Microsoft’s latest Digital Defense Report 2025 reveals that the majority of cyberattacks observed worldwide are driven by financial motives rather than espionage or sabotage. The findings highlight how organized criminal groups are exploiting vulnerabilities in both public and private sectors to generate profit, often through ransomware, credential theft, and data extortion.
According to Microsoft, financially motivated activity accounts for nearly three-quarters of all attacks it analyzed between June 2023 and June 2024. The report draws from data gathered across Microsoft’s global threat intelligence network, which monitors more than 78 trillion security signals daily.
The report shows that financial cybercrime continues to surpass state-sponsored operations in both scale and frequency. Ransomware and information theft remain the leading attack methods. These operations often begin with phishing campaigns or the exploitation of unpatched software vulnerabilities before progressing to the theft or encryption of valuable data.
Microsoft observed that attackers have shifted toward shorter, more targeted ransomware campaigns designed to pressure victims into paying quickly. Criminal groups are also increasingly adopting “ransomware-as-a-service” models, which allow less technically skilled actors to purchase access to ready-made attack tools.
The report emphasizes that financial crime networks are now structured more like traditional businesses. They have hierarchies, supply chains, and customer-support-style communication systems to coordinate payments and negotiations.
Rise in credential theft and social engineering
Beyond ransomware, credential theft and social engineering represent a growing share of financially motivated attacks. Microsoft notes that identity-based threats have become a critical weak point across organizations. Attackers frequently exploit human error by sending convincing phishing messages, using fake login portals, or launching voice-based scams designed to steal credentials.
Once attackers gain access to valid accounts, they can bypass security tools and move laterally through networks undetected. The report warns that this trend continues to expand despite increased adoption of multi-factor authentication, suggesting that criminals are evolving their techniques faster than many organizations can adapt.
Microsoft also observed an increase in “data brokers” within the cybercrime ecosystem. These actors specialize in selling stolen credentials and access to compromised networks, providing an entry point for ransomware operators and fraud groups.
State-sponsored activity continues, but focuses on disruption
While financially motivated cybercrime dominates, state-sponsored attacks remain a serious concern. According to Microsoft’s findings, espionage and information operations are becoming more sophisticated, particularly those linked to Russia, China, Iran, and North Korea.
These campaigns often target government agencies, energy infrastructure, and telecommunications networks. Microsoft reports that some operations aim to gather intelligence, while others are intended to cause disruption or confusion, particularly during geopolitical conflicts or elections.
The company’s analysts note that cyber operations connected to geopolitical tension are increasingly tied to online disinformation efforts, which aim to manipulate public perception through coordinated campaigns on social media.
Artificial intelligence in cyber operations
The 2025 report underscores how artificial intelligence is changing both offensive and defensive cyber strategies. Criminals are using AI tools to craft more persuasive phishing emails, automate credential theft, and develop deepfake content that enhances social engineering tactics.
At the same time, defenders are deploying AI-driven analytics to detect anomalies faster and predict potential breaches. Microsoft highlights that AI can help security teams process massive amounts of data in real time, improving incident response and reducing detection delays.
However, the report also warns that reliance on AI must be balanced with human oversight. Automated systems alone cannot always distinguish between legitimate and malicious activity, especially when attackers deliberately mimic normal user behavior.
Microsoft’s recommendations for defense
To combat the increasing scale and sophistication of financially motivated attacks, Microsoft advises organizations to focus on identity protection, vulnerability management, and employee awareness. The company recommends implementing multi-factor authentication across all accounts, patching systems promptly, and reducing administrative privileges to limit exposure.
Training staff to recognize phishing attempts remains one of the most effective defenses. Microsoft also suggests adopting a “zero trust” security model, which assumes that every access request could be malicious until verified.
In addition, the report stresses the need for global cooperation between governments, private companies, and cybersecurity researchers. Collaboration allows for faster information sharing and coordinated responses to large-scale cybercrime operations.
The growing cost of cybercrime
Microsoft estimates that the economic cost of cybercrime will continue to rise sharply in the coming years, driven by the increasing professionalism of criminal networks and the expansion of digital infrastructure. The company notes that while state-backed threats attract public attention, financially motivated groups cause the most widespread harm to individuals and businesses alike.
The report concludes that cybersecurity resilience depends on constant vigilance, investment in prevention, and the development of adaptive defense systems. With attackers refining their methods daily, organizations must treat cybersecurity not as a project but as an ongoing process that evolves with technology and human behavior.