Microsoft logs 600 million identity attacks per day as threat actors collaborate more

Microsoft has said it tracked more than 600 million identity attacks across its 2024 fiscal year, as the firm warns cybercriminals are becoming more collaborative and focused in their attacks.

In its Digital Defense Report 2024, Microsoft noted the rise of identity-based cyber attacks as firms migrate to the cloud and stated that Microsoft Entra data showed 7,000 password attacks were blocked per second in the past year alone, alongside the 600 million figure.

Even as organizations adopt multi-factor authentication (MFA) – 41% of Microsoft’s enterprise customers now use the approach – threat actors are bypassing MFA through attacks on infrastructure and methods like adversary in the middle (AiTM) attacks.

But more than 99% of identity attacks are still password attacks, a definition that includes brute force attacks using stolen passwords and phishing attacks. These are being empowered by new social engineering campaigns, Microsoft noted, emphasizing the need for organizations to switch to passwordless authentication rather than relying on MFA.

While identity-based attacks have risen, the number of successful ransomware attacks across the period fell significantly. Though Microsoft recorded a 2.75x increase in attempted ransomware attacks over the period, driven by groups like Akira, Lockbit, and Play, successful encryption of victim data fell by 3x.

As attack methodology evolves, threat actors are also becoming harder to predict and neatly categorize by motivation.

Cyber attacks tracked by Microsoft increasingly included hybrid warfare, cyber attacks alongside conventional attacks made as part of ongoing conflicts around the world. This included attacks on operational technology (OT) and data compromise on government targets.

Researchers said the past year had also seen state-sponsored threat actors collaborate more closely with cybercriminals than ever before, making the job of determining the motivation for specific attacks harder.

For example, Russia-backed groups have been observed using commodity malware – malicious software that’s freely available for purchase on the dark web – in attacks and outsourcing intelligence-gathering operations to criminal groups.

North Korea-backed groups have long been suspected of providing their ill-gotten gains directly to the state. Microsoft cited UN claims that North Korean groups have stolen a collective $3 billion in cryptocurrency since 2017 to fund the state’s nuclear program, as reported by Reuters.

Microsoft noted that the North Korean group Moonstone Sleet, first identified in May 2024 and only the fourth significant North Korean group tracked by the firm, has also developed its own variant of ransomware dubbed FakePenny, used against targets in aerospace and defense.

While the IT sector accounted for nearly a quarter of all victims (24%), education and research came a close second at 21%. The report’s authors explained that educational institutions can be valuable sources of intelligence, though are largely used as “testing grounds” for new attack methods.

It cited the example of using QR codes as a point of compromise for business email compromise (BEC) attacks, which threat actors began to leverage against victims in the sector in August 2023, ahead of it becoming a popular method against other organizations.

The exception to this rule was Russian groups, which targeted 33% of all attacks across the period against government targets and 15% against think tanks as their activity continued to closely follow the war in Ukraine.

The data was collected between July 2023 and June 2024, Microsoft’s FY24. The firm said it tracked more than 78 trillion security signals per day across the period, up from 65 trillion in 2023 through a combination of billions of Windows endpoints and data from Microsoft Entra, which allow it to build a worldwide security picture.

Internal changes at Microsoft and the potential for AI security

In the overview of the report Igor Tsyganskiy, CISO at Microsoft, noted that he came into his role right before the threat group Midnight Blizzard launched an attack on Microsoft, which he pointed to as motivation to improve the firm’s agility to any future attacks by state-sponsored threat actors.

“To protect Microsoft, our partners, and customers from future attacks, we dramatically grew our teams dedicated to monitoring of and responding to threats,” wrote Tsyganskiy.

Tsyganskiy also created an Office of the CISO, containing multiple Deputy CISOs who each work with select departments and product groups within Microsoft.

In the past few years, Microsoft has put huge investments into AI for security, for use in generative AI tools like Copilot for Security but also for internal security models that protect the firm itself.

In the report, researchers noted that small language models like Phi-3 could be used to sift through corporate data and flag suspicious activity. They also expressed optimism in AI’s potential to identify so-called ‘hands-on-keyboard’ attacks, in which hackers manually infiltrate enterprise systems using compromised identities to camouflage malicious activity.

AI could also be used to produce security reports quicker, converge data from multiple third-party sources to assist cyber researchers or organize unstructured data from previous cybersecurity incidents to help inform new decision-making.