Microsoft Digital Defense 2024 Report Is Pretty Great
Microsoft recently released the 2024 edition of their Digital Defense Report (https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/microsoft-digital-defense-report-2024 ). And it is the best Microsoft cybersecurity report I have seen. It may be the best cybersecurity report I have seen of any organization…and that is saying a lot because I helped to write many previous Microsoft Security Intelligence Reports when I worked for Microsoft years ago.
The only thing I do not like is its length: 113 pages!
But in those pages, there is great coverage of today’s threats, including who is doing them, how they are doing them, and what you can do to best mitigate them. It covers ransomware, nation-state attacks, access control token cookie theft (Microsoft’s recording 39,000 of these a day! Wow!), MFA bypass attacks, QR code phishing, DDoS attacks, social engineering attacks, and more.
I always scour any big report like this to see how they cover social engineering and phishing. I have long been covering the methods that allow hacking and malware to be so successful, and social engineering, and phishing have been the top cause…so far…since the beginning of computers. I have long pegged it as being involved in 70% - 90% of all successful data breaches (https://blog.knowbe4.com/70-to-90-of-all-malicious-breaches-are-due-to-social-engineering-and-phishing-attacks ).
Most reports back this data up, but some end up using bad taxonomy and mixing up the root causes of hacking and malware (e.g., social engineering, unpatched software, stolen credentials, etc.) with the outcomes of hacking and malware (i.e., ransomware), and underreport social engineering.
Microsoft did not, although they did not report percentages. Phishing is mentioned 107 times. On page 27, Microsoft states, "[For ransomware] The most prevalent initial access techniques continue to be social engineering—specifically email phishing, SMS phishing, and voice phishing—identity compromise, and exploiting vulnerabilities in public facing applications or unpatched operating systems."
On page 33, they write, "Concurrently, we’re observing a shift away from older hacking techniques in favor of methods like phishing and spoofing to compromise credentials and gain access to payment instruments." On page 34, they state, "Phishing remains a perennial cybersecurity threat."
What surprised me though was how prevalent QR code phishing has become. I have noticed a recent uptake in QR Code reported scams and more vendors having reports of it. But I had not realized exactly how prevalent it has become overall. As Microsoft shares in their report, it is now 25% of all email phishing (see their chart from page 34 below).
领英推荐
The future state, "QR code phishing, a technique now used widely to compromise user accounts at scale and create an entry point for business email compromise (BEC) attacks discussed later in this chapter, became widely used in targeted attacks against this sector as early as August 2023."
The report discusses what Microsoft has done to combat QR code phishing…very successfully I may add…and the different tricks QR Code phishers used to get around Microsoft’s newly installed defenses.
There are literally hundreds of newly reported facts, backed by huge data collection at scale to support what Microsoft is sharing about attackers and their attacks. But the best part of the report, and why I truly love it, is their recommended defenses.
They, of course, recommend employee education, especially in verifying content and being on the lookout for impersonated domains.
They are big believers in multifactor authentication (MFA), mentioning it 46 times in the report. Their biggest, most common recommendation is for admins to use PHISHING-RESISTANT MFA!
Note: All users should use phishing-resistant MFA, and not just admins, especially since most successful attacks start with a regular end-user. Why should they have less protection?
I am pretty sure that I was the first person in the world to use the phrase “phishing-resistant MFA”, but now it is pretty mainstream, with Microsoft, Google, NIST, and CISA regularly recommending it. In the report, Microsoft specifically says to move from weaker MFA to phishing-resistant MFA for better protection.
I think I have the only inclusive, comprehensive list of phishing-resistant MFA on the Internet. I could be wrong, but here is my list: https://www.dhirubhai.net/pulse/my-list-good-strong-mfa-roger-grimes .
Microsoft covers a lot of other topics including AI, AI deepfakes, Resilience, SIM swap attacks, FIDO Passkeys, data security, shadow IT, supply chain security, election interference, and more.
You can pick apart any vendor’s cybersecurity report, but I find Microsoft’s 2024 edition of their Digital Defense report to be among the best reports ever.