Skip to main content
Microsoft Security

Discover the latest cybersecurity insights and analysis from the Microsoft Digital Defense Report on-demand webinar

 Protect yourself against identity-based cyber attacks

Identity is the new battleground

There’s a dangerous mismatch between most organizations’ security protocols and the threats they face. While attackers do try to force their way into networks, their preferred tactic is simpler: guessing weak login passwords. Basic measures like multifactor authentication are effective against 98 percent of attacks, but only 20 percent of organizations fully employ them (Microsoft Digital Defense Report, 2021).

In issue 1, you’ll learn about current security trends and recommendations from Microsoft researchers and experts, including:

  • Who’s relying on password and identity-based attacks.
  • What to do to counteract attacks, including endpoint, email, and identity strategies.
  • When to prioritize different security measures.
  • Where ransomware strains enter and proliferate within networks, and how to stop them.
  • Why identity protection remains the greatest cause for concern—but is also the greatest opportunity to improve your security.

Threat briefing

Nation-state actors redouble efforts to simply grab identity building blocks

Cyberattacks by nation-state actors are on the rise. Despite their vast resources, these adversaries often rely on simple tactics to steal easily guessed passwords. By so doing, they can gain fast and easy access to customer accounts. In the case of enterprise attacks, penetrating an organization’s network allows nation-state actors to gain a foothold they can use to move either vertically, across similar users and resources, or horizontally, gaining access to more valuable credentials and resources.

Spear-phishing, social engineering attacks, and large-scale password sprays are basic nation-state actor tactics used to steal or guess passwords. Microsoft gains insight into attackers’ tradecraft and successes by observing what tactics and techniques they invest in and find success with. If user credentials are poorly managed or left vulnerable without crucial safeguards like multi-factor authentication (MFA) and passwordless features, nation-states will keep using the same simple tactics.

The need to enforce MFA adoption or go passwordless cannot be overstated, because the simplicity and low cost of identity-focused attacks make them convenient and effective for actors. While MFA is not the only identity and access management tool organizations should use, it can provide a powerful deterrent to attacks.

Abusing credentials is a fixture of NOBELIUM, a nation-state adversary linked to Russia. However, other adversaries, such as Iran-linked DEV 0343 rely on password sprays too. Activity from DEV-0343 has been observed across defense companies producing military-grade radars, drone technology, satellite systems, and emergency response communication systems. Further activity has targeted regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East.

Iran: Most targeted countries (July 2020-June 2021)
Chart showing Iran: Most targeted countries (July 2020-June 2021)
The most targeted countries by Iran between July 2020 and June 2021 were the United States (49%), Israel (24%), and the Saudi Arabia (15%).


Organization should:

Enable multi-factor authentication: By so doing, they mitigate the risk of passwords falling into the wrong hands. Even better, eliminate passwords altogether by using passwordless MFA.

Audit account privileges: Privileged-access accounts, if hijacked, become a powerful weapon attackers can use to gain greater access to networks and resources. Security teams should audit access privileges frequently, using the principle of least-privilege granted to enable employees to get jobs done.

Review, harden, and monitor all tenant administrator accounts: Security teams should thoroughly review all tenant administrator users or accounts tied to delegated administrative privileges to verify the authenticity of users and activities. They should then disable or remove any unused delegated administrative privileges.

Establish and enforce a security baseline to reduce risk: Nation-states play the long game and have the funding, will, and scale to develop new attack strategies and techniques. Every network-hardening initiative delayed due to bandwidth or bureaucracy works in their favor. Security teams should prioritize implementing zero-trust practices like MFA and passwordless upgrades. They can begin with privileged accounts to gain protection quickly, then expand in incremental and continuous phases.

Defending against attacks

Ransomware dominates mindshare, but only a few strains dominate

The dominant narrative seems to be that there are massive numbers of novel ransomware threats outstripping defenders’ capabilities. However, Microsoft analysis shows this is incorrect. There’s also a perception that certain ransomware groups are a single monolithic entity, which is also incorrect. What exists is a cyber-criminal economy where different players in commoditized attack chains make deliberate choices. They are driven by an economic model to maximize profit based on how they each exploit the information they have access to. The graphic below shows how different groups profit from various cyberattack strategies and information from data breaches.


Average prices of cybercrime services for sale
chart of Average prices of cybercrime services for sale
Average prices of cybercrime services for sale. Attackers for hire start at $250 USD per job. Ransomware kits are $66 USD or 30% of the profit. Compromised devices start at 13 cents per PC and 82 cents per mobile device. Spear phishing for hire ranges from $100 to $1,000 USD. Stolen username and password pairs begin at 97 cents per 1000 on average.

That said, no matter how much ransomware is out there, or what strains are involved, it really comes down to three entrance vectors: remote desktop protocol (RDP) brute force, vulnerable internet-facing systems, and phishing. All of these vectors can be mitigated with proper password protection, identity management, and software updates in addition to a comprehensive security and compliance toolset. A type of ransomware can only become prolific when it gains access to credentials and the ability to spread. From there, even if it is a known strain, it can do a lot of damage.

Path of threat actor behavior
Charting threat actors from initial access to lateral movement through the system
Path of threat actor behavior once system is breached from initial access point to credential theft and lateral movement through system. Tracks persistent path to capture accounts and acquire ransomware payload.


Security teams should:

Understand that ransomware thrives on default or compromised credentials: As a result, security teams should accelerate safeguards like implementing passwordless MFA on all user accounts and prioritizing executive, administrator and other privileged roles.

Identify how to spot telltale anomalies in time to act: Early logins, file movement, and other behaviors that introduce ransomware can seem nondescript. Nonetheless, teams need to monitor for anomalies and act on them swiftly.

Have a ransomware response plan and conduct recovery exercises: We live in the era of cloud sync-and-share, but data copies are different from entire IT systems and data bases. Teams should visualize and practice what full restorations look like.

Manage alerts and move fast on mitigation: While everyone fears ransomware attacks, security teams’ primary focus should be on strengthening weak security configurations that allow the attack to succeed. They should manage security configurations so alerts and detections are being responded to properly.

The cybersecurity bell curve: Basic security hygiene still protects against 98% attacks
Protection distribution curve for using antimalware for combating cyberattacks
Protect against 98% of attacks by utilizing antimalware, applying least privilege access, enabling multifactor authentication, keeping versions up to date, and protecting data. The remaining 2% of the bell curve includes outlier attacks.

Get additional guidance from Microsoft Principal Threat Intelligence Lead Christopher Glyer on how to secure identity.

Security snapshotInsights are gained and threats are blocked using over 24 trillion signals daily

Endpoint threats:

Microsoft Defender for Endpoint blocked more than 9.6 billion malware threats targeting enterprise and consumer customer devices, between January and December 2021.

E-mail threats:

Microsoft Defender for Office 365 blocked more than 35.7 billion phishing and other malicious e-mails targeting enterprise and consumer customers, between January and December 2021.

Identity threats:

Microsoft (Azure Active Directory) detected and blocked more than 25.6 billion attempts to hijack enterprise customer accounts by brute-forcing stolen passwords, between January and December 2021.

Methodology: For snapshot data Microsoft platforms including Defender and Azure Active Directory provided anonymized data on threat activity, such as brute force login attempts, phishing and other malicious e-mails targeting enterprises and consumers, and malware attacks between January and December 2021. Additional insights are from the 24 trillion daily security signals gained across Microsoft including the cloud, endpoints, and the intelligent edge. Strong authentication data combines MFA and passwordless protection.

Related articles

Cyber Signals Issue 2: Extortion Economics

Hear from frontline experts on the development of ransomware as a service. From programs and payloads to access brokers and affiliates, learn about the tools, tactics, and targets cybercriminals favor, and get guidance to help protect your organization.

Learn more

Defending Ukraine: Early Lessons from the Cyber War

The latest findings in our ongoing threat intelligence efforts in the war between Russia and Ukraine, and a series of conclusions from its first four months reinforces the need for ongoing and new investments in technology, data, and partnerships to support governments, companies, NGOs, and universities.

Learn more

Expert Profile: Christopher Glyer

As Principal Threat Intelligence Lead with a focus on ransomware at the Microsoft Threat Intelligence Center (MSTIC), Christopher Glyer is part of the team that investigates how the most advanced threat actors access and exploit systems.

Learn more