
The state of cyber defense

We are living through a defining moment in cybersecurity, where digital transformation and AI are pushing threats to new levels of speed, scale, and sophistication. Cyberattacks are no longer isolated IT issues; they shape economies, geopolitics, and public trust.

While defenders are already using AI to block billions in fraud, compress response times from hours to minutes, and scale protections globally, meeting this moment requires innovation to stay ahead of adversaries, resilience to recover from inevitable attacks, and partnership to strengthen culture and collaboration across industries and governments.

This is not a retrospective. It is a call to action: the threats are compounding, the timelines for attack and therefore response are shrinking, and the stakes extend far beyond IT systems. They reach into global stability, business continuity, and public trust.

This year’s report highlights the most pressing themes in today’s threat landscape, including the increased use of AI by threat actors, the proliferation of infostealers, the growth of cybercrime as a service, and the expanding role of nation-state threat actors. Alongside the data, it outlines clear defensive priorities, from strengthening identity and cloud resilience to disrupting criminal supply chains and building stronger partnerships.

Key themes

  • Threat actors are turning to AI to scale phishing and automate intrusions. Defenders must innovate just as quickly—using AI, automation, and secure-by-default practices—to stay ahead. Last year, Microsoft thwarted $4 billion in fraud attempts and blocked 1.6 million bot-driven or fake account sign-ups every hour, demonstrating the scale of defenses needed to match the pace of adversaries.
  • Adversaries are increasingly attacking the cloud, with destructive campaigns up 87%. Resilience means operating through attacks, aided by security engineered into systems, supply chains, and governance. Security teams should follow the Zero Trust concept of assuming breach, and design for continuity.
  • Cybercrime is industrializing, with access brokers selling entry to thousands of organizations. Defenders must counter this cybercriminal economic growth with strong partnerships across industry peers, CERTs, governments, and internally by breaking silos and embedding security across teams.
  • AI-driven phishing is now three times more effective than traditional campaigns, and over 40% of ransomware attacks have a hybrid component. Defenders must counter with faster detection, automated response, and strategies built for scale.

Threat landscape

2025 marks a turning point in the cyber threat landscape, and AI is accelerating the change. Financially motivated cybercriminals remain the primary threat, driving most incidents. The IT, government, and research and academia sectors are heavily targeted because of the valuable data they hold, but the motive behind most attacks is still financial. Attackers favor phishing, unpatched assets, and exposed services, while infostealers fuel follow-on compromises. Nation-state actors remain focused on espionage but are also bringing AI into the fold.

Lighting the path to a secure future

  • Government, IT, and research and academia sectors were the most affected by cyber threats this year. These organizations manage critical public services and store vast amounts of sensitive data, including personally identifiable information (PII) and authentication tokens, which bad actors can use in future attacks.
  • The vast majority of cyberattacks are conducted by cybercriminals, not nation-state actors. In attacks for which the motivation was known, Microsoft Incident Response found that only 4% were motivated by espionage. Data theft accounted for 37% of attacks, 33% had an extortion component, and ransomware or destructive activity was noted in 19% of incidents.
  • Microsoft Incident Response found that 28% of breaches were initiated through phishing or social engineering, 18% came via unpatched web assets, and 12% leveraged exposed remote services. Adversaries are now heavily using the ClickFix social engineering method, incorporating exploits for known vulnerabilities faster than ever, and adopting new access methods such as device code phishing.
  • Nation-state groups are pursuing more targets than ever. While motivations differ, the pattern is consistent: nation-state operations are driven by intelligence collection, targeting the systems and sectors that underpin global innovation, communications, and governance.

Commercialization of cybercrime

Cybercrime is industrialized, with access brokers selling entry to thousands of organizations and infostealers fueling a global dark web economy. This ecosystem thrives on data collection, which occurred in nearly 80% of Microsoft Incident Response engagements in the past year. To counter it, organizations must classify and safeguard their most critical data, establish clear response procedures to meet legal and regulatory obligations, and maintain strong visibility and detection across environments.

  • If cybercrime is a supply chain problem, defenders must prioritize reducing the resale value of stolen data, monitor for infostealer activity, and collaborate across industries and governments to disrupt access brokers and criminal marketplaces.
  • Attackers prioritize data theft: 79% of the ransomware cases observed in Microsoft Incident Response engagements this year involved at least one remote monitoring and management (RMM) tool, and attackers engaged in data collection that fueled extortion and resale across criminal marketplaces.
  • Access brokers sell stolen credentials and footholds into thousands of organizations, fueling ransomware and fraud by making intrusions turnkey.
  • Business email compromise (BEC) continues to exemplify the commercialization of cybercrime. Once a manual, low-volume scam, it has shifted into a professionalized, service-based economy. Access brokers now sell stolen credentials and entire inboxes to BEC operators, who automate target selection and payment fraud at scale. This industrialized model lowers the barrier to entry for attackers and enables rapid monetization through extortion, invoice fraud, and account takeover schemes.
  • Infostealers, often delivered through malvertising or SEO poisoning, harvest credentials and tokens at scale, feeding a global dark web economy that enables ransomware and downstream compromise.

AI: A tool, threat, and vulnerability

As adversaries adopt AI, defenders must do the same. AI already neutralizes most identity attacks and helps security teams remediate threats quickly with fewer false alarms. Its applications span analytics, phishing detection, automated remediation, and incident response through AI agents. But adoption must be cautious: AI brings new vulnerabilities alongside its defensive power.

  • A strong security framework helps prepare for AI adoption; discover how AI is being used within the organization; protect sensitive data, AI agents, applications and models; and govern AI operations.
  • Deepfakes and AI-generated IDs are being weaponized to bypass verification checkpoints. The use of AI-driven forgeries grew 195% globally, with techniques now convincing enough to defeat selfie checks and liveness tests, such as simulating natural eye blinks or head turns.
  • AI brings defensive power but also expands the attack surface. Risks include adversarial prompts, data poisoning, and model manipulation, which can be exploited to bypass controls or mislead defenders. Building and deploying trustworthy AI is critical to reduce these vulnerabilities.
  • AI agents can act within seconds, suspending a compromised account and triggering a password reset as soon as multiple high-risk signals align, containing breaches before escalation.
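The last bullet describes containment that fires only when several high-risk signals align for one account. The following is an added illustration of that correlation logic, not code from the report or from Microsoft; the signal names, weights, threshold, 30-minute window, and the one-line log format are all assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative weights (assumption): signals the report discusses, scored by severity.
HIGH_RISK_SIGNALS = {
    "infostealer_credential_match": 3,  # credential appeared in an infostealer log
    "device_code_signin": 3,            # device code flow from an unfamiliar client
    "rmm_tool_installed": 2,            # new RMM tool appeared on the user's endpoint
    "atypical_location": 2,             # sign-in far from the user's usual locations
}
CONTAIN_THRESHOLD = 4          # assumption: at least two aligned signals, score >= 4
WINDOW = timedelta(minutes=30) # assumption: signals must align within 30 minutes
CONTAIN_ACTIONS = ["suspend_account", "force_password_reset"]

# Constructed sample events in the assumed format "<ISO timestamp> <user> <signal>".
SAMPLE_EVENTS = [
    "2025-03-01T09:00:00 alice infostealer_credential_match",
    "2025-03-01T09:12:00 alice device_code_signin",
    "2025-03-01T10:00:00 bob atypical_location",
    "2025-03-01T14:00:00 bob rmm_tool_installed",  # 4 hours later: not aligned
    "2025-03-01T11:00:00 carol rmm_tool_installed",  # single signal: no action
]


def parse_event(line):
    """Split one constructed log line into (timestamp, user, signal)."""
    ts, user, signal = line.split()
    return datetime.fromisoformat(ts), user, signal


def correlate(lines):
    """Return {user: decision} for accounts whose distinct high-risk signals
    align within WINDOW and reach CONTAIN_THRESHOLD; others are left alone."""
    per_user = defaultdict(list)
    for line in lines:
        ts, user, signal = parse_event(line)
        if signal in HIGH_RISK_SIGNALS:
            per_user[user].append((ts, signal))
    decisions = {}
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct signals seen from this event until the window closes.
            aligned = {s for t, s in events[i:] if t - start <= WINDOW}
            score = sum(HIGH_RISK_SIGNALS[s] for s in aligned)
            if len(aligned) >= 2 and score >= CONTAIN_THRESHOLD:
                decisions[user] = {"score": score, "signals": sorted(aligned),
                                   "actions": list(CONTAIN_ACTIONS)}
                break  # one containment decision per account is enough
    return decisions
```

Tuning the weights and window to your own telemetry is the real work; a single weak signal should never trigger containment on its own, which is why the rule requires two distinct signals.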

Microsoft Digital Defense Report 2025
