Microsoft’s 2025 Cyberdefense Report: The New Rules of Engagement

Summary
– AI is being used by adversaries to enhance attacks through automation, vulnerability discovery, and evasion of security controls.
– Identity-based attacks, primarily using stolen passwords and brute-force methods, have surged by 32% and are the leading cause of breaches.
– Ransomware incidents increasingly exploit hybrid cloud and on-premises systems, with a significant rise in destructive actions in cloud environments.
– State-backed actors from countries like China and Russia are intensifying espionage and influence campaigns, employing AI for precision and scale.
– Attack methods are shifting from phishing to social engineering via collaboration tools and help desk scams, while legitimate tools are misused to maintain access.
A new cybersecurity report from Microsoft reveals that artificial intelligence is fundamentally reshaping the digital battlefield, empowering attackers to refine their methods, automate complex operations, and overwhelm traditional security measures. The past year has seen a troubling convergence where criminal syndicates and state-sponsored groups have blurred the lines between cybercrime, espionage, and outright disruption, targeting both public institutions and private enterprises with equal vigor.
Identity has become the primary battleground for modern cyberattacks. The vast majority of security breaches now start with compromised credentials, with over 97% of identity-focused attacks employing password spray or brute-force techniques. While multi-factor authentication (MFA) effectively blocks most unauthorized access attempts, significant coverage gaps persist in many organizations. These vulnerabilities are especially pronounced for service accounts and non-human identities, which often possess elevated system privileges but receive less security oversight than standard user accounts.
During the first half of 2025, identity-based attacks surged by 32%. The research and academic sector experienced the most severe impact, a consequence of their typically open network architectures and decentralized IT management. Attackers are increasingly setting their sights on workload identities, automated scripts, and cloud services, recognizing that these assets frequently hold powerful access rights while remaining inadequately protected.
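The distinction the two paragraphs above draw between password spray and brute force, and the MFA coverage gap on service accounts, map directly onto detection logic. The block below is an added example, not code from the report or from Microsoft; the sign-in log format and the sample lines are constructed for illustration (they are not any vendor's log schema), and the thresholds (five distinct accounts from one source inside ten minutes for spray, five failures against one account from one source for brute force) are assumptions to tune per environment.

```python
"""Triage of sign-in events for password spray, brute force and MFA gaps.

Added example. The log format and SAMPLE_LOG are constructed for
illustration; they are not a real sign-in log schema or data from the report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, account, source IP, result, MFA flag.
# 203.0.113.7 tries one password against many accounts (spray) and lands on a
# service account with no MFA; 198.51.100.9 hammers a single account (brute force).
SAMPLE_LOG = """\
2025-03-04T09:00:01Z alice 203.0.113.7 FAIL mfa=no
2025-03-04T09:00:03Z bob 203.0.113.7 FAIL mfa=no
2025-03-04T09:00:05Z carol 203.0.113.7 FAIL mfa=no
2025-03-04T09:00:07Z dave 203.0.113.7 FAIL mfa=no
2025-03-04T09:00:09Z erin 203.0.113.7 FAIL mfa=no
2025-03-04T09:00:11Z frank 203.0.113.7 FAIL mfa=no
2025-03-04T09:00:13Z svc-backup 203.0.113.7 SUCCESS mfa=no
2025-03-04T09:01:00Z alice 198.51.100.9 FAIL mfa=no
2025-03-04T09:01:01Z alice 198.51.100.9 FAIL mfa=no
2025-03-04T09:01:02Z alice 198.51.100.9 FAIL mfa=no
2025-03-04T09:01:03Z alice 198.51.100.9 FAIL mfa=no
2025-03-04T09:01:04Z alice 198.51.100.9 FAIL mfa=no
2025-03-04T09:01:05Z alice 198.51.100.9 FAIL mfa=no
2025-03-04T09:05:00Z alice 192.0.2.44 SUCCESS mfa=yes
2025-03-04T09:06:00Z bob 192.0.2.45 FAIL mfa=no
2025-03-04T09:06:30Z bob 192.0.2.45 SUCCESS mfa=yes
"""


def parse_log(text):
    """Parse the constructed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result, mfa = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip,
            "ok": result == "SUCCESS",
            "mfa": mfa == "mfa=yes",
        })
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Password spray: one source, many distinct accounts, few tries each.

    Per-account lockout counters never fire because each account sees only
    one or two failures, so the signal has to be keyed on the source.
    Returns {ip: sorted accounts that failed from that ip} for any source
    that touched at least min_accounts distinct accounts inside one window.
    """
    by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if len({e["user"] for e in fails[start:end + 1]}) >= min_accounts:
                hits[ip] = sorted({e["user"] for e in fails})
                break
    return hits


def detect_bruteforce(events, window=timedelta(minutes=10), min_failures=5):
    """Brute force: many failures against one account from one source.

    Returns {(user, ip): total failures} for pairs with at least
    min_failures failures inside one window.
    """
    by_key = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_key[(e["user"], e["ip"])].append(e["ts"])
    hits = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_failures:
                hits[key] = len(times)
                break
    return hits


def successes_from_spray_sources(events, spray_hits):
    """Successful sign-ins from a spraying source: the accounts to reset first.

    A success with mfa=False is exactly the coverage gap the text describes,
    typically a service or other non-human account exempted from MFA.
    """
    return [(e["user"], e["ip"], e["mfa"])
            for e in events if e["ok"] and e["ip"] in spray_hits]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    spray = detect_spray(evs)
    print("spray sources:", spray)
    print("brute force:", detect_bruteforce(evs))
    print("post-spray successes (user, ip, mfa):",
          successes_from_spray_sources(evs, spray))
```

Keying spray on the source address is the minimum; real campaigns rotate through proxy or residential IP pools to stay under per-source thresholds, so production logic usually also groups by ASN, user agent or client application, and treats any success from a flagged source as a credential compromise regardless of MFA status.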
Criminal groups are shifting their focus from breaking through digital walls to simply walking through the front door with stolen keys. Information-stealing malware like Lumma and RedLine harvests vast quantities of login credentials, which are then sold on dark web marketplaces. Access brokers specialize in reselling this validated access to ransomware and data extortion syndicates. Intelligence firm Intel 471 identified 368 active access brokers operating over the past year, with victims spanning more than 130 countries.
Ransomware actors are finding new leverage by exploiting hybrid IT environments. Attackers are capitalizing on security exposure that spans both cloud infrastructure and complex supply chains. Approximately one-third of all security incidents originated from neglected vulnerabilities, including unpatched web assets, improperly exposed remote services, and misconfigured perimeter defenses. Close to 18% of attacks began by targeting vulnerable web applications, while another 12% involved the compromise of remote access services.
Security researchers documented an alarming 87% increase in destructive actions within cloud environments, including mass data deletion and ransomware deployment. Hybrid operations, which involve attackers moving between cloud and on-premises systems, now constitute more than 40% of all ransomware incidents, a dramatic increase from less than 5% just two years ago. Attackers exploit configuration errors and weak access controls to pivot seamlessly across different parts of an organization’s digital infrastructure.
Ransomware continues to represent the most frequent and financially damaging threat facing organizations. More than half of all attacks with discernible motives were driven by financial gain, while espionage accounted for only a small fraction of incidents.
Attack methodologies are evolving as well. Threat operators are relying less on traditional phishing emails and turning toward sophisticated social engineering. Voice-based “help desk” scams and impersonation attacks conducted through collaboration platforms like Microsoft Teams have become common initial entry vectors. To maintain persistence and avoid detection, attackers increasingly abuse legitimate remote monitoring and management tools that often blend into normal network traffic.
Nation-state actors are increasingly harnessing AI to supercharge their cyber operations. Adversarial groups are using AI to craft convincing phishing messages, identify system vulnerabilities, and dynamically modify malware behavior. These AI-powered tools significantly reduce the manual effort required to execute attacks, making large-scale offensive campaigns more feasible and efficient.
Simultaneously, AI systems themselves are emerging as attractive targets. Malicious actors employ techniques like prompt injection and training data manipulation to alter model outputs or extract sensitive information. As organizations rapidly adopt AI tools into their workflows, many are overlooking the new attack surfaces these intelligent systems introduce.
State-backed cyber groups continue to escalate their activities globally. China, Iran, Russia, and North Korea remain particularly active, conducting campaigns focused on intelligence gathering, influence operations, and critical infrastructure disruption. The past year witnessed intensified targeting of communications networks, research institutions, and academic organizations, sectors prized for their intellectual property and international connections.
Nation-states are deploying AI not only to scale their operations but also to improve their precision. Influence campaigns now increasingly incorporate synthetic media and deepfake technology to manipulate public narratives in real time. The report also notes growing collaboration between government agencies and private cyber actors, a development that complicates both attribution and defensive responses.
The United States accounted for nearly a quarter of all observed cyber incidents in early 2025, followed by the United Kingdom, Israel, and Germany. Government agencies and technology firms emerged as the most frequently targeted sectors, each representing approximately 17% of global attacks. Research institutions, academic organizations, and non-governmental groups followed closely behind.
These attack patterns demonstrate that adversaries consistently prioritize entities that manage sensitive information or operate essential services. Local government bodies, which often depend on aging legacy systems and maintain limited security teams, remain particularly exposed to these evolving threats.
(Source: HelpNet Security)