Sunday, October 19, 2025

Extortion and ransomware drive over half of cyberattacks

In 80% of the cyber incidents Microsoft's security teams investigated last year, attackers sought to steal data, a trend driven more by financial gain than intelligence gathering. According to the latest Microsoft Digital Defense Report, written with our Chief Information Security Officer Igor Tsyganskiy, over half of cyberattacks with known motives were driven by extortion or ransomware. That's at least 52% of incidents fueled by financial gain, while attacks focused solely on espionage made up just 4%. Nation-state threats remain a serious and persistent threat, but most of the immediate attacks organizations face today come from opportunistic criminals looking to make a profit.

Every day, Microsoft processes more than 100 trillion signals, blocks approximately 4.5 million new malware attempts, analyzes 38 million identity risk detections, and screens 5 billion emails for malware and phishing. Advances in automation and readily available off-the-shelf tools have enabled cybercriminals, even those with limited technical expertise, to expand their operations significantly. The use of AI has further added to this trend, with cybercriminals accelerating malware development and creating more realistic synthetic content, enhancing the efficiency of activities such as phishing and ransomware attacks. As a result, opportunistic malicious actors now target everyone, big or small, making cybercrime a universal, ever-present threat that spills into our daily lives.

In this environment, organizational leaders must treat cybersecurity as a core strategic priority, not just an IT issue, and build resilience into their technology and operations from the ground up. In our sixth annual Microsoft Digital Defense Report, which covers trends from July 2024 through June 2025, we highlight that legacy security measures are no longer enough; we need modern defenses leveraging AI and strong collaboration across industries and governments to keep pace with the threat. For individuals, simple steps like using strong security tools, especially phishing-resistant multifactor authentication (MFA), make a big difference, as MFA can block over 99% of identity-based attacks. Below are some of the key findings.

Critical services are prime targets with a real-world impact

Malicious actors remain focused on attacking critical public services, targets that, when compromised, can have a direct and immediate impact on people's lives. Hospitals and local governments, for example, are all targets because they store sensitive data or have tight cybersecurity budgets with limited incident response capabilities, often resulting in outdated software. In the past year, cyberattacks on these sectors had real-world consequences, including delayed emergency medical care, disrupted emergency services, canceled school classes, and halted transportation systems.

Ransomware actors in particular focus on these critical sectors because of the targets' limited options. For example, a hospital must quickly resolve its encrypted systems, or patients could die, potentially leaving no other recourse but to pay. Additionally, governments, hospitals, and research institutions store sensitive data that criminals can steal and monetize through illicit marketplaces on the dark web, fueling downstream criminal activity. Government and industry can collaborate to strengthen cybersecurity in these sectors, particularly for the most vulnerable. These efforts are critical to protecting communities and ensuring continuity of care, education, and emergency response.

Nation-state actors are expanding operations

While cybercriminals are the biggest cyber threat by volume, nation-state actors still target key industries and regions, expanding their focus on espionage and, in some cases, on financial gain. Geopolitical objectives continue to drive a surge in state-sponsored cyber activity, with a notable expansion in targeting communications, research, and academia.

Key insights:

  • China is continuing its broad push across industries to conduct espionage and steal sensitive data. State-affiliated actors are increasingly attacking non-governmental organizations (NGOs) to expand their insights and are using covert networks and vulnerable internet-facing devices to gain entry and avoid detection. They have also become faster at operationalizing newly disclosed vulnerabilities.
  • Iran is going after a wider range of targets than ever before, from the Middle East to North America, as part of broadening espionage operations. Recently, three Iranian state-affiliated actors attacked transport and logistics companies in Europe and the Persian Gulf to gain ongoing access to sensitive industrial data, raising the possibility that Iran may be pre-positioning to have the ability to interfere with industrial transport operations.
  • Russia, while still focused on the war in Ukraine, has expanded its targets. For example, Microsoft has observed Russian state-affiliated actors targeting small businesses in countries supporting Ukraine. In fact, outside of Ukraine, the top ten countries most affected by Russian cyber activity all belong to the North Atlantic Treaty Organization (NATO), a 25% increase compared to last year. Russian actors may view these smaller companies as possibly less resource-intensive pivot points they can use to access larger organizations. These actors are also increasingly leveraging the cybercriminal ecosystem for their attacks.
  • North Korea remains focused on revenue generation and espionage. In a trend that has gained significant attention, thousands of state-affiliated North Korean remote IT workers have applied for jobs with companies around the world, sending their salaries back to the government as remittances. When discovered, some of these workers have turned to extortion as another approach to bringing in money for the regime.

The cyber threats posed by nation-states are becoming more expansive and unpredictable. In addition, the shift by at least some nation-state actors to further leveraging the cybercriminal ecosystem will make attribution even more challenging. This underscores the need for organizations to stay abreast of the threats to their industries and work with both industry peers and governments to confront the threats posed by nation-state actors.

2025 saw an escalation in the use of AI by both attackers and defenders

Over the past year, both attackers and defenders harnessed the power of generative AI. Threat actors are using AI to boost their attacks by automating phishing, scaling social engineering, creating synthetic media, finding vulnerabilities faster, and creating malware that can adapt itself. Nation-state actors, too, have continued to incorporate AI into their cyber influence operations. This activity has picked up in the past six months as actors use the technology to make their efforts more advanced, scalable, and targeted.

For defenders, AI is also proving to be a valuable tool. Microsoft, for example, uses AI to spot threats, close detection gaps, catch phishing attempts, and protect vulnerable users. As both the risks and opportunities of AI rapidly evolve, organizations must prioritize securing their AI tools and training their teams. Everyone, from industry to government, must be proactive to keep pace with increasingly sophisticated attackers and to ensure that defenders keep ahead of adversaries.

Adversaries aren’t breaking in; they’re signing in

Amid the growing sophistication of cyber threats, one statistic stands out: more than 97% of identity attacks are password attacks. In the first half of 2025 alone, identity-based attacks surged by 32%. That means the vast majority of malicious sign-in attempts an organization might receive are via large-scale password guessing attempts. Attackers get usernames and passwords ("credentials") for these bulk attacks largely from credential leaks.

However, credential leaks aren't the only place where attackers can obtain credentials. This year, we saw a surge in the use of infostealer malware by cybercriminals. Infostealers can secretly gather credentials and information about your online accounts, like browser session tokens, at scale. Cybercriminals can then buy this stolen information on cybercrime forums, making it easy for anyone to access accounts for purposes such as the delivery of ransomware.

Luckily, the solution to identity compromise is simple. The implementation of phishing-resistant multifactor authentication (MFA) can stop over 99% of this type of attack even if the attacker has the correct username and password combination. To target the malicious supply chain, Microsoft's Digital Crimes Unit (DCU) is fighting back against the cybercriminal use of infostealers. In May, the DCU disrupted the most popular infostealer, Lumma Stealer, alongside the US Department of Justice and Europol.

Moving forward: Cybersecurity is a shared defensive priority

As threat actors grow more sophisticated, persistent, and opportunistic, organizations must stay vigilant, continually updating their defenses and sharing intelligence. Microsoft remains committed to doing its part to strengthen our products and services via our Secure Future Initiative. We also continue to collaborate with others to track threats, alert targeted customers, and share insights with the broader public when appropriate.

However, security is not only a technical challenge but a governance imperative. Defensive measures alone are not enough to deter nation-state adversaries. Governments must build frameworks that signal credible and proportionate consequences for malicious activity that violates international rules. Encouragingly, governments are increasingly attributing cyberattacks to foreign actors and imposing consequences such as indictments and sanctions. This growing transparency and accountability are important steps toward building collective deterrence. As digital transformation accelerates, amplified by the rise of AI, cyber threats pose risks to economic stability, governance, and personal safety. Addressing these challenges requires not only technical innovation but coordinated societal action.
