Skip to main content
Microsoft Security
Back to Security Now
Feature article

How cyberattacks are changing according to the new Microsoft Digital Defense Report

By Amy Hogan-Burney, General Manager of Microsoft Digital Crimes Unit/Associate General Counsel  

Recent trends point to a clear message: cybercrime is becoming more sophisticated, widespread and relentless. Let’s get a deeper look into human-operated ransomware, phishing attacks, malware, and more—and learn how to get ahead of these threats before they begin. 

In 2021, cybercrime has become even more sophisticated, widespread, and relentless. Criminals have targeted critical infrastructure—healthcareinformation technologyfinancial servicesenergy sectors—with headline-grabbing attacks crippling businesses and harming consumers. But there are positive trends—victims are coming forward, humanizing the toll of cyberattacks, and prompting increased engagement from law enforcement. Governments are also passing new laws and allocating more resources as they recognize cybercrime as a threat to national security.  

Earlier this month, Microsoft published the 2021 Microsoft Digital Defense Report (MDDR). Drawing upon over 24 trillion daily security signals across the Microsoft cloud, endpoints, and the intelligent edge, the 2021 MDDR expands upon last year’s inaugural report and contains input from over 8,500 security experts spanning 77 countries—including insights on the developing state of ransomware, malicious email, malware, and more.  

Ransomware goes retail 

Ransomware offers a low-investment, high-profit business model that’s irresistible to criminals. What began with single-PC attacks now includes crippling network-wide attacks using multiple extortion methods to target both your data and reputation, all enabled by human intelligence. Through this combination of real-time intelligence and broader criminal tactics, ransomware operators have built their profits to unprecedented levels.  
This human-operated ransomware, aka “big game ransomware,” involves criminals hunting for large targets that will provide a substantial payday. Ransomware is becoming a modular system like any other big business, including ransomware as a service (RaaS). With RaaS, there isn’t a single individual behind a ransomware attack; rather, there are multiple groups. For example, one threat actor may develop and deploy malware that gives one attacker access to a certain category of victims, whereas a different actor may merely deploy malware. It’s effectively a crime syndicate where each member is paid for a particular expertise.  

Once a criminal actor compromises a network, they may steal confidential information, financial documents, and insurance policies. After analyzing this intelligence, they will demand an “appropriate” ransom to not only unlock their victim’s systems, but also to prevent public disclosure of exfiltrated data. This is known as the double extortion model: a victim is extorted for ransom on stolen data and intellectual property (IP); then again to prevent the attacker from publishing it. 

Typically, threat actors will demand payment through crypto wallets. The underlying blockchain technology enables the owners of crypto wallets to remain pseudonymous. But the criminal actor needs to cash out, which is where middlemen in the crypto currency ecosystem step in to facilitate ransom-related transactions and payments. Both the private sector and government agencies—through civil litigation, prosecution, regulatory enforcement, and international collaboration—can take coordinated action against ransomware intermediaries to disrupt the payment process. Data from Microsoft’s Detection and Response Team (DART) shows that the three sectors most targeted by ransomware were consumer, financial, and manufacturing

Figure 1: DART ransomware engagements by industry (July 2020–June 2021) 

The best way to be prepared against ransomware is to make it harder for attackers to access systems while making it easier for victims to recover—without paying a ransom. Encouraging organizations to prepare for the worst is a proactive strategy, one that minimizes monetary incentives for attackers. To learn more about defending against ransomware, read the 2021 MDDR. Microsoft also supports the guidance presented in the Ransomware Playbook by the Cyber Readiness Institute.

Figure 2: Three steps for limiting damage from ransomware 

Malicious email: bait and switch 

Reports of  phishing attacks doubled in 2020, with credential phishing used in many of the most damaging attacks. The Microsoft Digital Crimes Unit (DCU) has investigated online organized crime networks involved in business email compromise (BEC), finding a broad diversification of how stolen credentials are obtained, verified, and used. Threat actors are increasing their investment in automation and purchasing tools; so they can increase the value of their criminal activities. 

Overall, phishing is the most common type of malicious email observed in our threat signals. All industries receive phishing emails, with some verticals more heavily targeted depending on attacker objectives, availability of leaked email addresses, or current events regarding specific sectors and industries. The number of phishing emails we observed In Microsoft Exchange global email flow increased from June 2020 – June 2021, with a pronounced surge in November potentially taking advantage of holiday-themed traffic. 

“In 2020, the industry saw a surge of phishing campaigns that has remained steady throughout 2021. Internally at Microsoft, we saw an increase in overall number of phishing emails, a downward trend in emails containing malware, and a rise in voice phishing (or vishing).”

2021 Microsoft Digital Defense Report
Figure 3: Malicious email techniques 

Phishing sites frequently copy well-known, legitimate login pages, such as Microsoft Office 365, to trick users into inputting their credentials. In one recent example, attackers combined open redirector links with bait that impersonates well-known productivity tools and services. Users clicking the link were lead to a series of redirections—including a CAPTCHA verification page that adds a sense of legitimacy—before landing on a fake sign-in page and finally, credential compromise. Those stolen identities can then be weaponized in BEC attacks or via phishing web sites. Even after a successful attack, threat actors may re-sell accounts if the credentials remain compromised. 

Microsoft Defender SmartScreen detected more than a million unique domains used in web-based phishing attacks in the last year, of which compromised domains represented just over five percent. Those domains typically host phishing attacks on legitimate websites without disrupting any legitimate traffic; so their attack remains hidden as long as possible. 

Domains created specifically for attacks tend to be active for shorter periods. Over the last year, Microsoft has seen attacks come in short bursts that begin and end within as little as one to two hours.  

Because those minutes matter, Microsoft is again co-sponsoring the annual Terranova Gone Phishing Tournament™ as part of Cybersecurity Awareness Month, which uses real-world simulations to establish accurate clickthrough statistics. By using a real phishing email template included in Microsoft Defender for Office 365Attack Simulator provides context-aware simulations and hyper-targeted training to educate employees and measures behavior changes. 

Malware: opportunity knocks 

Just as phishing has grown in scale and complexity over the last year, malware too, has continued to evolve. Microsoft 365 Defender Threat Intelligence has observed recent innovation that can lead to greater success among attackers. Even with a range of attack goals—ransom, data exfiltration, credential theft, espionage—many malware types rely on time-tested strategies for establishing themselves in a network.

In every month from August 2020 to January 2021, we registered an average of 140,000 web shell threats on servers, which was almost double the 77,000 monthly average. Throughout 2021 we saw an even bigger increase, with an average of 180,000 encounters per month.”

2021 Microsoft Digital Defense Report

Simple and effective, web shell usage continues to climb among both nation state groups and criminal organizations, allowing attackers to execute commands and steal data from a web server, or use the server as a launch pad for further attacks. PowerShell using suspicious flags or encoded values was the most common behavior Microsoft observed from malware this year.  

Also popular is malware that attempts to rename or inject payloads to mimic system processes and collect data from browser caches. Other forms of malware in play were: use of specific reconnaissance strings; processes added to startup folders; AMSI and registry alterations; and executables dropped from Microsoft Office 365 files, accompanied by other alerts. We also observed malware tactics that are more difficult to mitigate, such as: 

  • Fileless malware and evasive behavior—these include numerous fileless malware techniques employed by botnets, commodity downloaders, and advanced malware campaigns; all designed to make removal and detection more difficult. 
  • Legitimate service abuse in network communications—Google Drive, Microsoft OneDrive, Adobe Spark, Dropbox, and other sites are still popular for malware delivery, while “content dump” sites such as,, and are increasingly popular for component download in multi-part and fileless malware. 

A common attack vector we’re seeing—threat actors use a “compromise first, monetize later” approach that takes advantage of customer patching delays. Meaning, cybercriminals will attack any gap in cyber defenses betting that an opportunity for profit will eventually present itself. This makes it even more imperative that organizations deploy security updates and patches for all internet-facing systems.  

Learn more  

Every person and organization has the right to expect the technology they use is secure and delivered by a company they can trust. As part of Microsoft’s differentiated approach to cybersecurity, the DCU represents an international team of technical, legal, and business experts that’s been fighting cybercrime to protect victims since 2008. We use our expertise and unique view into online criminal networks to take action. We share insights internally that translate to security product features, we uncover evidence for criminal referrals to law enforcement throughout the world, and we take legal action to disrupt malicious activity. 

For a comprehensive look at the state of cybercrime today, including the rise of malicious domains and adversarial machine learning, download the 2021 Microsoft Digital Defense Report. Look for upcoming articles providing in-depth information for each themed week of Cybersecurity Awareness Month 2021. Visit our Cybersecurity Awareness Month page for more resources and information on protecting your organization year-round. Do your part. #BeCyberSmart 

To learn more about Microsoft Security solutions visit our website.  Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Back to Security Now
Feature article

Strengthening supply chain and IoT/OT security