Insights from the Microsoft Digital Defense Report 2023

Microsoft has released the fourth edition of its Digital Defense Report.

Informed by data collected from Microsoft and its partners from July 2022 to June 2023, the report details security threats to business and presents actionable steps for mitigating cybercrime. 

Let’s look at some of the key findings.  

1. Basic security hygiene remains fundamental for defence 

Basic security hygiene continues to be an effective shield against cyber attacks, safeguarding against 99% of threats.

The minimum security standards Microsoft recommends that all businesses adhere to include: 

  • Implement multifactor authentication (MFA) 

  • Apply Zero Trust principles 

  • Use extended detection and response (XDR) and antimalware software 

  • Keep all systems up to date, including firmware, operating systems and applications 

  • Identify critical data and its location for effective data protection

2. Most ransomware threats originate from unmanaged devices 

Up to 90% of successful ransomware compromises stem from unmanaged or bring-your-own devices. 

While the lack of comprehensive security measures on these devices makes them easy targets for cybercriminals, ransomware operators also increasingly exploit vulnerabilities in less commonly used software.  

Throughout the year, cybercriminals unleashed attacks across all sectors; nevertheless, critical infrastructure sectors continue to bear the brunt of ransomware encounters. There was a notable surge in attacks targeting small and medium-sized businesses (SMBs). Between July and September 2022, approximately 70% of organisations affected by human-operated ransomware attacks employed fewer than 500 personnel. 

Criminals are adopting tactics that add unpredictability and complexity to their attacks. This makes defence and prediction a greater challenge, which is why Microsoft reiterates the importance of a holistic security approach.

3. Surge in human-operated ransomware attacks 

Since September 2022, human-operated ransomware attacks have surged by over 200%. 

"Ransomware accounted for 31% of all Microsoft Incident Response customer engagements."
Microsoft Digital Defense Report 2023

Despite the increase in ransomware attacks, there is a silver lining: organisations with robust security postures have a strong chance of thwarting these attacks, with only 2% of attempted attacks successfully transitioning to a full-blown ransomware deployment. 

The surge in human-operated ransomware attacks serves as a reminder to remain adaptable. Maintaining a flexible and proactive approach is indispensable for countering evolving tactics and preserving the resilience of your digital defences. 

4. Skyrocketing business email compromise (BEC) attacks 

The frequency of BEC attacks soared to over 156,000 daily attempts. 

Common BEC attack patterns include: 

  • Financial fraud: Attackers simulate domains to deceive users into thinking they're engaging with legitimate third parties. Some compromise third-party entities to request money transfers within genuine email threads, making these attacks challenging to identify. 

  • Internal phishing: After obtaining compromised identities through adversary-in-the-middle (AiTM) attacks, threat actors conduct extensive internal phishing campaigns. These emails appear to come from genuine internal senders, which makes them difficult to detect and increases the likelihood of recipients falling for the scam.

  • Massive spam mailing: Perpetrators employ a denial-of-service strategy by subscribing victims to multiple email lists, forums, and newsletters, resulting in an overwhelming influx of emails. This tactic distracts and frustrates victims, making them less likely to notice critical warning or authentication messages in their inundated inboxes. 

The success of these attacks is largely due to increased focus on cloud-based infrastructure, exploiting trusted business relationships, and threat actors developing more specialised skills. Microsoft’s Digital Crimes Unit (DCU) believes increased intelligence sharing across the public and private sectors will help enable a more effective response against the threat actors behind these attacks. 

5. MFA fatigue and password attacks on the rise 

Microsoft's telemetry reveals a tenfold increase in attempted password attacks over the past year. 

Attempted attacks increased from approximately 3 billion per month in 2022 to 30 billion in 2023. This translates to an average of 4,000 password attacks per second. 

The prevalence of password attacks is primarily due to inadequate security measures, including neglecting to implement multifactor authentication (MFA).

While not implementing MFA puts users at greater risk of brute force attacks, phishing and credential stuffing, attackers have also adapted their tactics to circumvent this security control. In an attack known as MFA fatigue or MFA bombing, attackers send MFA or passwordless sign-in prompts to deceive potential victims into approving these requests. Once a request is approved, attackers gain full access to the user's account, enabling them to manipulate MFA settings and sign in at will.

"Approximately 6,000 MFA fatigue attempts were observed per day."
Microsoft Digital Defense Report 2023

In response, Microsoft introduced safeguards against abnormal passwordless sign-ins for all customers. It strongly recommends that customers thoroughly review and validate all MFA and passwordless sign-in prompts before approving.
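The pattern described above can also be watched for on the defender's side. The following is an added example, not taken from the Microsoft report: a sliding-window check over MFA prompt events that flags bursts of rejected or ignored prompts and raises the severity when an approval follows the burst. The event format, the 10-minute window and the threshold of three are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA prompt events (not real telemetry): time, user, outcome.
SAMPLE_EVENTS = [
    ("2023-06-01T02:10:05", "alice", "denied"),
    ("2023-06-01T02:10:40", "alice", "denied"),
    ("2023-06-01T02:11:15", "alice", "timeout"),
    ("2023-06-01T02:12:02", "alice", "denied"),
    ("2023-06-01T02:13:30", "alice", "approved"),
    ("2023-06-01T09:00:00", "bob", "approved"),
    ("2023-06-01T09:30:00", "carol", "denied"),
    ("2023-06-01T13:45:00", "carol", "approved"),
    ("2023-06-01T03:00:00", "dave", "denied"),
    ("2023-06-01T03:01:00", "dave", "denied"),
    ("2023-06-01T03:02:00", "dave", "denied"),
    ("2023-06-01T03:03:00", "dave", "timeout"),
]

def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Flag users with `threshold` or more rejected/ignored prompts inside `window`.

    Severity is 'high' when an approval follows the burst inside the same
    window (the prompt bombing may have worked), otherwise 'medium'.
    """
    recent_failures = defaultdict(deque)  # user -> times of denied/timeout prompts
    alerts = {}
    for ts_text, user, outcome in sorted(events):  # ISO timestamps sort correctly
        ts = datetime.fromisoformat(ts_text)
        failures = recent_failures[user]
        while failures and ts - failures[0] > window:
            failures.popleft()  # drop prompts that fell out of the window
        if outcome in ("denied", "timeout"):
            failures.append(ts)
            if len(failures) >= threshold:
                alerts.setdefault(user, "medium")
        elif outcome == "approved" and len(failures) >= threshold:
            alerts[user] = "high"
    return alerts

if __name__ == "__main__":
    for user, severity in detect_mfa_fatigue(SAMPLE_EVENTS).items():
        print(f"{severity:6} possible MFA fatigue against {user}")
```

A single denied prompt followed hours later by a normal approval (carol in the sample) is not flagged, which keeps ordinary mistakes out of the alert queue.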

6. Token replay remains a prevalent threat 

Token replay attacks have doubled in the past year, averaging 11 detections per 100,000 active users in Azure Active Directory Identity Protection. While constituting less than 3% of all identity compromises, the steady increase in detections illustrates that cybercriminals view token replay as an effective attack method. 

Organisations need to do more than just rely on MFA to mitigate this type of attack. Microsoft recommends:

  • Implementing risk-based and token protection policies in Conditional Access.  

  • Monitoring systems for signs of token replay.

  • Using non-phishable credentials that bind the token to the legitimate user’s device, such as Windows Hello for Business and FIDO keys.
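One way to monitor for signs of token replay, shown here as an added example rather than anything from the report or a Microsoft product: compare each use of a token with the device and network recorded when it was issued. The record layout and field names are assumptions, and the sample records are constructed.

```python
# Constructed sample records (not real telemetry):
# (time, event, token_id, user, device_id, ip); all field names are assumptions.
SAMPLE_LOG = [
    ("2023-06-01T08:00:00", "issued", "t-100", "alice", "dev-a", "198.51.100.10"),
    ("2023-06-01T08:05:00", "used",   "t-100", "alice", "dev-a", "198.51.100.10"),
    ("2023-06-01T08:20:00", "used",   "t-100", "alice", "dev-x", "203.0.113.77"),
    ("2023-06-01T09:00:00", "issued", "t-200", "bob",   "dev-b", "198.51.100.20"),
    ("2023-06-01T09:40:00", "used",   "t-200", "bob",   "dev-b", "192.0.2.44"),
    ("2023-06-01T10:00:00", "used",   "t-999", "carol", "dev-c", "192.0.2.50"),
]

def find_token_replay(records):
    """Compare every use of a token with the context recorded at issuance.

    Returns a list of (time, token_id, reason, severity) findings.
    """
    issued = {}    # token_id -> (user, device_id, ip) at issuance
    findings = []
    for time, event, token_id, user, device_id, ip in sorted(records):
        if event == "issued":
            issued[token_id] = (user, device_id, ip)
            continue
        origin = issued.get(token_id)
        if origin is None:
            # No issuance record: a logging gap, or a token obtained elsewhere.
            findings.append((time, token_id, "unknown-token", "medium"))
        elif device_id != origin[1]:
            # A device-bound token should never appear on a second device.
            findings.append((time, token_id, "device-mismatch", "high"))
        elif ip != origin[2]:
            # Same device on a new network is common for roaming users.
            findings.append((time, token_id, "ip-change", "low"))
    return findings

if __name__ == "__main__":
    for finding in find_token_replay(SAMPLE_LOG):
        print(*finding)
```

Ranking a device mismatch above an IP change reflects why device-bound credentials help: a token tied to one device has no legitimate reason to appear on another, while IP addresses change routinely.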

Strengthening digital defences  

Microsoft's Digital Defense Report 2023 arms organisations with insights and serves as a resource for businesses aiming to fortify their cyber security posture. By understanding these key insights and trends, organisations can take proactive steps to enhance their digital defence strategies and mitigate potential cyber threats. 

You can access the full report here

Glyn Geoghegan   
