Microsoft has warned that cyber threats are becoming more sophisticated and frequent, driven by advances in artificial intelligence and increasingly organised criminal networks. The findings are detailed in the 2025 Microsoft Digital Defense Report (MDDR), which analyses trends shaping the cybersecurity landscape and outlines strategies for governments and organisations to strengthen their defences.
With billions of users and millions of organisations relying on its services, Microsoft processes more than 100 trillion security signals every day. Its network screens five billion emails daily to protect users from malware and phishing, while 4.5 million new malware files are blocked each day. The company employs more than 34,000 security engineers worldwide and collaborates with over 15,000 partners to respond to evolving threats.
The report notes that cyberattacks in 2025 have become faster and more targeted. Threat actors are exploiting known vulnerabilities, such as weaknesses in web assets and remote services, while also deploying new techniques including AI-powered phishing and multi-stage attack chains. The United States, United Kingdom, Israel, and Germany were among the most frequently targeted nations.
Cybercrime economy grows in scale and sophistication
The report highlights how the cybercrime economy has matured into a complex ecosystem, involving access brokers, ransomware operators, and data extortion groups. These networks often operate across borders, making them difficult to disrupt. Financial incentives continue to fuel this ecosystem, with some attackers earning significantly more from selling vulnerabilities to criminal groups than from legitimate bug bounty programmes.
Between October 2024 and October 2025, Lumma Stealer emerged as the most widespread information-stealing malware. Offered as a malware-as-a-service platform, Lumma Stealer harvested sensitive data from web browsers and applications, including cryptocurrency wallets. This data was sold to access brokers on dark web forums and Telegram channels, enabling ransomware operators and other attackers to compromise networks.
In mid-2025, Microsoft’s Digital Crimes Unit, in collaboration with the US Department of Justice, Europol, and Japan’s Cybercrime Control Center, disrupted Lumma Stealer’s operations. Authorities seized or blocked more than 2,300 malicious domains, cutting off the malware’s infrastructure and preventing infected devices from being controlled by criminals.
The report also reveals that 97% of identity-based attacks were password spray attempts, underscoring how weak or reused passwords remain a major vulnerability. Microsoft urges policymakers to establish harmonised cross-border legal frameworks to speed up investigations and dismantle cybercrime networks more effectively.
AI becomes both a weapon and a defence tool
Artificial intelligence is playing a dual role in cybersecurity, acting as both a powerful tool for defenders and a significant advantage for attackers. AI can analyse vast volumes of threat data to detect early warning signs and identify security gaps. It can also automate responses, such as suspending compromised accounts or resetting passwords within seconds.
However, attackers are also exploiting AI systems. Poorly secured AI workloads have been compromised through prompt-based attacks and supply chain exploits. Deepfake videos and synthetic voice cloning are being used in fraud schemes against multinational companies and government agencies, costing organisations millions. AI agents could eventually enable attackers to automate the entire attack lifecycle, from reconnaissance and vulnerability scanning to exploitation.
In one example, in July 2024 Microsoft uncovered a global operation known as Storm-2139, which used stolen API keys to bypass AI safety controls and generate abusive images. Microsoft’s Digital Crimes Unit traced the operation using open-source intelligence and content provenance tools before referring the case to authorities.
The report calls on governments to invest in research and development focused on applying AI to cybersecurity technologies, helping defenders stay ahead of emerging threats.
Nation-state attacks evolve with AI and influence operations
Nation-state threat actors have continued to evolve their tactics in 2025, adopting AI to scale their intelligence-gathering and influence operations. These actors focus on shaping public narratives, spreading synthetic media, and overwhelming detection systems. Their targets include IT companies, research institutions, government agencies, think tanks, and non-governmental organisations.
The report highlights that certain countries face disproportionately high levels of nation-state activity. It also warns about covert operations such as North Korea’s deployment of thousands of remote IT workers at unsuspecting companies, aimed at generating revenue and stealing sensitive intellectual property. Microsoft is tracking these activities and advising organisations on how to detect and address them.
Microsoft urges governments to establish clear “red lines” for nation-state cyber activity and to impose a range of consequences, from diplomatic sanctions and economic measures to targeted declassification and public exposure.
The MDDR 2025 concludes with recommendations for strengthening global cyber resilience, including investing in people as well as technology, transitioning to quantum-safe systems, understanding the risks and benefits of AI, and fostering collaboration across sectors. As the threat landscape becomes more complex, Microsoft stresses that proactive, coordinated action is essential to safeguarding the digital ecosystem.