Refining Your Cybersecurity Strategy Based on Data
Learning about cybersecurity risks and mitigations is an endless rabbit hole. Along the way, many companies publish reports, filled with statistics and findings, guiding you towards a particular view of the preferred solution, often the ones the company happens to be selling.
But the lack of reliable ground truth for cybersecurity risks is a challenge for anyone attempting to figure out where to put their limited budget (or, in my case, attempting to convince my clients to shell out for various services). Vendors often do have large, useful datasets, but the data needs to be understood in context. If you're an email security vendor, your logs will be skewed towards email attacks, and thus your "view of the world" will be biased. Another example is "the average cost of a data breach" being reported by IBM as $4.4 million USD for 2025, $4.88 million USD for 2024 and so forth. Really? Maybe for the 1-2% of businesses classified as enterprises, but for every one of my clients, and for the 98% of businesses worldwide with less than 1,000 staff, that kind of cost would be completely business ending, and mostly it isn't, so I suspect the average for SMBs is a lot less.
In this article I'll look at Microsoft's recently released annual Digital Defense Report (DDR) 2025, their quarterly Secure Future Initiative (SFI) progress report from November, Thinkst's ThinkstScapes for Q3 and weave in a few other data points along the way. I'll also extract the salient points that you can apply to your own organization's cybersecurity approach. Microsoft's report is unique in that they cover every area in their services and security products and ingest data from both the commercial world (Azure, Microsoft 365, Dynamics 365 etc.) and the consumer risk landscape (Xbox, Bing etc.).
100 Trillion Signals a Day
The DDR is the evolution of the older annual Security Intelligence Report (SIR) so Microsoft has been at this for quite a few years. With contributions from 23 teams and 200 people over the last 12 months, the DDR is nevertheless quite easy to digest at 78 pages (plus a very handy glossary at the end). It's divided into two main sections, the first outlining the threat landscape, and the second the defense landscape.
And yes, Microsoft is claiming 100 trillion security signals processed daily, 4.5 million net new malware files blocked every day, and 5 billion emails screened daily. These are just nebulous numbers that are impossible for me to wrap my head around, but very few other organizations have such a comprehensive view of the cyber risk landscape on the internet (maybe AWS, Google and Cloudflare come to mind, but they don't offer services across every area).
The U.S. is the "leader" for Microsoft's customers being targeted at 24.8%, with the U.K. in second place at 5.6%, and Australia sharing 10th place with Taiwan at 1.8%. As for the industry vertical most in the crosshairs, that's Government agencies & services (17%), IT (also 17%) and Research and academia (11%).
The motivation of the attackers, based on reporting from Microsoft's Incident Response team, is interesting:
Figure: Motivations in IR Engagements (source: Microsoft DDR 2025).
Note that ransomware is only 1/5th, with data theft and extortion much more likely. Again, read these statistics in light of the source, in this case Microsoft's Incident Response team, which only large organizations will be able to afford when they have a breach. Espionage at only 4% makes sense, but again you need to adapt this kind of figure to your organization's vertical: if you're a defense contractor that figure will be much higher, and if you're in retail it's close to 0%. I found infrastructure building intriguing; it's where the attackers take advantage of unmanaged assets to stage attacks against other third-party targets. This saves attackers the cloud bill for running the attack in the first place and also muddles attribution attempts (and is also why the idea of "hacking back" can be so dangerous -- making sure you're actually attacking the bad guy, and not another victim's infrastructure, isn't straightforward).
The initial access vector can be exploiting a public-facing application (11%), valid accounts (11%) or social engineering (10%, up from 8% in 2024). Where AI-automated phishing emails are used they're achieving a 54% click-through rate (compared to 12% for standard attempts), but they're equally likely to get blocked by the email hygiene solution.
Another observation that Microsoft isn't alone in making is the rapid weaponization of exploits, where the time window between vulnerability disclosure, patch availability and patch deployment used to be measured in weeks and can now be days or even hours. Having the processes in place to triage high impact vulnerabilities, identify affected systems and rapidly roll out patches is challenging, but necessary.
One type of initial access that's risen in popularity over the last year is ClickFix, where an attacker plants a "fake captcha" and lures victims to the page (often with SEO poisoning -- buying ad space for related search terms, in essence relying on Google search being the vector to distribute the attack), where they're asked to press Win + R to open the Run dialog box and hit Enter on Windows to prove they're human, which runs the attacker's code. You should definitely include awareness of this attack type in your regular user training.
Overall, the saying that "attackers don't break in, they log in" is true, but they still break in as well, so you've got to protect against both. The rise of infostealers is also called out: malware that runs on a user's (personal?) devices and scrapes usernames and passwords, along with cryptocurrency secrets. The most popular infostealer was Lumma Stealer (51%), which was taken down by Microsoft and others in May 2025.
As for emerging threats it's no surprise that attackers will use AI-enhanced social engineering and attacks but the biggest takeaway for me is the expansion of supply chain compromises. Getting access to dozens of clients by compromising a single Managed Service Provider, or thousands of endpoints by subverting a single application package is a fruitful path for attackers to take. If one of your suppliers were compromised -- could you detect the subsequent infiltration into your systems? What's your business risk management plan for it?
Cloud identities are targeted, including through malicious OAuth apps, highlighting the need for app governance. Putting the spotlight on identity attacks (and where you should focus your limited budget) is the fact that more than 97% of them are password spray or brute force attacks. That small leftover slice of 3% is made up of:
Figure: Emerging Identity Attacks (source: Microsoft DDR 2025).
In other words, attackers are bypassing MFA 10 times as frequently by stealing the token from users via malware on their devices (personal BYOD devices, if you allow them) as they are by setting up fake login pages and tricking users into handing over their credentials. You should still move to phishing-resistant authentication (as that journey will take years), particularly now that Entra ID supports synced passkeys through any password manager, not just Microsoft Authenticator.
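Since the report attributes more than 97% of identity attacks to password spray and brute force, those two patterns are the first thing your sign-in monitoring should recognize. The script below is an added example, not code from the article or from Microsoft; it runs over a constructed sign-in log (the CSV shape `timestamp,user,src_ip,result`, the thresholds and the addresses are all assumptions) and separates the two profiles: brute force is many failures against one account, while password spray is a few failures each against many accounts from one source, which per-account lockout never triggers on. It also flags the case a responder cares about most, a sprayed source that eventually signs in successfully.

```python
"""Password-spray and brute-force detection over sign-in logs.

Added example, not from the article or the Microsoft DDR. The log format
(timestamp,user,src_ip,result), the thresholds and the sample addresses
are assumptions chosen to illustrate the two attack shapes.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    ts: str
    user: str
    src_ip: str
    ok: bool


def parse_line(line: str) -> SignIn:
    """Parse one constructed CSV line: timestamp,user,src_ip,result."""
    ts, user, ip, result = line.strip().split(",")
    return SignIn(ts, user, ip, result == "success")


def detect_brute_force(events, min_failures=10):
    """Accounts that accumulated at least min_failures failed sign-ins."""
    fails = defaultdict(int)
    for e in events:
        if not e.ok:
            fails[e.user] += 1
    return {u: n for u, n in fails.items() if n >= min_failures}


def detect_password_spray(events, min_accounts=5, max_failures_per_account=3):
    """Source IPs that fail against many distinct accounts, each only a few
    times: the low-and-slow profile that per-account lockout misses."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for e in events:
        if not e.ok:
            per_ip[e.src_ip][e.user] += 1
    hits = {}
    for ip, users in per_ip.items():
        if len(users) >= min_accounts and max(users.values()) <= max_failures_per_account:
            hits[ip] = sorted(users)
    return hits


def analyze(lines):
    """Run both detectors and flag any success from a spraying source."""
    events = [parse_line(line) for line in lines]
    spray = detect_password_spray(events)
    return {
        "brute_force": detect_brute_force(events),
        "password_spray": spray,
        "spray_then_success": [(e.src_ip, e.user) for e in events if e.ok and e.src_ip in spray],
    }


def constructed_log():
    """Constructed sample data (TEST-NET addresses, example.com users)."""
    lines = []
    # Brute force: 12 failures against one account from one source.
    for i in range(12):
        lines.append(f"2025-11-03T08:00:{i:02d}Z,alice@example.com,198.51.100.9,failure")
    # Password spray: one failure each against six accounts from one source.
    for i, u in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"]):
        lines.append(f"2025-11-03T09:00:{i:02d}Z,{u}@example.com,203.0.113.7,failure")
    # The spray lands on a weak password.
    lines.append("2025-11-03T09:05:00Z,frank@example.com,203.0.113.7,success")
    # Benign traffic: a normal login and a single typo.
    lines.append("2025-11-03T09:10:00Z,alice@example.com,192.0.2.44,success")
    lines.append("2025-11-03T09:11:00Z,bob@example.com,192.0.2.45,failure")
    return lines


if __name__ == "__main__":
    for name, finding in analyze(constructed_log()).items():
        print(f"{name}: {finding}")
```

The thresholds are deliberately loose so the sample triggers; on real data, tune `min_accounts` and the time window to your tenant's size, and treat a `spray_then_success` hit as an incident rather than an alert, since the attacker already has a valid account at that point.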
In the first half of 2025, identity-based attacks rose by 32% which is a sobering statistic, reinforcing the need to build your cybersecurity strategy on strong identity authentication. This is particularly true if you're in research and academia which are overrepresented in the data:
Figure: Organizations with Identity Compromise Signals by Sector (source: Microsoft DDR 2025).