Microsoft logs 600 million identity attacks per day as threat actors collaborate more
A shift to passwordless authentication and greater reliance on AI could help stem the flow of attacks as threat actors arm themselves with better techniques and tools


Microsoft has said it tracked more than 600 million identity attacks across its 2024 fiscal year, as the firm warns cybercriminals are becoming more collaborative and focused in their attacks.
In its Digital Defense Report 2024, Microsoft noted the rise of identity-based cyber attacks as firms migrate to the cloud and stated that Microsoft Entra data showed 7,000 password attacks were blocked per second in the past year alone, alongside the 600 million figure.
Even as organizations adopt multi-factor authentication (MFA) – 41% of Microsoft’s enterprise customers now use the approach – threat actors are bypassing MFA through attacks on infrastructure and methods like adversary-in-the-middle (AiTM) attacks.
But more than 99% of identity attacks are still password attacks, a definition that includes brute force attacks using stolen passwords and phishing attacks. These are being empowered by new social engineering campaigns, Microsoft noted, emphasizing the need for organizations to switch to passwordless authentication rather than relying on MFA.
While identity-based attacks have risen, the number of successful ransomware attacks across the period fell significantly. Though Microsoft recorded a 2.75x increase in attempted ransomware attacks over the period, driven by groups like Akira, Lockbit, and Play, successful encryption of victim data fell by 3x.
As attack methodology evolves, threat actors are also becoming harder to predict and neatly categorize by motivation.
Cyber attacks tracked by Microsoft increasingly formed part of hybrid warfare, in which cyber attacks are made alongside conventional attacks as part of ongoing conflicts around the world. This included attacks on operational technology (OT) and data compromise on government targets.
Researchers said the past year had also seen state-sponsored threat actors collaborate more closely with cybercriminals than ever before, making the job of determining the motivation for specific attacks harder.
For example, Russia-backed groups have been observed using commodity malware – malicious software that’s freely available for purchase on the dark web – in attacks and outsourcing intelligence-gathering operations to criminal groups.
North Korea-backed groups have long been suspected of providing their ill-gotten gains directly to the state. Microsoft cited UN claims that North Korean groups have stolen a collective $3 billion in cryptocurrency since 2017 to fund the state’s nuclear program, as reported by Reuters.
Microsoft noted that the North Korean group Moonstone Sleet, first identified in May 2024 and only the fourth significant North Korean group tracked by the firm, has also developed its own variant of ransomware dubbed FakePenny, used against targets in aerospace and defense.
While the IT sector accounted for nearly a quarter of all victims (24%), education and research came a close second at 21%. The report’s authors explained that educational institutions can be valuable sources of intelligence, though they are largely used as “testing grounds” for new attack methods.
It cited the example of using QR codes as a point of compromise for business email compromise (BEC) attacks, which threat actors began to leverage against victims in the sector in August 2023, ahead of it becoming a popular method against other organizations.
The exception to this rule was Russian groups, which directed 33% of all attacks across the period against government targets and 15% against think tanks as their activity continued to closely follow the war in Ukraine.
The data was collected between July 2023 and June 2024, Microsoft’s FY24. The firm said it tracked more than 78 trillion security signals per day across the period, up from 65 trillion in 2023, through a combination of billions of Windows endpoints and data from Microsoft Entra, which allow it to build a worldwide security picture.
Internal changes at Microsoft and the potential for AI security
In the overview of the report, Igor Tsyganskiy, CISO at Microsoft, noted that he came into his role right before the threat group Midnight Blizzard launched an attack on Microsoft, which he pointed to as motivation to improve the firm’s agility in responding to any future attacks by state-sponsored threat actors.
“To protect Microsoft, our partners, and customers from future attacks, we dramatically grew our teams dedicated to monitoring of and responding to threats,” wrote Tsyganskiy.
Tsyganskiy also created an Office of the CISO, containing multiple Deputy CISOs who each work with select departments and product groups within Microsoft.
In the past few years, Microsoft has invested heavily in AI for security, both for generative AI tools like Copilot for Security and for internal security models that protect the firm itself.
In the report, researchers noted that small language models like Phi-3 could be used to sift through corporate data and flag suspicious activity. They also expressed optimism about AI’s potential to identify so-called ‘hands-on-keyboard’ attacks, in which hackers manually infiltrate enterprise systems using compromised identities to camouflage malicious activity.
AI could also be used to produce security reports more quickly, converge data from multiple third-party sources to assist cyber researchers, or organize unstructured data from previous cybersecurity incidents to help inform new decision-making.
Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.