Insights from the Microsoft Digital Defense Report 2023

Microsoft has released the fourth edition of its Digital Defence Report. 

Informed by data collected from Microsoft and its partners from July 2022 to June 2023, the report details security threats to business and presents actionable steps for mitigating cybercrime. 

Let’s look at some of the key findings.  

1. Basic security hygiene remains fundamental for defence 

Basic security hygiene continues to be an effective shield against a vast majority of cyber attacks, safeguarding against 99% of threats. 

The minimum security standards Microsoft recommends that all businesses adhere to include: 

• Implement multifactor authentication (MFA) 

• Apply Zero Trust principles 

• Use extended detection and response (XDR) and antimalware software 

• Keep all systems up to date, including firmware, operating systems and applications 

• Identify critical data and its location for effective data protection

2. Most ransomware threats originate from unmanaged devices 

Up to 90% of successful ransomware compromises stem from unmanaged or bring-your-own devices. 

While the lack of comprehensive security measures on these devices makes them easy targets for cybercriminals, ransomware operators also increasingly exploit vulnerabilities in less commonly used software.  

Throughout the year, cybercriminals unleashed attacks across all sectors; nevertheless, critical infrastructure sectors continue to bear the brunt of ransomware encounters. There was a notable surge in attacks targeting small and medium-sized businesses (SMBs). Between July and September 2022, approximately 70% of organisations affected by human-operated ransomware attacks employed fewer than 500 personnel. 

Criminals are adopting tactics that add unpredictability and complexity to their attacks. This makes defence and prediction a greater challenge which is why Microsoft reiterates the importance of a holistic security approach. 

3. Surge in human-operated ransomware attacks 

Since September 2022, human-operated ransomware attacks have surged by over 200%. 

Despite the increase in ransomware attacks, there is a silver lining: organisations with robust security postures have a strong chance of thwarting these attacks, with only 2% of attempted attacks successfully transitioning to a full-blown ransomware deployment. 

The surge in human-operated ransomware attacks serves as a reminder to remain adaptable. Maintaining a flexible and proactive approach is indispensable for countering evolving tactics and preserving the resilience of your digital defences. 

4. Skyrocketing business email compromise (BEC) attacks 

The frequency of BEC attacks soared to over 156,000 daily attempts. 

Common BEC attack patterns include: 

• Financial fraud: Attackers simulate domains to deceive users into thinking they're engaging with legitimate third parties. Some compromise third-party entities to request money transfers within genuine email threads, making these attacks challenging to identify. 

• Internal phishing: After obtaining compromised identities through AiTM (Adversary in the Middle) attacks, threat actors conduct extensive internal phishing campaigns. These emails appear to come from genuine internal senders, making them difficult to detect—increasing the likelihood of recipients falling for the scam. 

• Massive spam mailing: Perpetrators employ a denial-of-service strategy by subscribing victims to multiple email lists, forums, and newsletters, resulting in an overwhelming influx of emails. This tactic distracts and frustrates victims, making them less likely to notice critical warning or authentication messages in their inundated inboxes. 

The success of these attacks is largely due to increased focus on cloud-based infrastructure, exploiting trusted business relationships, and threat actors developing more specialised skills. Microsoft’s Digital Crimes Unit (DCU) believes increased intelligence sharing across the public and private sectors will help enable a more effective response against the threat actors behind these attacks. 

5. MFA fatigue and password attacks on the rise 

Microsoft's telemetry reveals a tenfold increase in attempted password attacks over the past year. 

Attempted attacks increased from approximately 3 billion per month in 2022 to 30 billion in 2023. This translates to an average of 4,000 password attacks per second. 

The prevalence of password attacks is primarily due to inadequate security measures, including neglecting to implement Multi-Factor Authentication (MFA).  

While not implementing MFA puts users at greater risk of brute force attacks, phishing and credential stuffing, attackers have adapted their tactics to circumvent this security control. Known as MFA fatigue or MFA bombing, attackers send MFA or passwordless sign-in prompts to deceive potential victims into approving these requests. By doing so attackers gain full access to users’ accounts, enabling attackers to manipulate MFA settings and sign in at will. 

In response, Microsoft introduced safeguards against abnormal passwordless sign-ins for all customers. They strongly recommend customers thoroughly review and validate all MFA and passwordless sign-in prompts before approving.  

6. Token replay remains a prevalent threat 

Token replay attacks have doubled in the past year, averaging 11 detections per 100,000 active users in Azure Active Directory Identity Protection. While constituting less than 3% of all identity compromises, the steady increase in detections illustrates that cybercriminals view token replay as an effective attack method. 

Organisations need to do more than just rely on MFA to mitigate against this type of attack. Microsoft recommends:   

• Implementing risk-based and token protection policies in Conditional Access.  

• Monitoring systems for signs of token replay. Use non-phishable credentials that bind the token to the legitimate user’s device, such as Windows Hello for Business and FIDO keys. 

Strengthening digital defences  

Microsoft's Digital Defense Report 2023 arms organisations with insights and serves as a resource for businesses aiming to fortify their cyber security posture. By understanding these key insights and trends, organisations can take proactive steps to enhance their digital defence strategies and mitigate potential cyber threats. 

You can access the full report here.