Microsoft’s Digital Defense Report 2025 landed at the end of last year, and honestly, if you haven’t read it yet, you should. Not because it’s particularly uplifting reading, but because it shows exactly where we are: threats are accelerating faster than most organizations can keep up with, and the gap between knowing what to do and actually doing it keeps widening.

The report draws on the more than 100 trillion security signals Microsoft processes daily. That scale alone tells you something. But what really matters are the patterns emerging from all that data. Let me break down what matters for those of us making decisions at the board and leadership level.

The money trail tells the real story

Here’s the number that should wake everyone up: over 52% of cyberattacks with known motives are driven by extortion or ransomware, while attacks focused solely on espionage make up just 4%.

This isn’t about nation-states stealing secrets anymore. It’s about criminals making money. And they’re damn good at it.

In 80% of the cyber incidents investigated last year, attackers sought to steal data, driven more by financial gain than intelligence gathering. Think about that for a second. Four out of five incidents are about stealing your data to make money off it. Not to spy on you. To monetize you.

The uncomfortable truth is that cybercrime has become industrialized. Advances in automation and readily available off-the-shelf tools have enabled cybercriminals, even those with limited technical expertise, to expand their operations significantly. You don’t need to be a technical genius anymore to launch attacks. You just need money to buy the tools and the willingness to use them.

They’re not breaking in, they’re logging in

Want to know the most frustrating statistic in the entire report? More than 97% of identity attacks are password attacks, and identity-based attacks surged by 32% in the first half of 2025 alone.

We’re not talking about sophisticated zero-day exploits or advanced persistent threats here. We’re talking about attackers using stolen or guessed passwords to walk right through the front door.

Infostealers can secretly gather credentials and information about online accounts, like browser session tokens, at scale. Cybercriminals can then buy this stolen information on cybercrime forums, making it easy for anyone to access accounts.

The solution? It’s embarrassingly simple. Phishing-resistant multifactor authentication can stop over 99% of these attacks even if the attacker has the correct username and password combination.

Yet here we are in 2025, still having conversations about whether to enforce MFA everywhere. Still making exceptions for certain users or systems because it’s “inconvenient.” If this isn’t fixed in your organization yet, it needs to be your top priority. Not next quarter. Now.

Who’s getting hit and why it matters

The report shows clear patterns in who gets targeted and why. Hospitals and local governments are targets because they store sensitive data or have tight cybersecurity budgets with limited incident response capabilities, often resulting in outdated software.

This isn’t theoretical. In the past year, cyberattacks on these sectors had real-world consequences, including delayed emergency medical care, disrupted emergency services, canceled school classes, and halted transportation systems.

Ransomware actors know exactly what they’re doing. They target organizations that have no choice but to respond quickly. A hospital with encrypted systems can’t wait days to resolve the issue. People could die. That’s leverage, and criminals exploit it ruthlessly.

Even if you’re not in a critical sector, pay attention to this. The tactics work, so they spread. What works against hospitals today will be used against other industries tomorrow.

Nation-states are evolving too

While criminals are the bigger threat by volume, nation-state actors haven’t gone anywhere. They’ve just gotten more creative.

China is continuing its broad push across industries to conduct espionage and steal sensitive data, increasingly attacking non-governmental organizations to expand its insights and using covert networks and vulnerable internet-facing devices to gain entry.

Iran is going after a wider range of targets than ever before, from the Middle East to North America, as part of broadening espionage operations. Recently, three Iranian state-affiliated actors attacked shipping and logistics firms in Europe and the Persian Gulf.

Russia, while still focused on the war in Ukraine, has expanded its targets. Outside of Ukraine, the top ten countries most affected by Russian cyber activity all belong to NATO, a 25% increase compared to last year.

And then there’s North Korea with perhaps the strangest twist. Thousands of state-affiliated North Korean remote IT workers have applied for jobs with companies around the world, sending their salaries back to the government as remittances. When discovered, some of these workers have turned to extortion.

Yes, you read that right. North Korea is placing remote workers in companies globally, and when they’re caught, they extort their former employers. It’s creative, I’ll give them that.

AI is changing the game for everyone

Over the past year, both attackers and defenders harnessed the power of generative AI. Threat actors are using AI to boost their attacks by automating phishing, scaling social engineering, creating synthetic media, finding vulnerabilities faster, and creating malware that can adapt itself.

This is the part that keeps security professionals up at night. AI doesn’t just make attacks more efficient. It makes them scalable in ways that weren’t possible before. A phishing campaign that would have taken days to craft can now be generated in minutes. Social engineering that required research and preparation can be automated.

But here’s the thing: defenders get access to the same tools. Microsoft uses AI to spot threats, close detection gaps, catch phishing attempts, and protect vulnerable users. The question isn’t whether to use AI. It’s whether you’re using it as effectively as the people attacking you.

What this means for boards and leadership

Let me be direct about something: organizational leaders must treat cybersecurity as a core strategic priority, not just an IT issue, and build resilience into their technology and operations from the ground up.

This isn’t new advice, but the urgency has changed. The threats are moving faster, the tools available to attackers are more sophisticated, and the financial incentives have never been higher.

The report offers clear recommendations that boards should be tracking. Build in resilience by assuming that breaches are inevitable and embedding resilience into infrastructure. Track metrics like multifactor authentication coverage, patch latency, and incident response time.

Invest in people, not just tools. Continuously upskill your workforce and embed security in performance reviews. Culture and readiness, not just technology, are critical to an organization’s defenses and its resilience.

Notice what’s missing from these recommendations? There’s nothing about buying the latest security product or implementing the most advanced technology. It’s about fundamentals, processes, and people, backed by effective use of technology.

The uncomfortable reality

Here’s what keeps me up: most organizations I talk to know what they should be doing. They’ve read the reports. They understand the threats. But implementation lags behind awareness by months or years.

MFA rollouts get delayed. Vulnerability management processes don’t get the resources they need. Security training happens once a year instead of being embedded into daily work. Legacy systems that should have been replaced years ago keep running because replacing them is hard.

The gap isn’t knowledge. It’s execution.

And while we’re debating budgets and timelines, attackers are already inside networks, credentials are being sold on dark web forums, and ransomware groups are identifying their next targets.

Where do we go from here?

The Microsoft Digital Defense Report 2025 makes one thing abundantly clear: security can’t be a side project anymore. It can’t be something we get to after we handle the “real” business priorities. It is a real business priority.

The threats are here. They’re sophisticated, well-funded, and motivated. They’re using the same AI tools we are, sometimes more effectively. They’re targeting everyone, not just the big obvious targets.

But we’re not helpless. The fundamentals still work. MFA stops the vast majority of attacks. Regular patching closes known vulnerabilities. Good processes catch what technology misses. Training helps people recognize threats.

The question isn’t what to do. We know what to do. The question is whether we’re actually going to do it, or whether we’re going to keep treating security as something we’ll get to next quarter.

Because I promise you, the attackers aren’t waiting for next quarter.

You can read the full Microsoft Digital Defense Report 2025 at: https://www.microsoft.com/en-us/corporate-responsibility/cybersecurity/microsoft-digital-defense-report-2025/
