Skip to main content
Skip to main content
Microsoft Security

Protecting Identities in the Cloud: Mitigating Password Attacks

  • Tim Rains

We just released a new volume of the Microsoft Security Intelligence Report. Included in the report, for the first time, is security data from the Microsoft cloud that reveals how we are leveraging an intelligent security graph to inform how we protect endpoints, better detect attacks and accelerate our response, to help protect our customers.

In November we outlined Microsoft’s new approach to how we Protect, Detect and Respond to security threats. We have been evolving our ability to get real-time insights and predictive intelligence across our network so we can stay a step ahead of the threats and protect customers.

The challenge is to correlate our security data with our threat intelligence data. To do this, we collect trillions of signals from billions of sources to build an intelligent security graph that can learn from one area and apply across the Microsoft platform. The intelligent security graph is powered by inputs we receive across our endpoints, consumer services, commercial services and on-premises technologies.

The new Security Intelligence Report contains many insights from this data and analysis. Here are some examples:

  • From a sensor network made up of hundreds of millions of systems running Microsoft anti-malware software, the data shows us that:
    • The number of systems that encountered malware in 2015 increased in the second half of the year. The worldwide encounter rate increased to 20.5% by the end of 2015, an increase of 5.5% from six months earlier.
    • The locations with the highest encounter rates were Pakistan, Indonesia, the Palestinian territories, Bangladesh, and Nepal which all had encounter rates above 50%.
    • Exploit kits accounted for four of the 10 most commonly encountered exploits during the second half of 2015. The Angler exploit kit was the most commonly encountered exploit kit family.
    • Although ransomware had relatively low encounter rates (worldwide ER for ransomware in the first quarter of 2015 was 0.35 percent and 0.16 percent in the second quarter), its use in ransomware-as-a-service kits and targeted attacks is increasing.
  • SmartScreen Filter is a feature in Internet Explorer and Microsoft Edge that offers users protection against phishing sites and sites that host malware. Based on phishing data from the SmartScreen:
    • Phishing sites that targeted online services received the largest share of impressions during the period, and accounted for the largest number of active phishing URLs
    • Sites that targeted financial institutions accounted for the largest number of active phishing attacks during the period

As I mentioned we’ve published cloud service security data in this Security Intelligence Report, for the first time. Let me share some of that data with you and why we are excited about how the cloud is improving the insights from our intelligent security graph.

Mitigating Password Attacks

The massive scale of Microsoft’s cloud enables us to gather an enormous amount of intelligence on malicious behavior, which in turn allows us to prevent the compromise of Microsoft Accounts and Azure Active Directory accounts, and block the use of leaked or stolen credentials.

Azure Active Directory provides single sign-on to thousands of cloud (SaaS) apps such as Office 365, Workday, Box, Google Apps and more, and access to web apps organizations run on-premises, and Microsoft Accounts are used by consumers to sign into services like Bing,, OneDrive, Skype, and Xbox LIVE.
The scale of these services provides tremendous insight into attackers’ efforts to compromise the user accounts of consumers and enterprises.
  1. At the end of 2015, Azure Active Directory was being used by 8.24 million tenants with over 550 million users.
  2. Azure Active Directory averaged over 1.3 billion requests per day.
  3. Every day, Microsoft processed over 13 billion logins from hundreds of millions of Microsoft Account users.

To prevent and mitigate attacks on the consumers and organizations using these services, we use a multi-layered system of protection mechanisms. The keystone of these protection systems is machine learning. Every day, our machine learning systems process more than 10 terabytes of data, including information on over 13 billion logins from hundreds of millions of Microsoft Account users.

We combine this with other protection algorithms and data feeds from:

  • The Microsoft Digital Crimes Unit
  • The Microsoft Security Response Center
  • Phishing attack data from and Exchange Online
  • Information acquired by partnering with academia, law enforcement, security researchers, and industry partners around the world

All this data helps us create a comprehensive protection system that helps keep our customers’ accounts safe. The system deflects tens of thousands of location-based attacks per day, and automatically blocks tens of thousands of requests each day that use credentials that have likely been stolen or leaked. Microsoft Accounts that are determined to be compromised are automatically entered into an account recovery process that allows only the rightful owner to regain sole access to the account.

Multiple algorithms look at a wide range of data produced by our systems working in real-time to stop attacks before they are successful, and, retroactively, to swiftly remediate accounts for whom an attack worked and remove access from a bad actor. For example, we also use tools such as incorrect password lockout and location-based blocking.

The Advantages of Machine Learning

Microsoft’s machine learning systems use various data points to determine when an account login attempt, even with a valid password, is likely fraudulent.

For Microsoft Accounts, these login attempts are blocked until a second factor of authentication is provided. For Azure Active Directory, Identity Protection allows administrators to create policies that do the same, requesting MFA or outright blocking the attempt based on the risk score of the login.

One of the factors the machine learning system uses to block login attempts is whether the location of the login attempt is a familiar location to the legitimate user.

New Threat Intelligence Provides Details on Attacks
Here is some the new data published we in this Security Intelligence Report:

  1. Compromised login attempts were blocked from unfamiliar locations nearly three quarters of the time.
  2. Attackers were located in different parts of the world:
    • 49% in Asia
    • 20% in South America
    • 14% in Europe
    • 13% in North America
    • 4% in Africa

Understanding where attacks are originating from, allows us to recognize attack patterns which we can then use to protect other systems and customers.

From all this data gathering and analysis, each day Microsoft’s account protection systems automatically detect and prevent more than 10 million attacks, from tens of thousands of locations, including millions of attacks where the attacker has valid credentials. That’s over 4 billion attacks prevented last year alone.

Very few organizations can access this much high quality data, aggregate it, and analyze it, every day, on-premises, and use it to make timely security decisions. Through our machine learning capabilities, the Microsoft cloud protects customers in a highly sophisticated way, faster than most organizations could do on-premises.


In every Security Intelligence Report, we provide some guidance that helps protect people and organizations. There are a few things people can do to protect their accounts and devices from password based attacks:

  • The security of your account is particularly important if your username is an email address, because other services may rely on your email address to verify your identity. If an attacker takes over your account, they may be able to take over your other accounts too (like banking and online shopping) by resetting your passwords by email.
  • Tips for creating a strong and unique password:
    • Don’t use a password that is the same or similar to one you use on any other website. A cybercriminal who can break into that website can steal your password from it and use it to steal your account.
    • Don’t use a single word (e.g. “princess”) or a commonly-used phrase (e.g. “Iloveyou”).
    • Do make your password hard to guess even by those who know a lot about you (such as the names and birthdays of your friends and family, your favorite bands, and phrases you like to use).
  • Two-step verification boosts account security by making it more difficult for hackers to sign in—even if they know or guess your password.
  • If you turn on two-step verification and then try to sign in on a device we don’t recognize, we’ll ask you for two things:
    • Your password.
    • An extra security code.
    • We can send a new security code to your phone or your alternate email address, or you can get one through an authenticator app on your smartphone.
  • If your organization hasn’t started leveraging the cloud because you don’t think you can get the visibility or control you need, it’s time to re-evaluate it – the scale, and the threat intelligence and new security capabilities it enables, are likely going to provide higher ROI than you can get on-premises.
  • Organizations should evaluate how the cloud will help them evolve to a “protect, detect, respond” security strategy. Evaluate Azure Active Directory Identity Protection, which is in preview right now.

The new Security Intelligence Report is available at

Tim Rains
Director, Security