Microsoft Digital Defense Report 2025
This year’s Microsoft Digital Defense Report (MDDR) showcases the scale and sophistication of today’s cyber threats, the impact of emerging technologies on those threats, and the strategies that leaders, governments, and defenders can use to defend against them.
Share
Our unique vantage point
Microsoft’s global presence—spanning billions of users, millions of organizations, and a vast network of partners—provides us with an unparalleled perspective on the cybersecurity threat landscape.
Top recommendations from MDDR 2025
Based on the insights in our 2025 report, we share expert recommendations to help organizations and governments proactively address today’s evolving cyber risks. Now is the time to take action.
Invest in people, not just tools
Continuously upskill your workforce and embed security in performance reviews. Culture and readiness—not just technology—are critical to an organization’s defenses and its resilience.
Build in resilience
Assume that breaches are inevitable and embed resilience into your infrastructure. To anticipate and prepare for disruptions, track metrics like multifactor authentication coverage, patch latency, and incident response time.
Understand risks and benefits of AI
As adversaries move with the speed of AI, so must defenders. Adjust your risk planning and threat models and apply AI to strengthen your defensive tactics, such as threat and gap analytics, detection validation, and automatic remediation.
Transition to quantum safety
Prepare for post-quantum cryptography by inventorying your encryption use and creating a plan to upgrade to modern standards as they evolve.
Defend your perimeter
About a third of attackers use simple methods to break in, often through trusted partners in your supply chain or online services. Review all possible entry and access points and fix weaknesses.
Collaborate across sectors
Public, private, nonprofit and academic cooperation is critical to manage cyber threats and emerging tech like AI. Develop joint policies, protocols, and initiatives, and share intelligence.
Cyber threats: Worldwide customer impact
Most cyberattacks in 2025 were concentrated in particular countries. The United States (US), the United Kingdom (UK), Israel, and Germany were the leading targets of cyberattacks. Explore this interactive map to see how the most impacted countries compare to others in their region when it comes to cyber threats.
Source: Microsoft Threat Intelligence
This map pulls from data on how frequently customers are targeted by malicious activity in each country. The most impacted countries are compared to other countries in their region, both as a percentage of regional activity and a rank of regional activity.
MDDR 2025 Report
Overview
Threat landscape overview
Over the past year, threat actors quickly developed new techniques to circumvent cyber defenses, from AI-automated phishing to multi-stage attack chains. At the same time, most threats targeted known security gaps, such as web assets and remote services, with threat actors exploiting these vulnerabilities at a faster pace than ever before.
Attacks by sector
Most cyberattacks targeted industries with vast amounts of sensitive data, including government agencies and research and academia. Below are the sectors most impacted by cyber threats in 2025.
Attack motivations
Attacks are by and large financially motivated: extortion, ransomware, and data theft are primary attack motivations. Espionage accounts for only 4% of attacks. Below are the most common motivations behind cyberattacks, when identifiable.
MDDR 2025 Report
Cybercrime
Cybercrime economy
The cybercrime economy is an increasingly specialized and intricate ecosystem made up of access brokers, ransomware operators, and data extortion groups. As financial incentives increase across the cybercrime-as-a-service (CaaS) model and international borders obscure criminal networks, it can be difficult for governments and organizations to disrupt the cybercrime economy.
$10,000 vs $100,000
A security researcher may earn $10,000 for responsibly disclosing a vulnerability to a bug bounty program but may earn over $100,000 by selling the same exploit to a cyber mercenary.
97%
97% of identity attacks were password spray attacks. Even as more sophisticated tactics evolve, most identity attackers exploit the common problem of weak and overused passwords.
Lumma Stealer
Lumma Stealer was the most prevalent infostealer observed between October 2024 and October 2025. A sophisticated malware-as-a-service (MaaS) platform, Lumma Stealer can retrieve sensitive data from various browsers and applications, such as cryptocurrency wallets. This data is then sold to access brokers through dark web forums and Telegram channels. Ultimately, other cyber criminals like ransomware operators can use the data to access target networks.
In mid-2025, Microsoft’s Digital Crimes Unit, working with the U.S. Department of Justice, Europol, and Japan’s Cybercrime Control Center, carried out a landmark disruption operation against Lumma Stealer. Over 2,300 malicious domains were seized or blocked, cutting off Lumma’s infrastructure and redirecting infected devices away from criminal control.
Enable cross-border legal operations
Policymakers should promote harmonized cross-border legal frameworks, tools, and tactics to enable faster cybercrime disruptions.
MDDR 2025 Report
AI
AI: A tool, threat, and vulnerability
Both adversaries and defenders are using AI to make their operations more effective and efficient, rendering the technology a cybersecurity risk and tool at once.
AI and defenders
AI in threat analysis
AI models can scan vast amounts of threat intelligence data to detect early warning signs, helping defenders disrupt attacks before they escalate.
AI for identifying gaps
AI can compare known threats with existing protections, revealing vulnerabilities and directing security resources.
Automated response
AI agents can act within seconds of a suspected threat, suspending accounts, initiating password resets, and notifying administrators.
AI and adversaries
AI as a vulnerability
Attackers are compromising improperly secured AI workloads through prompt-based attacks and supply chain exploits, tricking models into executing unauthorized actions.
Deepfake fraud
Synthetic media–such as voice cloning and deepfake videos–target multinational companies and government organizations, gaining access to sensitive information and costing millions.
Automated attacks
AI agents could allow threat actors to automate the entire attack lifecycle through chain reconnaissance, vulnerability scanning, and exploitation at scale.
Invest in AI research and development
Governments should invest in research and development projects that specifically apply AI to cybersecurity technology.
Storm-2139: A tale of AI abuse
In July 2024, Microsoft uncovered a global network exploiting stolen API keys to bypass AI safety controls and generate abusive AI-generated images. Using content provenance tools and open-source intelligence, the DCU traced the operation and referred the criminals to governments.
MDDR 2025 Report
Nation-State
Nation-state threat actors
In 2025, nation-state threat actors evolved their cyber and influence operations with more advanced, targeted, and scalable tactics. They rapidly adopted AI to produce automatic and largescale influence campaigns.
Nation-state actors remain focused on intelligence collection and public perception manipulation, shaping conflict narratives and flooding the information space with synthetic media to desensitize audiences and exhaust detection systems.
Sectors most targeted by nation-state actors:
IT, research and academia, government, think tanks, and non-governmental organizations.
Observed nation-state activity count per country
Certain countries face disproportionate levels of nation-state activity. This is a regional breakdown of countries that receive the most frequent adversary attacks.
Signal red lines and impose diverse consequences for nation-state cyberattacks
States should make clear that malicious nation-state cyber activity will result in increasingly severe consequences. These responses can include a range of options, from economic measures and diplomatic sanctions to targeted declassification and public shaming.
Detecting North Korean foreign IT workers operating as nation-state actors
North Korea places thousands of remote workers at unwitting companies every year to generate revenue and gain access to sensitive intellectual property. Workers are branching into new sectors and job types. Microsoft tracks this remote work activity and provides guidance on how to monitor and remediate this problem.
MDDR 2025 Report
Additional report topics
Take a deeper dive into the 2025 Microsoft Digital Defense Report.
Navigate to specific sections of the report below.