Summary of the 2024 Microsoft Digital Defense Report – SOCRadar® Cyber Intelligence Inc.

The Microsoft Digital Defense Report 2024 describes a rapidly worsening global threat environment, reporting more than 600 million daily attacks and steep rises in ransomware, phishing, tech scams, DDoS activity, and identity-based fraud. The report also highlights collaboration between cybercrime groups and nation-state actors, the growing adversarial and defensive uses of AI, and specific threats such as Octo Tempest and ransomware variants like Qilin.

Key points

  • Microsoft observed over 600 million cyberattacks per day against its customers in 2024.
  • Ransomware incidents rose 2.75x year-over-year, although fewer attacks reached the encryption stage.
  • Tech support scams surged by 400%, exceeding 100,000 incidents per day in 2024.
  • Phishing increased by 58% and often abused legitimate web services to lure victims.
  • DDoS activity peaked around 4,500 daily attacks in June 2024, with more covert application-layer and application loop attacks emerging.
  • Nation-state actors (e.g., Russia, Iran, North Korea) are collaborating with criminal gangs and leveraging ransomware and espionage tools.
  • Identity attacks remain dominated by password-based methods; attackers increasingly use SIM swapping, MFA fatigue, token theft, and consent phishing to bypass protections.

MITRE Techniques

  • [T1566] Phishing – Used to steal credentials via impersonation and social engineering (‘Attackers use sophisticated impersonation techniques to deceive users into disclosing credentials.’)
  • [T1486] Data Encrypted for Impact / Ransomware – Employed in hybrid attacks that combine cloud and on-premises compromises, deploying variants like Qilin and RansomHub (‘Ransomware attacks are increasingly sophisticated, with groups like Octo Tempest employing hybrid tactics.’)
  • [T1003] Credential Dumping – Post-authentication techniques and token theft undermine accounts after legitimate access is obtained (‘Post-authentication threats like token theft and consent phishing jeopardize accounts after legitimate access is gained.’)
  • [T1498] Network Denial of Service – DDoS campaigns surged and evolved to target application layers and new covert vectors (‘DDoS attacks are surging, with new application-layer threats emerging.’)

Indicators of Compromise

  • [Malware / Ransomware Variants] referenced in attack cases – Qilin, RansomHub, FakePenny (used in targeted ransomware campaigns), and other named variants.
  • [Threat Actor Names] observed in intelligence – Octo Tempest (aka Scattered Spider), nation-state groups linked to Russia, Iran, North Korea, and China — cited for collaboration and targeted campaigns.
  • [Impersonation / Account Abuse] fraud infrastructure examples – impersonation domains and abusive accounts (Microsoft suspended over 64 million abusive accounts), plus references to rapid takedown activity and short-lived malicious infrastructure.

The Microsoft Digital Defense Report 2024 paints a stark portrait of a more complex and active global cyber threat environment. Microsoft reports its customers faced more than 600 million attacks every day, a mixture of phishing, identity-based intrusions, ransomware, DDoS campaigns, and large-scale fraud. Attackers are growing more organized and collaborative: criminal gangs increasingly share access, tools, and techniques with nation-state actors, amplifying both espionage and financially motivated operations. In several documented instances, Russian-affiliated groups outsourced espionage to criminal networks that targeted Ukrainian military systems, Iranian actors leveraged ransomware and stolen data to monetize access, and North Korean actors deployed a bespoke ransomware variant called FakePenny against aerospace and defense organizations.

Ransomware remains a major concern, growing 2.75 times year-over-year even though a smaller proportion of incidents reached actual encryption in 2024. Threat groups such as Octo Tempest (also known as Scattered Spider) exemplify modern tactics: hybrid campaigns that blend social engineering, SIM swapping, adversary-in-the-middle (AiTM) techniques, and lateral movement across both cloud and on-premises environments, before delivering payloads like Qilin and RansomHub. Tech support scams and related fraud exploded as well, with tech scams increasing by 400% to over 100,000 incidents per day, while total fraud losses approached $1 trillion globally in 2023. Phishing climbed roughly 58%, with attackers increasingly leveraging legitimate web services and new carriers like QR codes to obscure malicious links.

Identity attacks continue to dominate, driven largely by predictable human behavior: reused or weak passwords, breach replay, and credential stuffing. Over 99% of identity attacks exploit passwords, yet adversaries are also evolving to defeat stronger controls. Tactics such as SIM swapping, MFA fatigue, token theft, and consent phishing are being used to bypass or undermine multi-factor authentication. Post-authentication compromises and stealthy infrastructure takeovers — often linked to nation-state campaigns — further complicate defenses. In response, the report stresses enforcing MFA, applying zero trust principles, and elevating identity protection as a primary security boundary.

DDoS operations have intensified in both volume and sophistication. Activity ramped up from mid-March 2024 and peaked near 4,500 daily incidents in June, with attacks increasingly targeting the application layer and exploiting protocol weaknesses. Emerging “application loop” attacks manipulate protocols like DNS and NTP to force servers into endless error exchanges, crippling systems with minimal traffic. These low-volume, high-impact vectors are harder to detect and mitigate than traditional volumetric floods. Sectors such as online gaming in India, along with finance and technology globally, have seen notable targeting, often driven by hacktivist activity.

AI is appearing on both sides of the equation. Nation-states have experimented with AI-generated imagery and audio for influence campaigns, while cybercriminals are also testing generative capabilities to scale and refine social engineering. Conversely, defenders are deploying AI and machine learning to accelerate detection, reduce alert fatigue, and identify anomalous transaction patterns that signal fraud. The report urges organizations to adopt integrated, threat-informed defenses that combine continuous visibility, data classification and labeling, data loss prevention, and dynamic policies that adapt to user risk. A strong security posture relies on consolidated telemetry across cloud, on-premises, and identity assets and on leadership-driven accountability to prioritize security without fostering a blame culture.

Microsoft’s Secure Future Initiative and the concept of threat-informed defense are highlighted as strategic responses, encouraging organizations to model attacker behavior, map likely attack paths, and focus remediation on the most critical assets. Practical recommendations include limiting public exposure of applications, combining network DDoS protections with web application firewalls, conducting regular DDoS simulations, enforcing robust identity controls, and using AI thoughtfully for both governance and defense. The report also emphasizes industry collaboration and law enforcement partnerships to disrupt fraud and abusive infrastructure; Microsoft cites suspending more than 64 million abusive accounts and supporting major enforcement actions.

To help operationalize these recommendations, SOCRadar’s capabilities are presented as complementary: Dark Web Monitoring to track underground chatter and leaked data, Threat Actor Intelligence for behavioral analysis, DoS Resilience to evaluate domain and subnet resistance to DoS, Digital Risk Protection for brand and impersonation monitoring, and Extended Threat Intelligence (XTI) for real-time insights into emerging campaigns. Together, these tools aim to give organizations earlier warnings and more context so they can enact targeted defenses.

In conclusion, the Microsoft Digital Defense Report 2024 makes clear that cyber threats are growing in scale, sophistication, and coordination, blending nation-state objectives with criminal profit motives and leveraging advances like generative AI. Organizations must respond with layered, threat-informed strategies that prioritize identity security, data governance, application resilience, and cross-sector collaboration to reduce risk and improve incident response readiness. Read more: https://socradar.io/an-overview-of-microsoft-digital-defense-report-2024/