Microsoft issues warning over “opportunistic” cyber criminals targeting big business
Microsoft has called on governments to do more to support organizations
More than half of cyber attacks are now motivated by extortion and ransomware, according to Microsoft, with legacy security measures no longer enough to counter the threat.
In its sixth annual Digital Defense Report, the company said attackers sought to steal data, mostly for financial gain, in 80% of the cyber incidents its security teams investigated last year.
"That’s at least 52% of incidents fueled by financial gain, while attacks focused solely on espionage made up just 4%," said Amy Hogan-Burney, CVP for customer security and trust.
"Nation-state threats remain a serious and persistent threat, but most of the immediate attacks organizations face today come from opportunistic criminals looking to make a profit."
Critical public services are a main target, the study noted. Hospitals and local governments, for example, store sensitive data and often have tight cybersecurity budgets with limited incident response capabilities.
Healthcare or other critical organizations, meanwhile, may feel greater pressure to pay a ransom because of the vital importance of their services.
Nation-state hackers are shaking up tactics
While the proportion of attacks by nation-state actors remains low, the number is growing.
China is continuing its broad push across industries to conduct espionage and steal sensitive data, and increasingly attacking non-governmental organizations (NGOs), using covert networks and vulnerable internet-facing devices to gain entry and avoid detection.
Hackers backed by the regime have also become faster at operationalizing newly disclosed vulnerabilities, Microsoft said.
Iran, meanwhile, is going after a wider range of targets than ever before, from the Middle East to North America, including recent attacks on shipping and logistics firms in Europe and the Persian Gulf that gave ongoing access to sensitive commercial data.
Notably, Russia has expanded its range beyond Ukraine, targeting small businesses in countries supporting Ukraine, perhaps viewing them as being easier to access than larger organizations.
North Korean IT workers are a serious problem
Microsoft warned that North Korea remains focused on revenue generation and espionage.
A new tactic involves thousands of state-affiliated North Korean remote IT workers applying for jobs with companies around the world, sending their salaries back to the government as remittances.
Microsoft said that, when discovered, some of these workers have turned to extortion.
"The cyber threats posed by nation-states are becoming more expansive and unpredictable. In addition, the shift by at least some nation-state actors to further leveraging the cybercriminal ecosystem will make attribution even more complicated," warned Hogan-Burney.
"This underscores the need for organizations to stay abreast of the threats to their industries and work with both industry peers and governments to confront the threats posed by nation-state actors."
AI tools are a cyber crime enabler
Advances in automation and readily available off-the-shelf tools have enabled cyber criminals — even those with limited technical expertise — to expand their operations significantly.
The use of AI, meanwhile, has allowed cyber criminals to accelerate malware development and create more realistic synthetic content, improving the efficiency of activities such as phishing and ransomware attacks.
More than 97% of identity attacks are password attacks, with the number surging by 32% in the first half of 2025 alone, mostly through large-scale password guessing via credential leaks.
"However, credential leaks aren’t the only place where attackers can obtain credentials. This year, we saw a surge in the use of infostealer malware by cyber criminals. Infostealers can secretly gather credentials and information about your online accounts, like browser session tokens, at scale," said Hogan-Burney.
"Cyber criminals can then buy this stolen information on cyber crime forums, making it easy for anyone to access accounts for purposes such as the delivery of ransomware."
The report calls on governments to do more to help by building frameworks that signal credible and proportionate consequences for malicious activity that violates international rules.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
