2023 Microsoft Digital Defense Report (MDDR)

How we’re building and improving Cyber Resilience

Welcome to the Microsoft Digital Defense Report. As the digital domain continues to evolve, defenders around the world are innovating and collaborating more closely than ever. In this fourth annual edition of the report we share actionable steps and valuable insights from what we’re seeing for the reporting period from July 2022 through June 2023.

“Artificial Intelligence will be a critical component of successful defense. In the coming years, innovation in AI-powered cyber defense will help reverse the current rising tide of cyberattacks.”

Tom Burt, Corporate Vice President, Customer Security and Trust, Microsoft

As a company committed to making the world a safer place, Microsoft has invested heavily in security research, innovation, and the global security community. While AI is transforming cybersecurity, using it to stay ahead of threats requires massive amounts of data. We have access to a diverse range of security data which puts us in a unique position to understand the state of cybersecurity and to identify indicators that can help predict the next moves of attackers.

This year's report draws on insights from these and other sources across Microsoft and the ecosystem:

Infographic image highlighting the key report insights

Telemetry sources: Microsoft Defender for Endpoint, Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, Microsoft Defender for Office 365, Microsoft Entra ID (formerly Azure AD), Microsoft Defender Threat Intelligence

65 trillion signals synthesized per day. That is over 750 billion signals per second, synthesized using sophisticated data analytics and AI algorithms to understand and protect against digital threats and criminal cyberactivity.
More than 10,000 Microsoft security and threat intelligence experts, including engineers, researchers, data scientists, cybersecurity experts, threat hunters, geopolitical analysts, investigators, and frontline responders across the globe.
4,000 identity authentication threats blocked per second on average over the past year.
More than 300 unique threat actors tracked by Microsoft Threat Intelligence, including 160 nation-state actors, 50 ransomware groups, and hundreds of others.
More than 100,000 domains have been removed that were utilized by cybercriminals, including over 600 employed by nation-state threat actors.
More than 15,000 partners with specialized solutions in our security ecosystem, who increase cyber resilience for our customers.
135 million managed devices providing security and threat landscape insights.

Strengthening our defenses together

Strength in numbers. Stronger together. Together we stand. We think every individual and company should exist above the cyber poverty line. While organizations are focused on safeguarding their own systems, customers, and communities, partnership acts as a crucial force multiplier for collective resilience. Together, we can ensure that every individual and company exists above the cyber poverty line.

The opportunities for partnership across the public and private sectors, policy organizations, and standards bodies are multi-dimensional. From ensuring the technology community is building safer, more secure technology and collaborating on threat intelligence and trends to developing common standards to take down and block the tools cybercriminals use, strong and bi-directional partnerships between organizations are crucial.

Partnerships across the technology community are an absolute necessity to ensure organizations of all types and sizes, in every industry and region, can protect themselves. This means working together to push the boundaries of innovation, ensuring technical integration of products in the security space and addressing the end-to-end security needs of customers.

Defenders all over the world are responding to the call to improve security with the public and private sectors investing and collaborating to confront the challenges and build long-term resilience.

Read full report

One crucial point stands out: the vast majority of successful cyberattacks could be thwarted by implementing a few fundamental security hygiene practices.

How can we protect against 99% of attacks? Basic security hygiene still protects against 99% of attacks. Enable multifactor authentication (MFA), apply Zero Trust principles, Use extended detection and response and antimalware, keep up to date, and protect data. Outlier attacks make up just 1%. How effective is MFA at deterring cyberattacks? A recent study based on real-world attack data from Microsoft Entra found that MFA reduces the risk of compromise by 99.2 percent

Basic security hygiene still protects against 99% of attacks. Enable multifactor authentication (MFA), apply Zero Trust principles, Use extended detection and response and antimalware, keep up to date, and protect data. Outlier attacks make up just 1%. How effective is MFA at deterring cyberattacks? A recent study based on real-world attack data from Microsoft Entra found that MFA reduces the risk of compromise by 99.2 percent.

This protects against compromised user passwords and helps to provide extra resilience for identities.
The cornerstone of any resilience plan is to limit the impact of an attack on an organization: explicitly verify, use least privilege access, and always assume breach.
Implement software to detect and automatically block attacks and provide insights to the security operations software. Monitoring insights from threat detection systems is essential to being able to respond to threats in a timely fashion.
Unpatched and out-of-date systems are a key reason many organizations fall victim to an attack. Ensure all systems are kept up to date including firmware, the operating system, and applications.
Knowing your important data, where it is located, and whether the right defenses are implemented is crucial to implementing the appropriate protection.

Threat actors represented in the 2023 Microsoft Digital Defense Report

Tracked activity including nation-state, ransomware, and cyber mercenaries by designated storms

Threat actors and types discussed in the report include tracked activity from nation-state actors, ransomware groups, cyber mercenaries or private sector offensive actors, and “Storm” designations followed by a four-digit number refer to emerging or developing clusters of threat activity. Threat actor group naming: Russian groups end in “Blizzard”; Chinese groups end in “Typhoon”; Iranian groups end in “Sandstorm”; North Korean groups end in “Sleet”

Introduction

The power of partnerships is key to overcoming adversity by strengthening defenses and holding cybercriminals accountable.

Learn more

Aerial view of a city with many buildings

The State of Cybercrime

While cybercriminals remain hard at work, the public and private sectors are coming together to disrupt their technologies and support the victims of cybercrime.

Learn more