▪ Rushed, when a lack of time or confirmation
blindness means users don’t check outputs.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 88

The generative AI threat landscape continued Introduction Emerging threat landscape AI for defense Advancing global AI security

Ecosystem threats ▪ Direct social attacks: Malicious activities such

as scams, phishing, propaganda, and terrorist
Ecosystem threats often require defense outside the
recruitment can be automated using generative
AI system.
AI and operated at far larger scales than before.
▪ Impersonation: Use of image, audio, and The cyber intelligence community anticipates
video deepfakes to impersonate individuals. a large rise in all of these categories, driven by
Specific threats include fraud, blackmail, AI enablement. Defenses against them may
coercion, defamation, and information warfare. focus on providing AI support to the recipient
Defense against this threat includes moving and interdicting payloads at the communication
communication to authenticated channels. system level.
▪ Content production: Creation of harmful content ▪ Indirect social attacks: Automated harassment
for dissemination such as CSAM, non-consensual and defamation are very difficult to counter.
intimate images, disinformation, child grooming Because someone can be harassed by targeting
scripts, or spam. Threats in this category are their friends, colleagues, and the public, a defense
diverse and are typically amplifications of existing strategy for this threat type is not yet clear.
threats, sometimes on a large scale.
As defenders, particularly governments, are
▪ Nefarious knowledge acquisition: Acquisition
considering the threats associated with the abuse
of information that helps threat actors upgrade
of AI, it is important to keep in mind that many
their skills, such as how to make drugs or
of the future victims will not have the benefit of
biological weapons. This threat has not emerged
automated systems and programs to defend them.
at scale and is being actively researched by the
Many ecosystem threats will have an immediate
security community.
impact on the most vulnerable targets—humans.
▪ Cyber threat amplification: Automated As difficult as it currently is to stop multi-billion-
generation of malware, and, more importantly, dollar frauds against vulnerable groups like the
attack command and control infrastructure, elderly, AI’s impersonation capabilities will make it
which could give lower-tier threat actors access even harder for victims to identify and resist fraud.
to persistent attack capabilities previously limited
In the coming year, we anticipate the biggest rises
to advanced actors. There is significant risk that
in automated fraud and election interference,
attackers will develop AI techniques faster than
CSAM and non-consensual intimate image (NCII)
defenders adopt AI-powered defense systems,
production, and the use of XPIA and deepfake
and attackers will take advantage of that gap until
impersonation as cyberattack and fraud channels.
the defenders catch up.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 89

Introduction Emerging threat landscape AI for defense Advancing global AI security

Sophisticated AI-enabled We expect two diverging trends pertaining to

AI-enabled cyber-threat actors and defenders.
human targeting Whichever party masters AI faster will have a
near-term advantage. However, when it comes to
Behind every bot is a real person. As AI is AI-enabled human targeting, threats will be more
increasingly used to help people get more efficient, difficult to detect and defend against—even with AI
threat actors are learning that they can use the tools assisting defensive strategies.
same AI efficiencies as a force multiplier in their
targeting efforts. The defensive advantage
The defensive advantage against AI-enabled cyber
Targeting high-value individuals threats comes in the form of defenders’ ability
Threat actors target high-value individuals at to deploy AI into defensive tools and systems.
organizations because they have access to trade If organizations are early adopters of AI tools, they
secrets, financial systems, key strategies, and other can use ML to rapidly ingest and infer evolving
sensitive and proprietary intellectual property. tactics, techniques, and procedures (TTPs), thus
Because AI is very capable of performing most of detecting and preventing malware and malicious For example, a threat team that previously relied on The impact of AI in attacks is already being felt in
the time-consuming research needed to identify code. Hesitance to incorporate AI into defensive manual operations to identify targets, research them, the wider cybersecurity community. Tools in the
lucrative targets, it frees the actors up to conduct strategies on the other hand, will open a window develop a social engineering approach, and execute multi-factor authentication toolbox are becoming
other activities. This emerging threat landscape of of opportunity for threat actors to exploit gaps it can assign roughly 90% of this work to AI, freeing vulnerable, and AI has demonstrated it can defeat
AI-enabled targeting is also aided by the machine they identify with AI tools. This means the early AI up human resources to perform more nuanced tasks CAPTCHA,49 which was specifically designed to
learning (ML) aspect of AI. This is because bots adopters will enjoy a near-term advantage afforded AI is not yet effective at performing. stop bots. The use of AI will expand the threat
can rapidly learn from the sum total of human by the nimbleness of AI. landscape by making bots harder to detect, more
Since AI can perform these labor-intensive tasks
knowledge documented on the internet. pervasive, and more adaptable due to increasingly
The offensive advantage far more rapidly than a human, it also reduces
sophisticated ML capabilities.
the time to target. This operational efficiency is
The offensive advantage of AI-enabled human
complemented by the fact that AI won’t make, for With the Internet of Things (IoT) market growing at
targeting comes from AI’s ability to:
example, spelling and grammar errors that humans 42% per year,50 we also expect pervasive targeting
1 Rapidly perform functions that previously took make in phishing communications. of personal and home-use products. Overall, the
humans months or even years. democratization of AI will enable unsophisticated
2 Avoid hallmark mistakes humans make in their threat actors to become more capable and
targeting operations. effective without having to become more
technically proficient.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 90

Introduction Emerging threat landscape AI for defense Advancing global AI security

Emerging techniques “Résumé swarming” and steganography Deepfakes and other variations
on social engineering
Even knowing the artifacts are fake, many
victims may choose to comply simply to avoid
Threat actors can use AI to scrape keywords and
in AI enabled attacks qualifications from job postings and develop Using AI’s capability to rapidly conduct expansive embarrassment or potential negative perceptions.
“perfect” candidates in the virtual world. research, threat actors can discover massive A strong mitigation strategy will seek to reduce the
While some TTPs are in their infancy and little amounts of information about targeted individuals
AI can then generate hundreds or thousands of threat landscape through predictive and preventative
more than proof of concept, others are already and programs.
variations of highly qualified—but imaginary— activities. Incorporating AI into risk mitigation
being widely used.
candidates’ résumés to apply for open positions at This means they can then develop highly tailored activities means defenders can evolve at the same
This section discusses some of the TTPs threat actors unsuspecting companies. social media profiles with which to contact thought or a greater rate as threat actors. As discussed in the
are currently using and evolving for use against their leaders, subject-matter experts, and other high value data security section of this report, discovering and
These résumés can even use steganography
targets in the social engineering phase of attacks. targets for social engineering. Further enhancing this prioritizing data assets is foundational. Threat actors
techniques to embed invisible information to
We expect threat actors to rapidly evolve and deploy false persona technique, AI-enabled deepfake tools rely on disorganization, poor communication, lack
increase their chances of passing automated
these TTPs in the near term, and the variations will can also be used to create fake social media profiles of consensus, and unwillingness to invest in non-
screening tools, getting the applicant selected for
continue to evolve and expand. impersonating people known to the target. revenue generating activities within organizations.
interviews and ultimately hired. Threat actors can
use this technique in their attempts to emplace We therefore recommend mapping identified gaps
AI-enabled spear phishing and whaling Threat actors can establish the impersonating
insiders within an organization to steal trade to key stakeholders responsible for managing the
AI is evolving spear phishing and whaling by persona’s bona fides by using video teleconferencing
secrets, intelligence, or other sensitive information. associated mitigation strategy. Lastly, one of the
coupling AI with malware, creating a tool that lies or phone calls to deploy real-time deepfake contact
In another variation of this technique, threat actors best mitigation strategies is robust training and
dormant until it identifies its intended target and with voice and video synthesis. Or, using AI bots,
may create a limited number of ideal candidates awareness campaigns.
deploys. Threat actors can focus their attacks on threat actors can automate a substantial portion of
alongside a swarm of AI-generated unqualified communication before actual human interaction
highly specific targets and hone-in on exfiltrating
résumés to break screening processes. is required. All these AI-assisted approaches act Actionable Insights
only the most useful information. Without users
knowing, the AI uses device cameras, speakers, as a force multiplier that can help threat actors
This text visible “Key words” are
simultaneously approach a virtually unlimited
1 Report criminal and suspicious activity
and GPS for target verification. By the time it is visible only to
to the human eye to the appropriate law enforcement
discovered, the malware has already exfiltrated the screening systems number of potential targets to identify the most
viable targets for further development. organization in your region.
target information.
Résumé example Résumé example 2 Reporting suspicious activity, whether or
With the increasing sophistication and quality of
example text key word | key word not you fall victim to it, enables defenders
deepfakes, we anticipate that it is highly likely that
example text example text to better understand the threat, identify
criminals will also use this TTP for fraud, identity
example text example text
what’s being targeted, take action to protect
theft, blackmail, and extortion. Nearly flawless
those targets, and educate the population
Links example text key word | key word deepfake video with audio can generate extremely
about protecting against those threats.
convincing (fake) evidence to compel and coerce
Digital Safety | Report a concern
victims to comply with criminals’ demands.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 91

Introduction Emerging threat landscape AI for defense Advancing global AI security

Nation-state threat actors Adversarial use of AI in influence operations

More recently, the actor attempted to fan the
flames of discord around the Israel-Hamas war
using AI for influence by circulating photorealistic AI-generated images
Capability China Russia Iran & proxies
operations of purported protests, as Israel-Palestine related
university campus protests surged across the United
Text MEDIUM / LOW MEDIUM / LOW LOW
States in late April to May 2024.
Nation-state threat actor groups, such as those
Image HIGH HIGH MEDIUM / LOW
backed by Russia, Iran, and China, are increasingly
incorporating AI-generated or enhanced content Audio/video HIGH HIGH LOW

into their influence operations in search of greater Example May 2024: June 2024: April 2024:
productivity, efficiency, and audience engagement. Bespoke Taizi Flood AI-generated audio Likely AI-generated video
AI-generated cartoon of Elon Musk narrating leading up to Iranian
We assess this content has had a limited effect on fabricated documentary military operation
the impact of nation-state influence operations thus
far, but if integrated into otherwise creative and
multifaceted influence operations, AI may prove
to offer a significant capability in reaching and
engaging audiences in the future.

China-affiliated influence actors Taizi Flood is the most prolific threat actor in this
favor AI-generated imagery arena, using third-party AI technology, including
technology that generates virtual news anchors,
China-affiliated threat actors’ increasing use of AI
for its online campaigns. With influence operations
to enhance influence campaigns, especially those
spanning over 175 websites and 58 languages, Taizi
targeting elections around the world, distinguishes
Flood has continuously mounted reactive messaging
them from other nation-states using AI.
campaigns around high-profile geopolitical events,
In the past year, Microsoft observed China- with a focus on portraying the United States in an
linked threat actors utilizing various generative unfavorable light and furthering Beijing’s interests
AI technologies to create sleek, compelling visual in the Asia-Pacific region. During the Maui, Hawaii
narratives. Microsoft uncovered a series of AI- wildfires in August 2023, the actor used AI-
generated memes aimed at the United States that generated images of burning coastal roads and
emphasized domestic discord and criticized the residences to augment the conspiratorial narratives Taizi Flood’s “photorealistic” AI-
Biden administration. about US Government complicity it spread across generated images intended to portray
protests at a named US university.
social media platforms.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 92

Nation-state threat actors using AI for influence operations continued Introduction Emerging threat landscape AI for defense Advancing global AI security

Russia-affiliated influence actors using In February 2024, pro-Russian social media accounts Russia also used a malicious application of AI in Iran-affiliated influence actors are
audio-focused AI across mediums circulated a fabricated video, falsely claiming influence operations surrounding the 2024 Paris in the early stages of AI integration
that Ukrainian authorities planned to assassinate Summer Olympics. In mid-2023, Microsoft identified
Russia-affiliated threat actors often adopt a In contrast to actors supporting Russia and China,
French President Emmanuel Macron. While the a fake documentary titled “Olympics Has Fallen”
more nuanced strategy in their AI tactics, though pro-Iran groups have so far employed AI more
visual component of the video appeared to be disseminated by Russian-affiliated influence actor
the effectiveness of their campaigns has had sparingly. Nevertheless, they are gradually increasing
from an authentic France24 broadcast, the audio Storm-1679 on Telegram.
mixed results. use of AI-generated or enhanced images and videos
component was AI-generated.52 The video gained
The video featured AI-generated audio that as key components of their messaging campaigns,
For example, they create fully synthetic deepfake traction online and former Russian President Dimitry
mimicked the voice of American actor Tom Cruise particularly against Israel.
videos of prominent political figures but the videos Medvedev later repeated the false narrative in a
criticizing the International Olympic Committee
struggle to gain significant online engagement post to X, without explicitly referencing the video We observed Cotton Sandstorm disrupting
and its leadership. This was Storm-1679’s first use of
because they are quickly exposed as fake. itself.53 Although attribution is unclear in both the streaming television services in the UAE and
AI-enhanced content for influence efforts. In June
Slovak and French examples, the targets, narratives, elsewhere in December 2023 under the guise of
Audio manipulations have proven more influential 2024, the actor launched a sequel, “Olympics Has
themes and tactics are consistent with pro-Russia a persona called “For Humanity.” For Humanity
in shaping audience perception. Two days before Fallen II,” this time featuring AI-generated audio
influence activities. published videos on Telegram showing the group
Slovakia’s 2023 election—a tight race between pro- impersonating businessman Elon Musk. For both
hacking into three online streaming services
Western and pro-Kremlin parties—AI-generated videos, Storm-1679 appears to have allocated
and replacing several news channels with a fake
audio of the pro-Western party leader discussing significant time and resources. This ongoing
transmission featuring a likely AI-generated anchor
how to rig the election appeared online.51 The initiative reflects a persistent effort to target Western
that claimed to show images of Palestinians injured
incident represented a test case of how vulnerable audience information spaces where this actor
and killed by Israeli military operations.
elections around the world could be to the malicious has traditionally struggled to effectively amplify
use of AI by nation-state threat actors. its content. News outlets and viewers in the UAE, Canada, and
the UK reported disruptions in streaming television
programming, including BBC, that matched For
Humanity’s claims.54 In April 2024, amid Iran’s
airstrikes on Israel, a new Iranian cyber persona,
“Montaghemoun,” posted threatening messages in
Hebrew, English, and Farsi that included videos and
images that were likely created with AI.55
A still image from the fabricated video. The footage
features a well-known French news anchor with likely
AI-generated audio of his voice. The overlaid title
graphics were digitally manipulated. The earliest
observed instances of the video included Russian
subtitles, as demonstrated here.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 93

Nation-state threat actors using AI for influence operations continued Introduction Emerging threat landscape AI for defense Advancing global AI security

Limiting foreign influence operations in However, existing limitations of foreign influence Microsoft recommends that states embrace the Limits on tools and techniques
the modern era operations under international law are no longer following limitations on foreign influence operations: ▪ Covert use of AI: States should not secretly
sufficient in the modern era. The emergence of social create or knowingly use synthetic audio, images
Influence operations have been used throughout Limits on targets
media and the advancements in generative AI have or video content generated by AI, to covertly
history by both state and non-state actors to
significantly changed the landscape. Therefore, it is ▪ Crisis/emergency scenarios: In an emergency
shape public opinion and achieve strategic mislead or coerce citizens of other countries.
imperative to reassess the impact and boundaries or crisis – including wildfires, floods, extreme
goals. Because they are recognized tools of soft ▪ Theft/abuse of social media data: States
of these activities. Similar to the norms established weather events, and chemical/radiation spills
power, there are established boundaries for such should refrain from stealing or misusing data
by the United Nations to restrict state-sponsored – foreign influence operations should not seek
activity under international law. The principle of on foreign citizens held by private companies
cyberattacks, there should be comparable norms to manipulate civilians with respect to the crisis.
nonintervention, for example, safeguards national for the purpose of developing covert influence
to regulate foreign influence operations in the When lives are at stake, reliable information is
autonomy and, in certain cases, prohibits direct operations targeting a foreign populace.
online space. critical for safety.
interference in the external and internal affairs of
sovereign states. Activity which covertly manipulates ▪ Emergency/humanitarian response
the economic or political systems of another country, organizations: Undermining public trust in
for example, could cross that line. organizations involved in humanitarian or
emergency response missions is unacceptable.
Governments deliberately spreading or
promoting misleading information about medical Links
First Responders or humanitarian assistance
Protecting the public from abusive AI-
efforts abroad should equally be prohibited.
generated content | Jul 2024
▪ Elections: Covert interference in elections via
AI jailbreaks: What they are and how they can
foreign influence operations online must be
be mitigated | Jun 2024
prohibited. Such a commitment was already
included in the 2018 Paris Call for Trust and How Russia is trying to disrupt the 2024 Paris
Security in Cyberspace, which has the support of Olympic Games | Jun 2024
80 national governments from around the world.
Russian US election interference targets
▪ Vulnerable/marginalized communities: support for Ukraine | Apr 2024
States should refrain from foreign influence
campaigns that advocate national, racial or China tests US voter fault lines and ramps AI
religious hatred or which incite violence against content to boost its interests | Apr 2024
protected groups, including racial and ethnic Staying ahead of threat actors in the age of AI |
Montaghemoun” (meaning Avengers in Arabic), posted threatening messages in Hebrew, English, and Farsi across its
social media accounts in the days leading up to the Iranian attack’s against Israel, including posting multiple threatening minorities and LGBTQ+ populations. Microsoft Security Blog | Feb 2024
videos and images Microsoft assesses were created with AI.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 94

Introduction Emerging threat landscape AI for defense Advancing global AI security

AI for defense

Microsoft’s significant investment in Currently, cybersecurity teams operate at their limits,

AI innovation is aimed at providing facing staffing constraints, escalating regulatory “AI holds the potential to be as much of a
compliance demands, and an ever-growing
cybersecurity defenders with an transformative technological revolution for
number of increasingly sophisticated adversaries.
asymmetric advantage over attackers However, the introduction of AI will change this human beings as things like electricity or modern
in the realm of defense. workload, offering various benefits to both attackers computing, if not possibly more so; a tool that
and defenders. opens up benefits across the board, transforming
In our efforts, we prioritize cutting-edge research
and the development of groundbreaking solutions
For defenders, the “automated ingenuity” of zero-sum problems into non-zero-sum
generative AI can now be applied across the entire opportunities and creating massive net long-term
like Copilot for Security. These solutions amplify
defense chain, from initial detection of anomalies
defenders’ efforts by optimizing resources and
to prompt triage and response. Beyond merely
gains for humanity.
scaling cybersecurity endeavors. This is particularly
enhancing existing security operations centers
crucial considering the significant shortage of skilled
(SOC), AI holds the potential to introduce entirely But, as we’ve seen repeatedly throughout the
cybersecurity workers, which poses one of the
biggest challenges in the field of cybersecurity.
new methods of defense. For instance, it enables course of history, when in the wrong hands, any
persistent systems that constantly monitor for sufficiently new and powerful tool that people are
vulnerabilities and promptly address any breaches.
given can be used by those people to cause harm.
Additionally, AI streamlines the sharing of
information among defenders, transforming it from
The good news is that these same AI tools, when
a labor-intensive manual process into a continuous, paired with creativity, innovation and diligence,
automated one. can put those of us on the side of defense and
security ahead of disruptive threat actors, and allow
everyone a chance to fully realize the tremendous
benefits that AI can bring.”
Kevin Scott, Chief Technology Officer
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 95

Introduction Emerging threat landscape AI for defense Advancing global AI security

Harnessing AI to detect Disrupting attacks by combining endpoint

detection and response with AI
cyberattacks Our AI models are integrated with MDE, a cloud-
based security solution that provides comprehensive
Our researchers are developing a novel AI
protection for endpoints. MDE collects and
approach to detect and disrupt cyberattacks and
processes data from millions of devices and uses it
“endpoint stories.”
to generate endpoint stories. AI models are then
Endpoint stories are narratives of endpoint activities automatically invoked, and when a model detects
generated from data collected from physical devices a HOK attack, an alert is created in the MDE portal.
that connect to a network system. These include Based on the AI decision, MDE can automatically56
mobile devices, desktop computers, virtual isolate an affected device, temporarily disable
machines, embedded devices and servers. The data compromised user accounts, and take additional
source for these stories is Microsoft Defender for actions to disrupt the attack. This way, MDE can
Endpoint (MDE). thwart the attack before it causes more harm.

Detecting hidden attacks with AI Extending AI across cybersecurity

Hands-on-keyboard (HOK) attacks, where Our approach is not only effective for detecting HOK
cybercriminals directly interact with compromised attacks, but also has wider implications for other
systems, are a major concern for enterprises. areas of cybersecurity. Leveraging the understanding
These attacks are hard to detect because attackers capabilities of LLMs, AI models such as ours can be
often use common administrative tools and used to analyze and find malicious activities using
techniques to blend in with legitimate activities, large and complex data sources such as network
and attackers are able to move through networks logs, email communications, web traffic, and social
in real-time and respond to what they find in the media. This can help us uncover hidden patterns,
environment. To detect these attacks, we use trends, and insights that can inform our security
LLMs that are fine-tuned to analyze endpoint story strategies and policies. We are also exploring the
narratives and identify anomalous or suspicious latest methods, such as leveraging the Phi family of
activities. These models can learn from the context models,57 to improve our AI models for detection of
and semantics of the stories and flag potential attacks and suspicious activities.
threats that might otherwise go unnoticed.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 96

Introduction Emerging threat landscape AI for defense Advancing global AI security

AI’s early impact on the security operations center (SOC)

Scale, efficiency, and speed are key components Microsoft has invested heavily in AI to help SOCs
affecting defenders’ ability to detect and respond to upskill and operate at speeds beyond human
incidents. On average, it takes 277 days to identify capability to tackle threat actors. In a 2023 study we
and contain a breach, with 207 days for identification found that novice users were able to perform 26%
and 70 days for containment.58 By leveraging AI, faster and were 44% more accurate across all tasks
defenders can significantly reduce this lag. when using Copilot for Security.

Source: Microsoft Copilot for Security

Examples that allows SOC analysts to quickly understand the

situation and identify human-operated ransomware
During advanced human-operated ransomware
targeting mission-critical devices and users, enabling
attacks, we have seen the time from initial pre-
swift and decisive action.
HOK (hands on keyboard) alert to the encryption
event averaging a mere 16 hours, underscoring To address the incident, the analyst must dive
the importance of operating fast to remediate the into indicators of compromise. Using AI, the
actor from the network. As mentioned, prioritizing analyst can instead assess an encoded command
incidents is a significant challenge that impacts time line run on a suspicious device from the incident.
to resolve/mitigate. AI security solutions provide What would have taken a junior analyst dozens
more than just a graphical representation of events; of minutes and several tools can now be achieved
Source: Microsoft Copilot for Security
they generate a comprehensive incident summary at machine-speed.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 97

Introduction Emerging threat landscape AI for defense Advancing global AI security

Seven areas of efficiencies 1 Triaging requests and tickets. Teams in a 2 Prioritizing work items. Keeping an
security organization receive large volumes organization secure and compliant involves AI is not only useful for first line
in Microsoft security of requests and tickets. Depending on the a constant stream of work items of varying
of defense operations, but its
operations complexity of the logic that determines how
these items are dispositioned, large language
importance and time-criticality. AI can assess
the priority of a given item based on how similar capability to transform behind-
AI has demonstrated significant benefits to models (LLMs) can speed up the triage process items were prioritized in the past. As with the the-scenes daily processes is
cybersecurity by enhancing threat detection, and increase the efficiency and effectiveness of previous use case, LLMs can use relevant policies, also significant and promising.
response, analysis, and prediction. AI can also responding teams. LLMs can use the specifics procedures, and other material to determine Modernizing these processes is
of a new request and, comparing them to how these priorities. Additionally, AI can ensure that
be used for various other tasks within a security
similar requests were dispositioned in the past, the prioritization criteria are up to date with the
essential for scaling up security
organization, which often involves processing large
volumes of unstructured data to gain insights, decide what to do. LLMs can additionally use ever-evolving compliance requirements where operations and making the best
answer questions, and make informed decisions. relevant policies, controls, and other material to hundreds of regulatory changes happen on a use of human expertise.
Microsoft is leveraging AI in seven key areas of inform these decisions. At Microsoft, one of our daily basis.
security operations. internal response teams receives on average 25 3 Knowledge gathering from diverse external One notable example is the use of
requests each week. This volume is expected to sources. Augmenting proprietary in-house AI for triaging requests, which is
double over the next six months. Without LLMs, datasets with online content (such as threat
initial triage of a request takes approximately saving at least 20 hours per week
intelligence and information on recent
three hours. The team developed an LLM vulnerabilities) enables an organization to make
per person on one of our internal
solution, which takes seconds to recommend better decisions. AI can scrape online content response teams.
response actions based on information provided and extract security-related information at scale.
in the requests and guidelines on when each At Microsoft, one of our internal teams identifies
action is appropriate. The LLMs can also and processes 50 articles per week. While this
generate follow-up questions if the information used to take two hours per article on average,
in the request is insufficient to recommend using AI, the team is now able to generate
an action. The use of LLMs in this scenario is concise reports from these articles in minutes.
estimated to save at least 20 hours per person,
per week.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 98

7 areas of efficiencies in Microsoft security operations continued Introduction Emerging threat landscape AI for defense Advancing global AI security

4 Knowledge retrieval. A large part of keeping 6 Learning from the past. Security operations
an organization secure depends on how constantly generate large volumes of diverse
well-informed its employees are on security artifacts (tickets, reports, playbooks). Looking at
policies, best practices, and the remediation the evolution of this data over time can provide
actions necessary for compliance. However, this valuable insights into themes, anomalies and
information is usually fragmented across multiple recurring issues. Much of this historical content
locations, forcing an employee to search for and is unstructured and impractical to manually sift
extrapolate it. LLMs can greatly improve this through. LLMs can ingest data pertaining to
experience and generate complete and accurate previous incidents, violations, remediations and
answers, even allowing the user to ask follow-up other events to uncover valuable learnings that
questions. If integrated with an organization’s help the organization get a comprehensive view
data on devices and services, the answers can be of past events. For example, analyzing historical
tailored to a specific situation. data from post-incident reviews can answer
5 Risk assessment. AI can assimilate information questions like: 1) What were the main themes
from diverse sources, whether proprietary or in past incidents? 2) For a given theme, did the
publicly available, to bear on the risk of a given associated incidents happen over a large span
entity, service, account, etc. AI can leverage of time (indicating an unaddressed root cause)
unstructured organizational knowledge and or did they happen and then stop (indicating
historical precedents to enrich the set of factors successful remediation)? 3) Have we historically
determining risk. seen anything similar to a new incident?
7 Reporting. As a security organization’s size
grows, so do reporting needs. AI can help
combine, consolidate, and distill artifacts such
as documents and slides into reports whose
content, level of detail, tone, and length can be
adjusted depending on the audience and the
report goal.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 99

Introduction Emerging threat landscape AI for defense Advancing global AI security

Using generative AI to Growth in complexity of MITRE

From categories to context A good example of the challenges organizations are
facing and how generative AI could help them is in
understand cyberattacks ATT&CK tactics and techniques
Generative AI allows defenders to use the narrative
context of the threat as a qualifier to defensive
“User Submitted Phish.” Security operations centers
struggle with a high volume of “user-submitted
and create tailored
Today’s challenges require a way to process alerts
precisely yet practically, without needing to define actions and remediation. Instead of classifying
phish,” alerts that are based on users reporting
and maintain differentiated treatment to hundreds an alert into a known set of categories, the
mitigations of types of attacks. differentiation is now built from all surrounding
emails they suspect of being phishing attempts.
An analyst’s attention is needed to determine if the
contextual information, with remediation dependent
As discussed throughout this report, the frequency April 202459 email is indeed malicious but due to the volume of
on the factual findings and not by abstraction into a
and severity of cyberattacks have increased 14 tactics alerts —which can total hundreds or even thousands
202 techniques bucket (categorization).
significantly in recent years. Addressing large of emails in a month—some companies use a
435 sub-techniques
volumes of attacks requires automation engines 148 groups
The technical difference is in moving from service to prequalify the user-submitted phish report
beyond the current rules-based approach. 677 pieces of software classification, which is a methodology that abstracts before an analyst investigation.
May 2015 28 campaigns similar attacks, to a high-dimensional proximity
But volume isn’t the only thing changing. The decision whether an email is malicious is not
9 tactics 43 mitigations
engine, where the remediation is the statistically
There is also a huge growth in the types and 96 techniques 37 data sources easily discerned since many factors come into
best next step. The outcome of this method is very
complexity of attacks. Microsoft Defender for play, with variability in what makes it a phishing
specific to the collection of all entities and facts of
Endpoint has seen a significant increase in the Source: MITRE attempt. Since it is not easy to categorize an email
the event. This means all the nuances of an event are
number of indicators of attack (IOA); from January as a phishing attempt, a method that looks at the
The growth and increasing complexity of attacks is handled and considered without loss of resolution,
2020 to today, there has been a 79% growth in IOAs. specifics of the email without a predetermined rule is
also evident in the evolution of the MITRE ATT&CK which happens when an event is classified into
more advantageous in determining a verdict.
framework. The changing nature of attacker a bucket.
TTPs compounds the difficulty defenders face in
confronting and remediating attacks. In 2015, it was
possible to bucket attacks into nine tactics and 96
techniques and differentiate their treatment with
rules. Today, the diversity of TTPs requires hundreds
of differentiated rules and nuanced treatment,

79%
making it harder than ever to alleviate the volume of
incidents by automation alone.

growth in number of
indicators of attack
since 2020
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 100

Using generative AI to understand cyberattacks and produce tailored mitigations continued Introduction Emerging threat landscape AI for defense Advancing global AI security

With all added enrichments, we can then leverage The culmination of these elements, without a pre-
Rules-based approach With generative AI generative AI to help with a summary, a verdict determined rule, is the foundation for a factual
recommendation, and a containment plan. verdict and the certainty around it. This is where
generative AI comes into play, as the True Positive/
Typical prompting examples include:
False Positive decision is reflective of the specific
▪ “Triage the following email and point out what set of contexts and findings for the email. One may
ALERT ALERT you find suspicious? Investigate the Message- argue that task-based AI such as Bayesian tools
ID for any inconsistencies or signs of spoofing. could achieve the same result. However, based on
I’m specifically interested in a sense of urgency, current research our hypothesis is that generative AI
generic greetings, spelling or grammar mistakes, will offer more flexibility to manage the ever-growing
Classification engine Predictive remediation requests for personal information….” variety of events and cases, while Bayesian tools
▪ “Based on the above email investigation, have a narrower scope and diminished flexibility.
summarize the investigation steps that were A high volume of alerts, which also contain false
taken and provide supporting evidence on the positives, forces SOC analysts to focus on reactive
1 2 3 4 Custom remediation task percentage of certainty that this is a true positive tasks and takes focus away from proactive efforts
phishing incident.” to improve security posture, which would result
▪ “Based on your investigation, create a in fewer alerts. Previously, this loop was hard to
Predefined remediation tasks​ containment plan.” break. However, the advent of a new AI-based
methodology to apply to incoming volume and pre-
qualify which alerts may need an investigation and
which are not likely to require one is a positive step
forward that will allow SOC teams to allocate more
A rules-based approach limits your remediation options to predefined tasks. With generative AI, alert treatment time to proactive tasks.
is generalized to produce a unique remediation that is the predictive next step of the specific facts of the alert.
Each remediation will be unique to the facts of the alert, and it does not rely on a predetermined classification
of remediations.

Additional automated enrichments can then be provided including:

▪ Finding a domain’s reputation.
▪ Associating domain, sender, and return path to threat articles.
▪ Checking the same email subject line sent to other users across the organization.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 101

Introduction Emerging threat landscape AI for defense Advancing global AI security

How governments and industries are advancing global AI security

AI is not new in the cybersecurity field. Government approaches

For many years it has been used to
detect malware by using ML, but recent to AI security
breakthrough advancements are now While there is a consensus on
changing the depth and breadth of the importance of security in the
its impact. development of AI, governments
have pursued different approaches in
We are now facing key questions such as: how
to harness the power of AI to turbocharge our
implementing security requirements.
cybersecurity defenses while deterring adversaries
from exploiting it for malicious cyber activity? Or how These approaches mainly focus on the secure
do we protect AI models against cyber threat actors? design, development, deployment, and operation
of AI. Examples of security measures that target the
Governments worldwide have recognized that AI secure design and deployment of AI systems include
offers both benefits and risks for society. As they preliminary risk assessments to identify potential
pursue AI regulatory approaches that seek to balance vulnerabilities and to design mitigation measures,
those benefits and risks, their efforts vary in scope adversarial testing such as red teaming to address
and scale. These differences among governments’ unidentified vulnerabilities, and data management
policy initiatives are not surprising; they reflect the systems to guarantee quality and trusted data.
core values of the governments’ leadership, the
countries’ legal and constitutional frameworks, and Security measures that target the secure deployment
the state of the technology industry and its potential and operation of AI systems include mechanisms to
for future growth. Despite these differences, safety protect them against misuse by users or third-party
and security are emerging as core principles pursued attackers, such ongoing auditing and monitoring
by the majority of governments as they encourage mechanisms, incident reporting, and automatic
the safe and responsible development, deployment, record-keeping systems.
and use of AI.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 102

Government approaches to AI security continued Introduction Emerging threat landscape AI for defense Advancing global AI security

The United States Furthermore, the FY24 National Defense The European Union Other legislative initiatives
Authorization Act (NDAA)61 includes several
The 2023 Executive Order (E.O.) 14110 on Safe, The EU’s Artificial Intelligence Act (AI Act), the first Brazil and Costa Rica have proposed legislation
provisions designed to strengthen the DOD’s use
Secure, and Trustworthy Development and Use of ever horizontal legal framework on AI, requires that would impose on all AI systems certain
of AI in its defense operations. Under the NDAA,
Artificial Intelligence60 directs US federal agencies providers of high-risk AI systems and general- security requirements (for example, parameters
the DOD must: develop a bug bounty program
to implement the policies set forth in the E.O, purpose AI (GPAI) models with systemic risk, to for separating and organizing training data;
for foundation AI models being integrated into
including taking a series of actions focused on safety implement security measures. The AI Act requires information security measures; human rights
the “missions and operations” of the Department
and security of AI technology. The US approach is providers of high-risk AI systems to ensure that such impact assessments), with additional requirements
to strengthen cyber defense resiliency; establish a
notable in two ways: first, it imposed mandatory systems achieve an appropriate level of accuracy, for high-risk systems. Meanwhile, China has
prize competition designed to evaluate technology
cybersecurity measures on federal agency use of robustness, and cybersecurity, and perform adopted the most stringent approach imposing
for generative AI detection and watermarking
AI without extending them to the private sector. consistently in those respects throughout their security requirements on all covered AI systems.
to support the DOD’s warfighting requirements;
Second, it leverages government action to enhance lifecycle. Providers of GPAI models with systemic These requirements include technology ethics
establish and review guidance around the
AI capabilities for cyber defense. For example, EO risk are required to ensure an adequate level of reviews; user registration and verification; measures
Department’s near-term and long-strategies for the
14110 directs the Department of Defense (DOD) and cybersecurity protection of the model, as well as to counter telecommunication network fraud; and
adoption and use of AI; and assess the potential
Department of Homeland Security (DHS) to plan and its physical infrastructure. The AI Act also requires the use of accurate and lawful training data.
vulnerabilities of AI-enabled military applications,
conduct pilot projects for how AI capabilities can aid providers (and deployers in some cases) of high-
including assessments of research and development Finally, other countries have published voluntary
in the discovery and remediation of vulnerabilities risk AI systems, and providers of GPAI models with
efforts needed to advance AI-enabled military guidelines and codes of conduct that suggest
in critical US Government software, systems, and systemic risk, to report serious incidents to relevant
applications. The US Government administration has security measures for private sector entities.
networks. The DOD has been tapped to spearhead governmental authorities as well as relevant actors in
also announced it will release a National Security For example, under the UK National Cyber
actions for national security systems, while the the AI value chain.
Memorandum (NSM)62 that addresses the regulation Security Centre (NCSC)’s guidelines, companies
DHS will spearhead actions for US Government
of AI systems for national security, military, and should consider complying with measures such
civilian systems.
intelligence purposes. as identification of threats and risks; acquisition
of well-secured and well-documented hardware
and software; and documentation of models and
datasets. Canada, Japan, and Singapore have
published similar codes of conduct.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 103

Government approaches to AI security continued Introduction Emerging threat landscape AI for defense Advancing global AI security

Cyber Point of View: Albania

Transparency, advanced technologies, One of the key components in AKSHI’s success
and generative AI to combat malicious was transparency throughout the process and
state-sponsored cyberattacks the swift adoption of automation, advanced
technologies, and generative AI. This enabled
In July 2022, Iran launched a devastating
AKSHI to fortify its defenses, boost cybersecurity
cyberattack designed to cripple Albania’s digital
resilience, and detect and respond to cyber threats
infrastructure. The National Agency for Information
more effectively. By providing real-time insights
Society (AKSHI), responsible for managing
and predictive analytics, AKSHI was able to stay
approximately 95% of the government’s digital
ahead of the attackers.
services, was the biggest target.
This success story is a testament to the
In response, AKSHI acted decisively, stopping the
transparency, resilience, and determination of
attackers from causing additional damage and
AKSHI’s leaders and cybersecurity professionals.
embarking on a journey to invest in enhancing
By turning a crisis into an opportunity for growth
its cybersecurity maturity. AKSHI partnered
and innovation, AKSHI has set a new standard for
with diplomatic partners and industry leaders
cybersecurity excellence and is now taking full
to gather intelligence and implement cutting-
advantage of generative AI capabilities to enhance
edge technologies and innovative strategies
its cybersecurity infrastructure and improve
to protect its digital assets from ongoing and
services for Albania’s citizens.
continuous attacks.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 104

Introduction Emerging threat landscape AI for defense Advancing global AI security

Collaborative policy initiatives for AI security

Organizations around the world are collaborating to advance
government policy initiatives on enhanced AI security.

July 2023 November 2023 January 2024 April 2024 May 2024 June 2024
▪ Microsoft, Anthropic, Google and ▪ The UK launched the world’s first ▪ CISA’s cross-sector analysis ▪ In April 2024, building on the ▪ The second global AI summit secured ▪ Microsoft funded the Securing
OpenAI launched Frontier Model safety institute to spur collaboration of sector-specific AI risk NCSC secure AI development safety commitments from companies. Critical Infrastructure in the Age of
Forum, an industry body focused on AI’s safety with leading AI assessments completed by guidelines release in 2023, the It is a new agreement74 between 10 AI workshop led by Georgetown
on ensuring safe and responsible companies and nations.65 sector risk management US National Security Agency’s countries and the EU to establish an University’s Center for Security and
development of frontier AI ▪ The US Department of Commerce, agencies. Microsoft provided Artificial Intelligence Security Center international network similar to the Emerging Tech (CSET). CSET will
models.63 through National Institute of recommendations through the IT published the joint Cybersecurity UK’s AI Safety Institute,75 the world’s publish a report based on findings
Standards and Technology (NIST) Sector Coordinating Council - a Information Sheet Deploying AI first publicly backed organization from the workshop offering
August 2023 announced the US Artificial public private partnership for Systems Securely71 in collaboration to accelerate the advancement of policy recommendations for AI
▪ The White House announces Intelligence Safety Institute (USAISI) collaboration between IT sector with CISA, the US Federal Bureau of AI safety science. The network will security in critical infrastructure.
the AI Cyber Challenge, for to lead the US Government’s efforts and the Department of Homeland Investigation, the Australian Signals promote a common understanding Expected publication date:
cybersecurity researchers to spur on AI safety and trust, including Security (DHS). Directorate’s Australian Cyber of AI safety and align its work with September 2024.
the use of AI to identify and fix working with partners in academia, Security Centre, the Canadian Centre research, standards, and testing. ▪ Microsoft hosted and participated
software vulnerabilities.64 Microsoft industry, government, and civil
February 2024 for Cyber Security, the New Zealand Australia, Canada, the EU, France, in the first federal AI security
committed to host competition on society to advance AI safety.66 ▪ The Japanese government launched National Cyber Security Centre, Germany, Italy, Japan, Singapore, tabletop exercise led by CISA
Microsoft Azure. a new AI Safety Institute within the and the United Kingdom’s National South Korea, the UK, and the US have JCDC.AI,78 convening more
▪ The Bletchley Agreement for Cyber Security Centre. signed the agreement.76
Information-technology Promotion than 50 AI experts from US and
collaboration resulted from an AI
Agency (IPA) in collaboration with ▪ The US Department of Homeland ▪ Microsoft released a blueprint international agencies and industry
Safety Summit convened by the UK
relevant ministries and agencies.69 Security (DHS) released Safety for mutual prosperity through AI partners focused on effective
and including the US, EU, and China,
The Institute aims to examine and Security Guidelines for governance in Korea.77 and coordinated responses to AI
likeminded AI companies, and 28
evaluation methods and standards Critical Infrastructure Owners and security incidents.
country delegations.67
related to AI. Japan plans to Operators.72 Microsoft contributed
▪ Microsoft contributed to the collaborate with the UK and the US. to the cross-sector risk assessments
development of secure AI system that informed the DHS guidance.
guidelines alongside the UK National March 2024
Cyber Security Centre (NCSC), and the ▪ Microsoft joined the DHS AI Safety
▪ The US Department of Treasury and Security Board (AISSB).73 The
US Cybersecurity and Infrastructure
released a report on the current AISSB advises the DHS Secretary, the
Security Agency (CISA),68 among
state of AI-related cybersecurity critical infrastructure community,
others. It was co-sealed by 23
and fraud risks in financial services, other private sector stakeholders,
domestic and international
including an overview of current AI and the broader public on the
cybersecurity organizations.
use cases, trends of threats and risks, safe, secure, and responsible
This publication marked a
best-practice recommendations, development and deployment
significant step in addressing
and challenges and opportunities.70 of AI technology in our nation’s
the intersection of AI, cybersecurity,
and critical infrastructure. critical infrastructure.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 105

Introduction Emerging threat landscape AI for defense Advancing global AI security

International standards The benefits of international standards The requirements in ISO/IEC 42001 are intended
to be auditable to achieve certification including Actionable Insights
for AI security The AI regulatory landscape is evolving almost as
fast as AI itself. Just as there is a demand for regional
helping to manage responsible AI across supply
chains as well as provide a foundation that can help 1 Existing cybersecurity standards provide
and national standards, there are also many benefits
Security vulnerabilities and risks arising from with regulatory compliance. good practice to secure all types of
to international standards.
adversarial manipulation of AI systems can be information systems, including AI systems,
exploited and impact everything from confidentiality International standards can mitigate fragmentation ISO/IEC 27090 throughout their lifecycle. As controls to
to human safety. Therefore, standards are becoming and ensure more consistency, good practice, ISO/IEC 27090 is being developed to provide address risks specific to AI systems mature,
essential to improve awareness and understanding controls, and even conformity assessment, especially guidance for addressing security threats to AI new standards will be developed. A multi-
of AI, address regulatory concerns and requirements, where supply chains, threat actors, and applications systems. The standard aims to help organizations stakeholder approach is essential for the
and extend good practice and consistency across are of a global nature. International standards can better understand the consequences of security development of pragmatic and useful
the industry. Standards can also help build trust and also help to facilitate cooperation, innovation, threats specific to AI systems throughout their standards to help all types of organizations
confidence in AI systems among stakeholders such and competition. lifecycle, such as evasion attacks, data poisoning, to manage security.
as users, customers, regulators, and society at large. model stealing, and membership inference attacks. 2 Security underpins a responsible AI
ISO/IEC 42001
The document also describes how to detect and approach; international standards can be
Under ISO/IEC 42001, organizations are guided mitigate such threats. ISO/IEC 27090 starts with the used to demonstrate an overall responsible
in establishing continually improving risk-based premise that AI systems are information systems. AI approach, accountability, and effective
processes to support responsible use of AI Therefore, conventional cybersecurity measures– mitigation against harm and safety risks.
throughout the AI system lifecycle. including those in international standards such as
3 International standards can help mitigate
There are also crosswalks79 available to map the NIST ISO/IEC 27002 information security controls, and
fragmentation, ensure consistent
AI Risk Management Framework. Many responsible zero trust principles–are the foundation to mitigating
practices globally, and facilitate trust
AI practices were born out of information security security risks to AI systems and for securing the
and cooperation. International standards
practices. Responsible AI red teaming is one such datasets associated with AI systems.
continue to uphold the accountability of
practice, where real-world adversarial behaviors trust even while regional standards are in
are emulated in an attempt to expose AI system demand to support regulatory frameworks.
vulnerabilities which can lead to harmful outputs,
especially through prompt injection attacks.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 106

Introduction Emerging threat landscape AI for defense Advancing global AI security

Staying a step ahead To stay ahead of threat actors in the age of AI,
Microsoft’s policy follows the principles below:
of threat actors in the ▪ Identification and action against malicious
age of AI use of Microsoft AI: Upon detection of the use
of any Microsoft AI APIs, services, or systems
Our experts and automated systems by an identified malicious actor, Microsoft
analyze and correlate across the will take appropriate action to disrupt their
activities, for example by disabling the accounts
thousands of threat actors we track,
used, terminating services, or limiting access
uncovering efforts to evade detection or to resources.
expand their capabilities by leveraging ▪ Notification to other AI service providers:
new technologies like AI. When we detect a threat actor’s use of another
service provider’s AI, AI APIs, services, and/or
In February, Microsoft and OpenAI released systems, Microsoft will notify the service provider
publications80 discussing the emergence of nation- and share relevant data. This enables the provider
state threat actors utilizing AI for malicious purposes. to independently verify our findings and take
Microsoft also released a set of policy principles action in accordance with their own policies.
to mitigate the risks associated with the use of These principles reflect Microsoft’s commitment to prioritizing security and responsible AI innovation, which
▪ Collaboration with other stakeholders: includes the safety and integrity of our technologies with respect for human rights and ethical standards.
AI tools and application programming interfaces
Microsoft will collaborate with other industry and
(API) by nation-state advanced persistent threats These principles build on our Responsible AI practices, our commitments to advance responsible AI innovation,
civil society stakeholders to regularly exchange
(APT), advanced persistent manipulators (APM), and and the Azure OpenAI Code of Conduct. We also follow these principles as part of our broader commitments
information about threat actors’ use of AI.
cybercriminal syndicates. to strengthening international law and norms and to advance the goals of the Bletchley Declaration.
This collaboration aims to promote collective,
consistent, and effective responses to ecosystem-
wide risks.
▪ Transparency: Microsoft will inform the public
and stakeholders about threat activity, including Links
the nature and extent of threat actors’ use of AI Staying ahead of threat actors in the age of AI |
detected by our systems and the measures taken Microsoft Security Blog | Feb 2024
against them, as appropriate.
Global Governance: Goals and Lessons for AI |
Sep 2024
Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 107

Appendix References 108

Additional Contributing teams 110

information
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 108

References Overview
13. Microsoft Content Integrity tools are available in private
preview for political campaigns and newsrooms to
provide more transparency into who created the image,
25. Microsoft, I4C block 1,000 Skype accounts tied to cyber
criminals (msn.com)

1. Expanding Microsoft’s Secure Future Initiative (SFI) | whether it’s AI generated, the publisher, when and 26. Indian call centre fraudster is jailed for 28 months for
Microsoft Security Blog | May 2024 where the image was created, and whether the image Microsoft scam | Daily Mail Online
has been edited.
27. Amazon, Microsoft, and India crack down on tech
14. Breeker US V10 16x9 VO2 QR 2 (youtube.com) support scams - The Verge
Chapter 1. 15. Source: The original YouTube account has since been 28. Losses from Online Payment Fraud to Exceed
The evolving cyber threat landscape removed: youtube.com/@truetjl $362 Billion Globally Over Next 5 Years | Press
(juniperresearch.com)
2. National Security Strategy of Japan | Dec 2022 16. https://archive.is/H1HgA (Taiwan)
29. https://usa.visa.com/partner-with-us/payment-
3. Publications | Japan Ministry of Defense 17. https://blogs.microsoft.com/wp-content/uploads/prod/ technology/visa-tokenization.html
sites/5/2023/11/MTAC-Report-2024-Election-Threat-
4. ISMAP Overview Assessment-11082023-2-1.pdf 30. Top 15 Phishing Stats to Know in 2024 | Trend
Micro News
5. Exclusive: UN experts investigate 58 cyberattacks worth 18. https://www.youtube.com/watch?v=kbLBJb3UpYQ;
$3 bln by North Korea | Reuters 31. The Coalition for Content Provenance and Authenticity
https://web.archive.org/web/20240423173006/ (C2PA), the global standards body responsible for
6. Half of North Korean missile program funded by Content Credentials, continues to gain momentum with
https://sanfranchron.com/2024/04/21/17/web.archive. over 150 members, adding Google, OpenAI, and many
cyberattacks and crypto theft, White House says | org/web/20240423034950/
CNN Politics others in 2024.
https://bostontimes.org/2024/04/21/do-everything-to-
7. Microsoft Digital Defense Report 2022 prevent-donald-trump-from-winning-the-elections- 32. Account Takeover Incidents are Rising: How to Protect
leak-from-ukrainian-troll-factory/ Yourself in 2024 | Security.org
8. IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple
Sectors, Including U.S. Water and Wastewater Systems 19. https://t.me/DonaldJTrump29/1612 33. How effective is multifactor authentication at deterring
Facilities | CISA cyberattacks? - Microsoft Research
20. China tests US voter fault lines and ramps AI content
9. Telegram channel “KARMA” — @karmabelow80 to boost its geopolitical interests - Microsoft On 34. Identity Reveal: The Threat Actor Behind ONNX Store
statistics — TGStat the Issues) and Caffeine Phishing Kit | Blog | Dark Atlas | Dark
Web Monitoring Platform | Compromised Credentials
Monitoring | Account Takeover Prevention Platform |
10. https://darktrace.com/blog/amadey-info-stealer- 21. Source: globaltimes.cn/page/202407/1315977.shtml Threat Intelligence | Buguard
exploiting-n-day-vulnerabilities
22. Technology boosting global financial crime, INTERPOL 35. Cybersecurity Threats in Online Gaming: Learnings for
11. A report on NOBELIUM’s unprecedented nation-state warns | World Economic Forum (weforum.org) India (orfonline.org)
attack | Microsoft Security Blog
23. KPMG 2022 Fraud Outlook Survey - KPMG Global
12. Exposed and vulnerable: Recent attacks highlight
critical need to protect internet-exposed OT devices | 24. https://www.ic3.gov/Media/PDF/AnnualReport/2023_
Microsoft Security Blog IC3Report.pdf
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 109

References continued

58. Randomized Controlled Trials for Microsoft Copilot for 71. CSI-DEPLOYING-AI-SYSTEMS-SECURELY.PDF (defense.
Chapter 2. Chapter 3. Security by Benjamin G. Edelman, James Bono, Sida gov)
Peng, Roberto Rodriguez, Sandra Ho :: SSRN
Centering our organizations on security Early insights: AI’s impact on cybersecurity
72. Safety and Security Guidelines for Critical Infrastructure
59. Updates | MITRE ATT&CK® Owners and Operators | Homeland Security (dhs.gov)
36. Passkeys (Passkey Authentication) (fidoalliance.org) 49. Completely Automated Public Turing test to tell
Computers and Humans Apart
60. Executive Order on the Safe, Secure, and Trustworthy 73. Artificial Intelligence Safety and Security Board |
37. FIDO Alliance - Open Authentication Standards More
Development and Use of Artificial Intelligence | The Homeland Security (dhs.gov)
Secure than Passwords 50. Internet of Things Market Overview 2024-2028, Internet
White House
Of Things Industry 2024 (reportlinker.com)
74. Seoul Declaration for safe, innovative and inclusive AI:
38. The Accra Call for Cyber Resilient Development - GC3B
61. H.R.2670 - National Defense Authorization Act for Fiscal AI Seoul Summit 2024 - GOV.UK (www.gov.uk)
– Global Conference On Cyber Capacity BuildingGC3B – 51. Slovakia’s Election Deepfakes Show AI Is a Danger to
Year 2024
Global Conference On Cyber Capacity Building Democracy | WIRED
75. The AI Safety Institute (AISI)
62. USGA announces a national security memorandum
39. Election Security Advisors One-Pager (microsoft.com) 52. FRANCE 24 journalist impersonated in new deepfake
video - Truth or Fake 76. In Seoul summit, heads of states and companies
63. Microsoft, Anthropic, Google, and OpenAI launch commit to AI safety | TechCrunch
40. AI Elections accord - A Tech accord to Combat
Deceptive Use of AI in 2024 Elections 53. Dmitry Medvedev on X: “Macron seems to have been
so scared of a real, or presumed assassination in nazi 64. White House launches AI cyber challenge to identify 77. New Digital Order: A blueprint for mutual prosperity
Kiev that not only has he cancelled his trip there, but and fix open-source software vulnerabilities | FedScoop through AI governance in Korea - Microsoft Stories Asia
41. Meeting the moment: combating AI deepfakes in
elections through today’s new tech accord - Microsoft also decided to share the nuclear capacity with other
On the Issues Europeans. Sure, such trifles as the Nuclear Non- 65. Prime Minister launches new AI Safety Institute - GOV. 78. CISA, JCDC, Government and Industry Partners Conduct
Proliferation Treaty are of no concern” / X UK (www.gov.uk) AI Tabletop Exercise | CISA
42. Microsoft announces new steps to help protect
elections - Microsoft On the Issues 54. UAE: Cyberattack disrupts TV services, rattles some 66. At the Direction of President Biden, Department of 79. NIST AIRC - Crosswalk Documents
residents with graphic content from Gaza - News | Commerce to Establish U.S. Artificial Intelligence
Khaleej Times Safety Institute to Lead Efforts on AI Safety | U.S.
43. Microsoft 365 for Campaigns 80. Staying ahead of threat actors in the age of AI |
Department of Commerce Microsoft Security Blog ; Disrupting malicious uses of AI
UAE: A Cyberattack Imitates TV Services And Unnerves
by state-affiliated threat actors | OpenAI
44. Keeping your vote safe and secure: A story from inside Some Locals With Explicit Material From Gaza - The
67. Countries agree to safe and responsible development
the 2020 election – On the Issues (microsoft.com) Emirates Times
of frontier AI in landmark Bletchley Declaration - GOV.
UK (www.gov.uk)
45. Microsoft AccountGuard Jadoo tv hacked by “For humanity 2023” (youtube.com)

68. CISA and UK NCSC Unveil Joint Guidelines for Secure AI

46. Election Security Advisors One-Pager (microsoft.com) 55. twitter.com/montaghemoun/
System Development | CISA
status/1778585175552561344
47. Microsoft and OpenAI launch Societal Resilience Fund - 69. Launch of AI Safety Institute (meti.go.jp)
Microsoft On the Issues 56. Automatic attack disruption in Microsoft Defender XDR
- Microsoft Defender XDR | Microsoft Learn
70. U.S. Department of the Treasury Releases Report on
48. Expanding our Content Integrity tools to support global Managing Artificial Intelligence-Specific Cybersecurity
elections - Microsoft On the Issues 57. Introducing Phi-3: Redefining what’s possible with SLMs
Risks in the Financial Sector | U.S. Department of
| Microsoft Azure Blog
the Treasury
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 110

Contributing teams

AI for Good Research Lab is a philanthropic, Azure Edge + Platform is responsible for Core Datacenter Services is responsible for global
applied research and data visualization lab that Microsoft’s operating systems, IoT and edge availability by implementing global standard
The Microsoft Digital Defense Report
is committed to leveraging the transformative products, engineering systems, and health platforms processes and delivering programs that maximize
(MDDR) has been a collaborative
power of AI to address some of the world’s most from the chip level to the cloud. E+P is the platform efficiency while optimizing safety, security,
effort. The data and insights it pulls
pressing challenges. In collaboration with subject team for the company and the foundation upon availability across our global datacenter portfolio
together have been compiled by a
matter experts in academia, NGOs, and all levels of which virtually every Microsoft product and service
diverse group of security-focused Corporate Standards Group represents Microsoft in
government, the Lab leverages Microsoft’s cloud is built.
professionals across various Microsoft multistakeholder organizations that are establishing
technology and data science talent to create solutions
teams. Their common goal is to C+E Governance leads and manages compliance standards on issues such as cybersecurity, artificial
across many disciplines and around the world.
protect Microsoft, its customers, and regulatory programs and initiatives for the C+ intelligence, and data. The team works with
and the world from the threat of AI Safety and Security is responsible for all aspects E organization, including payments compliance. governments, civil society, academia, and industry
cyberattacks, and we are proud to of AI safety, including pre-launch evaluation, incident The Commerce Risk Engineering Team harnesses to create coherent international practices that
share what we found as we work response, building safety infrastructure, training, cutting-edge AI, strategic risk containment can be used to develop, evaluate, and manage
towards building a safer environment research, and policy. solutions and engineering excellence to safeguard trustworthy technology.
for everyone. transactions across all of Microsoft and Xbox.
Azure DDoS Protection is responsible for Critical Infrastructure Networking & Cyber Defense
safeguarding Microsoft’s cloud infrastructure Central Fraud and Abuse Risk detects and is a global organization that provides safe, reliable
from distributed denial of service (DDoS) attacks. responds to Nation-state actors, criminal syndicates, connectivity and protection for operational
The team develops and maintains advanced network and common hackers who wish to cause financial technology assets required for Microsoft data
security solutions to detect, mitigate, and prevent and reputational harm to Microsoft, its customers, center operations.
DDoS threats, ensuring high availability and reliability and partners. To make the world safer for all, the
Customer Experience Engineering (CxE) drives
for Azure services and customers’ applications by team also partners with law enforcement, industry
better security outcomes by engaging directly with
minimizing the impact of malicious traffic. affiliates, and customers to share fraud insights.
customers throughout the product development
Cloud Ecosystem Security is responsible for process. By incorporating real-world feedback,
the core cloud security platform, data security, CxE ensures that Microsoft Security products
compliance, governance and privacy. The team also are tailored to meet customer needs and deliver
leads AI-powered threat and data intelligence, as enhanced satisfaction.
well as AI security research and development.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 111

Contributing teams continued

Data Security & Privacy provides comprehensive Enterprise & Security provides platform Extended Security Posture Management builds
solutions that empower customers to protect, technologies and solutions to manage and harden cross-domain pre-breach security solutions for
govern, understand, and manage their enterprise platforms against attacks. The team also empowers attack surface management and threat exposure
data across the Microsoft cloud – and beyond. company-wide security initiatives in Zero Trust, reduction. The team brings together posture
secure identity, secure devices, secure supply chain, management capabilities for devices, identities,
Democracy Forward works to preserve, protect,
and scale management from cloud. cloud, and applications into a set of consolidated
and advance the fundamentals of democracy
products serving security leaders and their teams.
by safeguarding open and secure democratic European Government Affairs represents
processes, promoting a healthy information Microsoft’s positions towards European political Global Cybersecurity Policy team focuses on
ecosystem, and advocating for corporate institutions, governments and other political actors. developing and advancing public policy that
civic responsibility. The team oversees a large variety of digital policies strengthens customer and ecosystem-wide
across Europe, including AI, Cloud, Sustainability and cybersecurity and resiliency at the intersection of
Digital Crimes Unit is an international team of
Cybersecurity policy. geopolitics and emerging technologies.
technical, legal, and business experts that has been
fighting cybercrime, protecting individuals and Global Hunting Oversight and Strategic Triage
Customer Security and Trust drives continuous organizations, and safeguarding the integrity of identifies threat actor victims across the Microsoft
improvement of customer security in Microsoft Microsoft services since 2008, through strategic Ecosystem, orchestrates rapid, effective, and
products and online services. Working with partnerships and engagements, the seizure of iterative improvements to reduce attack surface, and
engineering and security teams across the company, criminal infrastructure, and the disruption of global develops automated, repeatable solutions to security
the team ensures compliance, enhances security, and cyber threats and criminal networks. and analysis problems.
drives transparency to protect customers and the Digital Diplomacy is an international team of Identity & Network Access teams innovate
global ecosystem. former diplomats, policy makers, and legal experts and build solutions that manage and govern
Customer Success security teams collaborate with working to advance a peaceful, stable, and secure identities and access, including the consumer sign-
customers to accelerate their security transformation cyberspace in the face of rising nation-state conflict. in experience.
and modernization by sharing best practices, lessons Digital Security & Resilience is the organization Insights, Data Engineering, and Analytics
learned, and expert guidance. led by our Microsoft CISO, and is dedicated to Momentum and Storytelling curates metrics used
Data Intelligence collaborates with partners in enabling Microsoft to build the most trusted devices in non-financial public disclosures; helps craft the
the security organization to enhance the efficiency and services, while keeping our company and messages around those metrics, and ensures that
and effectiveness of processes related to risk customers protected. the messages align with Microsoft’s perspectives.
and resilience, findings analysis, standards and
compliance and device security, among others. The
team uses machine learning and Generative AI to
learn from structured and unstructured data.
 Microsoft Digital Defense Report 2024 Overview The evolving cyber threat landscape Centering our organizations on security Early insights: AI’s impact on cybersecurity Appendix 112

Contributing teams continued

Microsoft Counterintelligence Program is a team Microsoft Threat Intelligence Center (MSTIC) Office of the Chief Scientific Officer leads
that assesses threat and vulnerability information identifies, tracks, and disrupts the most sophisticated strategic initiatives at the confluence of the sciences,
to inform leadership and formulate mitigation nation-state and financially motivated threat actors technology, and society, including frontier efforts
strategies to predict, deter, and investigate threat impacting Microsoft and its customers. To deliver in AI.
activity directed against Microsoft. The team on this mission, MSTIC collects and analyzes threat
Operational Threat Intelligence Center (OpTIC) is
also advises on how to improve related security information to produce actor-centric cyber threat
responsible for managing and disseminating cyber
and business practices to minimize or prevent intelligence and delivers high quality finished
threat intelligence that supports the investigation
exploitable vulnerabilities. intelligence analysis, detections, and insights across
and mitigation of threats impacting Microsoft.
Microsoft’s security solutions.
Microsoft Defender Experts is a managed Threat OpTIC delivers actionable intelligence to security
Hunting and Extended Detection and Response Microsoft Threat Protection Research is a team teams, leadership, and engineering groups including
service that proactively looks for threats 24/7/365 that combines the trillions of signals we see daily proactive and reactive technical analysis of adversary
using Microsoft Defender data. with world class security research into highly behaviors, and strategic reporting.
sophisticated and emerging threats to deliver
Microsoft Incident Response (Detection and The US Government Affairs team advances
prevention, detection, response and automated
Response Team) is an organization of security collaborative discussions with US federal and state
disruption capabilities to more than 1 billion devices
experts with deep technical and industry skills who government representatives, policymakers, and
across all domains (Endpoint, Identity, Office, Cloud,
provide incident hunting, cyber resilience and threat third-party groups, as well as the UN and other
IoT/OT.)
intelligence services to customers. Microsoft Incident international organizations. The team oversees
Response maintains strategic partnerships with National Security Officers A team of globally a large variety of policy priorities including AI,
security organizations, governments, and many based senior cybersecurity experts working with Cybersecurity, Cloud, Sustainability and Competition.
internal Microsoft groups. government stakeholders, ranging from advising
Worldwide Public Sector empowers people,
on best practice cyber guidelines, support with
Microsoft Threat Analysis Center is a team of societies, and public sector organizations around the
driving compliancy and, certification of Microsoft’s
experts who analyze nation-state threats, including world with cutting-edge technology and services for
services and products in countries with particular
cyberattacks and influence operations, by combining effective digital transformation.
national requirements.
cyber threat intelligence with geopolitical analysis,
and provide insights to customers and Microsoft for Office of Responsible AI (ORA) collaborates with
effective response and protection. stakeholders across Microsoft to develop policies,
practices, and governance systems to uphold our
AI principles. ORA also helps to shape the new laws
needed to ensure that the promise of AI technology
is realized for the benefit of society at large.
Microsoft Digital Defense Report
The foundations and new frontiers of cybersecurity

Learn more: https://microsoft.com/mddr

Dive deeper: https://blogs.microsoft.com/on-the-issues/

Follow us for MDDR insights and more:

https://www.linkedin.com/showcase/microsoft-security/

For more news on cybersecurity policy follow us on:

https://www.linkedin.com/showcase/microsoft-on-the-issues/

A Microsoft Threat Intelligence report

October 2024