The Evolving Threat Landscape: Insights from the latest Microsoft Digital Defence Report
The cyber security landscape has changed dramatically in 2024, with organisations facing new challenges every day. If this year’s Microsoft Digital Defence Report highlights anything, it’s that the traditional boundaries between different types of threats no longer exist, and that attacks have reached over 600 million per day.
“The malign actors of the world are becoming better resourced and better prepared, with increasingly sophisticated tactics, techniques, and tools that challenge even the world’s best cybersecurity defenders.” – Microsoft Digital Defence Report 2024
For those looking for a high-level overview of this year’s Digital Defence Report, keep reading for my key takeaways.
The Convergence of State & Criminal Activities
Perhaps the most significant development in today’s threat landscape is the growing collaboration between state-sponsored actors and cybercriminal groups.
“This year, state-affiliated threat actors increasingly used criminal tools and tactics – and even criminals themselves – to advance their interests, blurring the lines between nation-state backed malign activity and cybercriminal activity.” – Microsoft Digital Defence Report 2024
This alliance has created a powerful combination of sophisticated nation-state capabilities with the agility and deniability of criminal enterprises.
North Korean threat actors exemplify this evolution, having orchestrated cryptocurrency heists totalling between $600 million and $1 billion in 2023 alone. These operations have reportedly funded over half of North Korea’s nuclear and missile programs, demonstrating how cybercrime now directly supports state objectives.
Russian threat actors have similarly transformed their approach, integrating commodity malware into their operations and apparently outsourcing certain cyberespionage activities to criminal groups. A notable example emerged between June and July 2023, when the FSB-attributed group Aqua Blizzard transferred access to 34 compromised Ukrainian devices to the cybercriminal group Storm-0593 (Invisimole).
Iranian threat actors have also joined this trend, shifting from purely destructive operations to financially motivated attacks. Their cyber-enabled influence operations now include monetary components, such as selling stolen data and offering removal services for compromised information.
The Ransomware Evolution
“Ransomware remains one of the most serious cybersecurity concerns.” – Microsoft Digital Defence Report 2024
The ransomware landscape has grown significantly more sophisticated, with a 2.75x increase in human-operated ransomware encounters compared to the previous year. Modern ransomware attacks have evolved into hybrid operations, simultaneously targeting both on-premises and cloud assets.
These attacks are especially dangerous because they target unmanaged devices with high success rates. Over 90% of successful attacks used these devices to either gain initial access or encrypt data remotely. The main ransomware groups – Akira, Lockbit, Play, Blackcat, and Basta – have quickly adapted their methods, proving that even familiar attack techniques still work well despite increased cybersecurity awareness.
It’s also worth noting that after breaching an organisation, ransomware operators often start by tampering with its security tooling. By disabling or interfering with these defences, attackers gain additional time to deploy malicious tools, extract data for espionage or extortion, and eventually launch the ransomware itself. Microsoft has observed a high volume of attacks where antivirus systems are tampered with: in May 2024 alone, Microsoft Defender XDR identified over 176,000 incidents involving security setting tampering, affecting more than 5,600 organisations.
The Fraud Explosion
The scale of cyber-enabled fraud has reached staggering proportions, with global scam losses exceeding $1 trillion in 2023. Companies lost an average of 1.5% of their profits to fraud, while consumer losses reached $8.8 billion – a 30% increase from the previous year.
This surge in fraud activities has been accompanied by increasingly sophisticated tactics.
“Organisations face a barrage of scams, such as payment and quick response (QR) code fraud, business email compromise (BEC), AiTM, video phishing, and investment scam techniques such as ‘pig butchering.’” – Microsoft Digital Defence Report 2024
The integration of deepfake technology for voice and video impersonation has added another layer of complexity to these fraudulent operations.
Let’s explore some of these TTPs below.
The New Age of Phishing and Social Engineering: The landscape of phishing and social engineering has undergone a radical transformation, becoming significantly more sophisticated and harder to detect. Traditional email-based phishing attacks remain prevalent, but they’ve evolved into highly targeted, multi-channel campaigns that combine various technologies and psychological manipulation techniques.
QR Code Phishing – A Rising Threat: One of the most notable emerging threats is the surge in QR code phishing, or “quishing.” Since the pandemic normalised QR code usage, threat actors have seized upon this trusted technology. Around mid-September 2023, Microsoft observed a significant spike in these attacks, which present unique challenges for security providers as the malicious content appears as an innocent image during mail flow. These QR codes typically redirect users to sophisticated phishing pages that often incorporate Adversary-in-the-Middle (AiTM) capabilities, allowing attackers to bypass traditional multi-factor authentication. While Microsoft’s defensive technologies managed to reduce these attacks by 94% between October 2023 and March 2024, threat actors quickly adapted, developing new variations including coloured barcodes and innovative delivery methods.
Business Email Compromise: Evolution of Techniques: Business Email Compromise (BEC) continues to be one of the most financially damaging threats, with attacks becoming increasingly sophisticated. Modern BEC attacks now frequently employ what security researchers call “low and slow” tactics, where attackers discreetly read only two to five emails daily and sparingly access cloud storage to avoid detection.
A concerning trend is the rise of conversation hijacking, where attackers compromise legitimate email accounts and inject themselves into existing email threads. By maintaining the sender’s display name but using a similar-looking domain, they can conduct highly convincing financially motivated scams.
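The conversation-hijacking pattern above (a familiar display name on a near-miss domain) is something mail filtering can check for directly. The following is an added illustration, not code from this post or from Microsoft; the thread participants and inbound messages are constructed sample data.

```python
from difflib import SequenceMatcher

# Constructed sample data (illustrative only, not from the report): the legitimate
# participants of an existing email thread, keyed by display name, with the domain
# each of them genuinely sends from.
THREAD_PARTICIPANTS = {
    "Alice Turner": "contoso-supplies.com",
    "Bob Reyes": "example-finance.co.uk",
}

# Single characters that look alike in common fonts; multi-character swaps such
# as "rn" for "m" are handled in normalise_domain().
_CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise_domain(domain: str) -> str:
    """Fold a domain into a canonical form so that visual look-alikes compare equal."""
    folded = domain.lower().strip().translate(_CONFUSABLE_CHARS)
    folded = folded.replace("rn", "m").replace("vv", "w")
    return folded.replace("-", "")


def is_lookalike(candidate: str, legitimate: str, threshold: float = 0.8) -> bool:
    """True when candidate differs from the legitimate domain but could be mistaken for it."""
    candidate, legitimate = candidate.lower(), legitimate.lower()
    if candidate == legitimate:
        return False
    if normalise_domain(candidate) == normalise_domain(legitimate):
        return True
    # Similarity check catches TLD swaps (".co" for ".com") and
    # single-character insertions or deletions.
    return SequenceMatcher(None, candidate, legitimate).ratio() >= threshold


def classify_sender(display_name: str, from_address: str) -> str:
    """Check one inbound message against the thread's known participants.

    Returns "ok", "lookalike-domain", "display-name-mismatch" or "unknown-sender".
    """
    if "@" not in from_address:
        return "unknown-sender"
    domain = from_address.rsplit("@", 1)[1].lower()
    expected = THREAD_PARTICIPANTS.get(display_name)
    if expected is None:
        return "unknown-sender"
    if domain == expected:
        return "ok"
    if is_lookalike(domain, expected):
        return "lookalike-domain"
    return "display-name-mismatch"


if __name__ == "__main__":
    # Constructed messages: one genuine reply and several hijack attempts.
    samples = [
        ("Alice Turner", "alice.turner@contoso-supplies.com"),
        ("Alice Turner", "alice.turner@contoso-supp1ies.com"),
        ("Alice Turner", "alice.turner@contoso-supplies.co"),
        ("Bob Reyes", "bob.reyes@exarnple-finance.co.uk"),
        ("Bob Reyes", "bob.reyes@webmail-example.net"),
        ("Carol Ng", "carol@contoso-supplies.com"),
    ]
    for name, addr in samples:
        print(f"{name:<13} {addr:<40} {classify_sender(name, addr)}")
```

A production check would also compare the Reply-To header and the thread's Message-ID chain, which the sample omits.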
The MFA Bypass Revolution: As organisations have widely adopted multi-factor authentication, threat actors have developed innovative ways to circumvent these protections. A recent worrying trend is the misuse of legitimate applications for malicious purposes. Threat actors have been observed abusing trusted tools such as PerfectData Software for mailbox exfiltration, Newsletter Software Supermailer for lateral phishing attacks, and eMClient for covert data theft.
The sophistication of these attacks extends to inbox rule manipulation through API/App usage, post-compromise device registration, and token theft operations, which have grown to approximately 39,000 incidents per day. These tools are harder to detect as malicious since they’re legitimate applications being used in ways that appear normal to most security systems.
The Rise of Social Engineering 2.0
“Regardless of the technique, social engineering remains a constant threat that ultimately cannot be fully mitigated via technology. Training and education, both at the helpdesk and user level, is central to preventing successful social engineering attacks.” – Microsoft Digital Defence Report 2024
A big takeaway from this report is that modern social engineering attacks have become highly personalised, often leveraging local languages and targeting specific departments with customised themes. Let’s explore some of the key social engineering TTPs noted in the Microsoft Digital Defence Report, below:
Phishing on Teams and Skype: A rise in phishing through collaboration tools like Teams and Skype has been observed, with attackers using compromised tenants to send malicious links and requests for MFA credentials. Notably, in early 2024, the group “Midnight Blizzard” impersonated Microsoft Security, using phishing links to harvest credentials, and deploying QR codes to direct users to credential-harvesting sites.
SIM Swapping: With MFA adoption, attackers have turned to SIM swapping: convincing mobile carriers to transfer a victim’s SIM to the attacker’s device, enabling interception of MFA codes. Deepfake technology adds another level of complexity by enabling attackers to impersonate the voices or images of trusted service teams, making the social engineering even more convincing.
Advanced AiTM Phishing and PhaaS Services: Microsoft reports a high volume of credential phishing, with AiTM (adversary-in-the-middle) phishing platforms like Caffeine (rebranded to ONNX) and Tycoon being among the most active. PhaaS (Phishing-as-a-Service) platforms automate phishing for criminals, offering customisable templates and domain flexibility to evade detection. Common attack vectors include HTML and PDF attachments with links to phishing pages, sometimes obscured through legitimate file-sharing services.
It’s clear that malicious actors are increasingly using complex deception techniques to establish legitimacy and bypass traditional security controls, highlighting how education at the user level is absolutely crucial.
AI-Enabled Threats: The New Frontier
“We are at the start of what could become one of the most transformative technological eras in modern history. Much has been said and written about how AI can have a significant effect on every industry, but the impact it can have on how businesses secure their most important data and assets in the face of ever-increasing cybersecurity threats will be one of the most critical uses of this technology.” – Microsoft Digital Defence Report
The integration of artificial intelligence into cyber attacks represents perhaps the most significant evolution in the threat landscape this year. What makes these threats so concerning is their ability to scale traditionally manual operations while simultaneously making them more convincing and harder to detect.
Sophisticated AI-Enabled Human Targeting
The traditional approach to targeting high-value individuals within organisations has been transformed by AI capabilities. Where threat actors once spent months researching their targets, AI now performs this task in minutes, analysing vast amounts of publicly available information to create detailed profiles of potential victims.
What makes this especially dangerous is that AI doesn’t make the common mistakes that human attackers do. There are no spelling errors, no grammatical mistakes, and none of the obvious signs of social engineering that employees have been trained to spot. The communications are fluent, contextually appropriate, and often indistinguishable from legitimate business correspondence.
The sophistication of deepfake technology has reached a point where it poses a serious threat to traditional verification methods. Threat actors have developed capabilities that allow them to create real-time deepfake video and voice content for live interactions, making their impersonation attempts increasingly difficult to detect. They are now able to generate convincing social media profiles that impersonate known contacts with unprecedented accuracy.
More concerning still, these criminals can deploy AI bots that maintain seemingly authentic conversations with targets before human attackers take over for the final stages of their operations. Perhaps most alarming is their ability to produce evidence so convincing that even when victims suspect they’re being manipulated, they might comply with demands simply to avoid potential embarrassment if the supposed evidence were made public. This evolution in deepfake capabilities represents a significant shift in the social engineering landscape.
Nation-State Influence Operations
The landscape of nation-state attacks has evolved significantly, with major powers increasingly leveraging AI and sophisticated cyber techniques for influence operations. The integration of advanced technologies has transformed the way state actors conduct their campaigns, making them more convincing and harder to detect than ever before.
Chinese influence operations have notably shifted towards sophisticated AI-generated visual content. The threat actor Taizi Flood operates across 175 websites in 58 languages, creating compelling visual narratives designed to shape public opinion. Their operations have included generating fake imagery of natural disasters and protests to support specific geopolitical narratives.
Russian operators have focused heavily on audio manipulation, demonstrating particular success in election interference. A notable example occurred just before Slovakia’s 2023 election, where AI-generated audio of a pro-Western party leader discussing election rigging was strategically released. The sophistication of these operations has increased, with actors now creating complete fake documentaries featuring AI-generated voices of prominent figures.
Iranian operators, while initially slower to adopt AI technologies, have begun incorporating AI-generated content into their influence campaigns, particularly in operations targeting Israel. Their operations have included disrupting streaming services with AI-generated news anchors and creating multilingual threatening messages enhanced by AI technologies.
The Evolution of DDoS Attacks
The Distributed Denial of Service (DDoS) landscape has undergone a significant transformation in 2024, with attacks becoming both more numerous and more sophisticated. Microsoft’s data reveals a staggering 1.25 million DDoS attacks mitigated in just the second half of the year, a fourfold increase compared to the previous year.
Perhaps most concerning is the emergence of more stealthy, sophisticated application-layer attacks. Unlike traditional volumetric DDoS attacks, these new variants target specific vulnerabilities in web applications, making them harder to detect and mitigate. By June 2024, security teams were dealing with approximately 4,500 attacks per day, with a significant portion targeting medium-sized applications that often lack robust DDoS protection.
A worrying development is the emergence of “loop attacks,” a new vulnerability affecting application-layer protocols that rely on UDP. According to the Helmholtz Centre for Information Security, this threat could potentially impact 300,000 application servers worldwide. Unlike traditional DDoS attacks, loop attacks create an endless cycle of error messages between servers, leading to service degradation without the typical signs of a DDoS attack.
“The loop attack is a stark reminder of the vulnerabilities that exist within our network protocols. It highlights the need for continuous vigilance and the development of robust security measures to protect against such sophisticated threats.” – Microsoft Digital Defence Report
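To make the loop mechanism concrete, here is a small in-process simulation (added here; not code from the report or from the researchers who described the issue) of two UDP-style application services. The vulnerable version answers every unrecognised datagram, including an error message, with another error, so two such servers keep each other busy indefinitely; the hardened version still reports genuinely bad input but never replies to an error. Service names, message formats and the datagram cap are constructed for the example.

```python
from collections import deque

ERROR_PREFIX = "ERR "


class UdpService:
    """Minimal model of an application-layer UDP service (constructed for illustration).

    ignore_errors=False reproduces the vulnerable behaviour: any unrecognised
    datagram, including an error message, is answered with an error.
    ignore_errors=True is the hardened behaviour: errors are never answered.
    """

    def __init__(self, name: str, ignore_errors: bool):
        self.name = name
        self.ignore_errors = ignore_errors
        self.sent = 0

    def handle(self, payload: str):
        """Return the datagram to send back, or None to stay silent."""
        if payload == "PING":            # a valid request gets a valid reply
            self.sent += 1
            return "PONG"
        if payload == "PONG":            # a valid reply needs no further response
            return None
        if self.ignore_errors and payload.startswith(ERROR_PREFIX):
            return None                  # hardened: never answer an error with an error
        self.sent += 1                   # vulnerable: complain about anything else
        return ERROR_PREFIX + "unrecognised message"


def simulate(a: UdpService, b: UdpService, first_payload: str, max_datagrams: int = 1000) -> int:
    """Deliver first_payload to a as if it came from b; count datagrams until silence or cap."""
    queue = deque([(a, b, first_payload)])
    total = 0
    while queue and total < max_datagrams:
        receiver, sender, payload = queue.popleft()
        reply = receiver.handle(payload)
        if reply is not None:
            total += 1
            queue.append((sender, receiver, reply))   # the reply goes back the other way
    return total


def loops_forever(a: UdpService, b: UdpService, first_payload: str, cap: int = 1000) -> bool:
    """True when the exchange only stops because the datagram cap was reached."""
    return simulate(a, b, first_payload, cap) >= cap


if __name__ == "__main__":
    print("vulnerable pair:", simulate(UdpService("A", False), UdpService("B", False), "ERR seed"))
    print("hardened pair:  ", simulate(UdpService("A", True), UdpService("B", True), "ERR seed"))
    print("mixed pair:     ", simulate(UdpService("A", False), UdpService("B", True), "ERR seed"))
```

Note that hardening either end of the pair is enough to break the cycle, which is why patching the servers you operate helps even when the peers you talk to are out of your control.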
Critical Infrastructure Under Siege
“Threat actors are now exploiting OT devices to do everything from accessing critical and operational networks, to enabling lateral movement, establishing a foothold in a supply chain, or disrupting the target’s OT operations.” – Microsoft Digital Defence Report
The targeting of operational technology has intensified significantly since late 2023. What makes this concerning is the fundamental insecurity of many OT systems: devices often running with default passwords, no passwords at all, or years-old unpatched vulnerabilities.
Internet-exposed OT equipment in water and wastewater systems (WWS) has become a prime target, with multiple nation-state-backed actors, including the IRGC-affiliated CyberAv3ngers and pro-Russian hacktivists, launching coordinated attacks. These operations often serve dual purposes: disrupting critical infrastructure while simultaneously sending political messages.
The vulnerability of Industrial Control Systems (ICS) has become particularly apparent, with attacks targeting power management systems, building automation systems, electrical power monitoring systems, battery monitoring systems, and environmental control systems. What makes these attacks dangerous is their potential to cause physical damage beyond mere digital disruption. A successful attack on these systems could lead to equipment failure, environmental disasters, or even threats to human life.
Emerging Attack Patterns & Technical Evolution
“Threat actors prey on unaddressed technical debt, outdated security controls, and shadow IT… If there is a weak point in your system, threat actors are going to find it.” – Microsoft Digital Defence Report
The sophistication of modern cyber-attacks has reached new heights, with threat actors demonstrating unprecedented levels of technical capability and operational persistence. One of the most concerning trends is threat actors’ increasing focus on exploiting technical debt within organisations. Rather than targeting well-protected core systems, attackers are seeking out forgotten or poorly maintained infrastructure, including legacy authentication protocols, abandoned development environments, and unmonitored cloud resources.
A new and particularly dangerous trend involves attacks targeting identity infrastructure itself. These sophisticated operations, previously associated mainly with nation-state actors, are now being adopted by criminal groups. What makes these attacks especially concerning is how difficult they are to detect without careful configuration monitoring and advanced threat detection capabilities. In a typical scenario, attackers infiltrate the organisation’s infrastructure, make subtle changes to maintain persistence, steal credentials to impersonate non-human identities, temporarily elevate permissions to create new credentials, and return systems to their previous state to avoid detection.
The report also reveals a disturbing trend in the targeting of cloud assets, with attackers demonstrating increasingly sophisticated understanding of cloud architectures. Microsoft’s analysis found that only 2.6% of workload identity permissions were actually used, while 51% of workload identities were completely inactive – creating a vast attack surface for motivated threat actors.
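A least-privilege review of workload identities is the practical response to those two figures: measure how much of what is granted is actually used, find identities that have gone quiet, and turn the result into concrete clean-up actions. The following is an added example, not code from the report or from any vendor tool; the identity inventory is constructed sample data and the 90-day inactivity window is an assumed policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Fixed reference date so the example is reproducible.
TODAY = date(2024, 10, 1)


@dataclass
class WorkloadIdentity:
    name: str
    granted: Set[str]               # permissions assigned to the identity
    used: Set[str]                  # permissions actually exercised in the review window
    last_activity: Optional[date]   # None means the identity has never signed in


# Constructed sample inventory (illustrative values, not data from the report).
SAMPLE_INVENTORY: List[WorkloadIdentity] = [
    WorkloadIdentity("ci-deployer",
                     {"storage.write", "storage.read", "vm.start", "vm.delete", "kv.read"},
                     {"storage.write", "storage.read"}, TODAY - timedelta(days=2)),
    WorkloadIdentity("legacy-report-job", {"sql.read", "sql.write", "storage.read"},
                     set(), TODAY - timedelta(days=400)),
    WorkloadIdentity("temp-migration", {"sql.admin", "storage.admin"}, set(), None),
    WorkloadIdentity("monitoring-agent", {"metrics.write", "logs.write"},
                     {"metrics.write", "logs.write"}, TODAY),
]


def is_inactive(identity: WorkloadIdentity, inactive_days: int = 90) -> bool:
    """An identity is inactive if it never signed in or has not within the window."""
    if identity.last_activity is None:
        return True
    return (TODAY - identity.last_activity).days > inactive_days


def review(identities: List[WorkloadIdentity], inactive_days: int = 90) -> Dict:
    """Compute the two report-style ratios and a per-identity least-privilege action list."""
    granted_total = sum(len(i.granted) for i in identities)
    used_total = sum(len(i.granted & i.used) for i in identities)
    inactive = [i.name for i in identities if is_inactive(i, inactive_days)]

    actions: Dict[str, str] = {}
    for i in identities:
        if i.name in inactive:
            # An unused identity keeps every permission it holds: disable it first.
            actions[i.name] = "disable identity: no activity in review window"
        elif i.granted - i.used:
            unused = ", ".join(sorted(i.granted - i.used))
            actions[i.name] = f"remove unused permissions: {unused}"

    return {
        "permission_use_pct": round(100.0 * used_total / granted_total, 1) if granted_total else 0.0,
        "inactive_identity_pct": round(100.0 * len(inactive) / len(identities), 1) if identities else 0.0,
        "inactive": inactive,
        "actions": actions,
    }


if __name__ == "__main__":
    result = review(SAMPLE_INVENTORY)
    print(f"permissions used: {result['permission_use_pct']}%  "
          f"inactive identities: {result['inactive_identity_pct']}%")
    for name, action in result["actions"].items():
        print(f"  {name}: {action}")
```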
Future Threat Predictions & Emerging Concerns
As we analyse the trends from Microsoft’s comprehensive report, several concerning patterns emerge that are likely to shape the threat landscape in the coming months and years.
For me, there are two clear concerns moving into 2025.
AI: The democratisation of AI tools presents perhaps the most significant shift in the threat landscape. While current AI-enabled attacks are sophisticated, we’re only seeing the beginning of what’s possible. Threat actors are expected to leverage AI in increasingly creative ways, from automated vulnerability discovery to real-time attack adaptation based on defensive responses.
Sophisticated Human-Operated Attacks: Crucially, human-operated attacks are becoming increasingly sophisticated, with attackers demonstrating patience and precision in their operations. The traditional “smash and grab” approach is being replaced by more methodical, long-term operations that might take months to execute but yield significantly greater rewards. Microsoft’s data suggests that the time from initial compromise to actual attack execution is shortening dramatically. In advanced human-operated ransomware attacks, the average time from initial alert to encryption event is now just 16 hours – a window that continues to shrink.
While technological defences continue to evolve, the human element remains both the greatest vulnerability and the strongest potential defence in cybersecurity.
The protection of identity has emerged as the new perimeter in cybersecurity. With traditional network boundaries becoming increasingly fluid, organisations must prioritise robust identity protection measures, including regular access reviews, strict privilege management, and continuous monitoring of identity-related activities. This must be coupled with evolved employee training that goes beyond simple phishing awareness to address deepfakes, AI-generated content, and sophisticated social engineering tactics.
Successful security operations in 2025 and beyond will depend on combining strong technical controls with practical, ongoing user training. Organisations need to recognise that security is a shared responsibility, requiring both robust systems and well-prepared employees.
For those that want to read the full report, you can explore the Microsoft Digital Defence Report here.