CyberWire Daily: "The New Frontlines of Cybersecurity: Lessons from the 2025 Digital Defense Report"
Podcast: CyberWire Daily (Microsoft Threat Intelligence Podcast by N2K Networks)
Date: December 30, 2025
Host: Shera de Grippo (Director, Threat Intelligence Strategy, Microsoft)
Guests: Crane Hassold (Principal Security Researcher, Microsoft), Chloe Mistaghi (Senior Reporting Manager, Microsoft)
Episode Overview
This episode provides an in-depth discussion of the 2025 Microsoft Digital Defense Report (MDDR), exploring how AI and digital transformation are reshaping the cyber threat landscape. The panel deep-dives into key trends of the last year, including the industrialization of cybercrime, the dual role of AI as both a tool and a weapon in attacker hands, changing attack vectors, the continuing prevalence of financially motivated attacks, and the evolving tactics of nation-state actors. The conversation spotlights actionable insights for organizations seeking to fortify defenses in an era of rapid technological change.
Key Topics and Insights
1. Making the Microsoft Digital Defense Report (MDDR)
- Scope & Process: Over 200 contributors worked for nearly a year, collating intelligence from across Microsoft’s vast telemetry—84 trillion security signals per day and data from 1.5 billion endpoints.
- “There are people who specialize in absolute niche, specialized, tiny little pieces of the threat landscape... That’s what is so fascinating about the Microsoft Digital Defense Report…” (Shera, 05:15)
- Audience: Written to be accessible to everyone from policymakers to security researchers.
- Purpose: To offer guidance during a period of radical transformation—especially due to AI and the speed of emerging threats.
- “It’s lighting the room for those that are trying to figure out what to do about the situation.” (Chloe, 02:05)
2. Major Cyber Threat Trends in 2025
- AI as Both Accelerator and Risk:
- AI is prominent on both sides—empowering attackers with sophisticated phishing, automation, and deception but also enhancing defense and detection.
- “If you think of the A in AI standing for acceleration, you’re probably going to get it. It makes everything much faster and bigger in scope and scale…” (Shera, 10:17)
- AI-generated phishing: 54% click-through rate, compared to 12% for standard phishing (Chloe, 09:32).
- Threat Actor Adaptation:
- Attackers rapidly pivot from well-defended channels (like email) to newer, less-protected ones (e.g., Teams, WhatsApp, SMS).
- “Now they’re almost immediately pivoting to things like SMS or Teams or some other mode of communication...” (Crane, 07:18)
- The Boogeyman Hype:
- While fear of AI-driven, undetectable attacks is widespread, the AI-assisted attacks seen today still fall within the range of what existing detection capabilities can catch.
- “There’s this perception that AI is this really scary thing that the bad guys are using to launch... undetectable attacks. I think we need to step back and look at… how that actually factors into our ability to detect these attacks.” (Crane, 06:59)
3. The Financially Motivated Cybercrime Ecosystem
- Dominance of Financial Motive:
- Over 90% of attacks on businesses are financially motivated; only about 4% are pure espionage (Chloe, 16:58).
- “Most crime threat actors generally don’t care if they get caught. Their prime goal is in order to achieve financial gain.” (Shera, 16:24)
- Regional Specializations:
- Eastern Europe/Russia: Hierarchical, organizationally business-like actors behind technical, high-profile attacks (e.g., ransomware).
- West Africa/Nigeria: Informal, networked actors behind high-volume social engineering schemes (BEC, romance scams).
- Southeast Asia: Industrialized scams like “pig butchering”—large-scale investment fraud using long-form social engineering.
- Industrialization & Specialization:
- Cybercrime is an ecosystem with access brokers, data brokers, coders, and operators all playing distinct roles.
- “A lot of these initial access broker gangs… don’t actually ever do ransomware. They just sell access to places where you could do ransomware if you wanted.” (Shera, 23:30)
- Attack Vectors Remain Consistent:
- 80% of initial access is credential-based; vulnerability exploits are only 17% (Chloe, 25:18).
- MFA Still Rules:
- MFA blocks 99% of attacks, yet password spraying and brute force are behind 97% of identity attacks (Chloe, 16:58, 17:34).
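As an added illustration of the spray-versus-brute-force distinction behind the 97% figure above (example code written for this summary, not from the podcast or the MDDR; the log format, IPs, accounts and thresholds are constructed assumptions), a minimal classifier over constructed sign-in events:

```python
from collections import defaultdict

# Constructed sample sign-in events (CSV: timestamp,source_ip,user,result):
# one source spraying many accounts, one source hammering a single account,
# and one legitimate user retrying after a typo.
SAMPLE_LOG = """\
2025-11-03T08:00:01Z,203.0.113.7,alice@example.edu,FAIL
2025-11-03T08:00:03Z,203.0.113.7,bob@example.edu,FAIL
2025-11-03T08:00:05Z,203.0.113.7,carol@example.edu,FAIL
2025-11-03T08:00:07Z,203.0.113.7,dave@example.edu,FAIL
2025-11-03T08:00:09Z,203.0.113.7,erin@example.edu,SUCCESS
2025-11-03T08:01:00Z,198.51.100.9,grace@example.edu,FAIL
2025-11-03T08:01:02Z,198.51.100.9,grace@example.edu,FAIL
2025-11-03T08:01:04Z,198.51.100.9,grace@example.edu,FAIL
2025-11-03T08:01:06Z,198.51.100.9,grace@example.edu,FAIL
2025-11-03T08:01:08Z,198.51.100.9,grace@example.edu,FAIL
2025-11-03T08:05:00Z,192.0.2.20,heidi@example.edu,FAIL
2025-11-03T08:05:30Z,192.0.2.20,heidi@example.edu,SUCCESS
"""

def parse_events(text):
    """Parse CSV lines into (ip, user, result) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split(",")
        events.append((ip, user, result))
    return events

def classify(events, spray_min_users=4, brute_min_fails=5):
    """Spray: one source failing against >= spray_min_users distinct accounts.
    Brute: one (source, account) pair failing >= brute_min_fails times.
    Thresholds are illustrative; tune against your own sign-in baseline."""
    failed_users = defaultdict(set)   # ip -> accounts it failed against
    pair_fails = defaultdict(int)     # (ip, user) -> failure count
    successes = []                    # (ip, user) for SUCCESS events
    for ip, user, result in events:
        if result == "FAIL":
            failed_users[ip].add(user)
            pair_fails[(ip, user)] += 1
        else:
            successes.append((ip, user))
    spray = {ip: sorted(u) for ip, u in failed_users.items()
             if len(u) >= spray_min_users}
    brute = {k: n for k, n in pair_fails.items() if n >= brute_min_fails}
    # A SUCCESS from a spraying source is the top-priority alert: a weak or
    # reused password was hit and MFA is the remaining barrier.
    spray_success = [(ip, u) for ip, u in successes if ip in spray]
    return {"spray": spray, "brute": brute, "spray_success": spray_success}
```

The legitimate retry from 192.0.2.20 is below both thresholds and produces no alert, which is the point of keying on distinct accounts per source rather than on raw failure counts.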
4. Targeting & Victimology
- Top Targeted Sectors: Government, research, academia; these sectors are repeatedly targeted due to valuable dual-use identities.
- Academic identities, especially those used for multiple professional roles, are prime for credential-based compromise and lateral movement (Shera, 18:44).
- Global Hotspots (Jan-Jun 2025): U.S., U.K., Germany, Israel (Chloe, 16:58).
- Incident Response Trends:
- 79% of Microsoft’s incident response in 2025 involved data collection for resale or extortion, not nation-state espionage (Shera, 20:43).
5. Nation-State & Espionage Threats
- Sectoral Targeting:
- IT
- Research/Academia
- Government (Chloe, 26:02)
- Country Focus: US, Israel, Ukraine top targeted nations (Chloe, 26:20).
- Distinct State Actor Behavior:
- Russia: Leveraging existing cybercriminal infrastructure more than developing bespoke operations.
- North Korea: Notably infiltrating IT firms as remote workers—both espionage and revenue generation.
- “North Korean state-sponsored actors [are] getting into IT companies as remote workers...” (Chloe, 26:29, 27:02)
- Motivations, missions, and even cultural nuances drive unique tactics per country; actors rarely share approaches.
- “...there are a lot of like really interesting cultural components…that you likely would never even think about if you don’t actively put yourself in those shoes…” (Crane, 30:52)
- Nation-State Use of AI:
- Rapid rise in AI-powered information operations: “AI twinning” (deepfake news fabrication), training data poisoning, voice cloning.
- 195% increase in use of AI forgeries, including deepfakes, to pass verification and enable fraud (Chloe, 33:01–34:34).
- Not all scary capabilities in research are seen in the wild—mission-driven state actors invest most heavily; crime actors mostly use commercial models (Crane, 35:25, 36:30).
6. The Resilience and Evolution of Social Engineering
- Social engineering is perennial and omnichannel.
- “The same concepts that are used today in phishing attacks…are literally the exact same concepts that have been used for thousands of years to defraud people, to con people. The only difference is now the medium has changed…” (Crane, 40:11)
- If email vanished, attackers would pivot: Threats will follow whichever platforms dominate communications, whether Teams, SMS, WhatsApp, etc.
7. Actionable Takeaways for Defenders
- Awareness is Critical:
- “Just maintaining awareness of trends is important…thinking about…and becoming aware of something, even unconsciously, will help you recognize something in the future.” (Crane, 43:23)
- Focus on Identity & Access:
- Do not reuse passwords/usernames; enable MFA everywhere; pay attention to federated logins.
- Embrace Threat Intelligence:
- Reading reports like the MDDR is foundational for anyone serious about understanding or entering threat intelligence.
- “If you're looking to start in threat intelligence…start by reading reports like this.” (Shera, 44:43)
- The Microsoft Digital Defense Report is Free:
- “$0 for this report. It’s a free report.” (Chloe, 42:58)
Notable Quotes & Memorable Moments
- “If you think of the A in AI standing for acceleration, you’re probably going to get it. It makes everything much faster and bigger in scope and scale than it could be at human scale.”
— Shera de Grippo (10:17)
- “An AI-automated phishing email can achieve a 54% click-through rate compared to just 12% for a standard attempt.”
— Chloe Mistaghi (09:32)
- “Most of the attacks are for money. Espionage is like only 4%.”
— Chloe Mistaghi (16:58)
- “Now you can pivot in so many different directions with just having someone’s credentials…that makes just a single username and password so valuable that it, it has really reshaped what we think of when we think of the cybercrime landscape today.”
— Crane Hassold (21:20)
- “AI twinning is basically taking what you think would be like…CNN…then changing the content completely. But it’s giving a feel that looks exactly identical to what you’re seeing on CNN.”
— Chloe Mistaghi (33:22)
- “North Korean state-sponsored actors [are] getting into IT companies as remote workers…doing the work…at an acceptable level of professionalism and doing the espionage to steal a variety of information, data, intelligence, and then using that paycheck to finance the regime.”
— Shera de Grippo (27:02)
- “If tomorrow all email went away…The actors…aren’t just gonna be like, ‘Oh, okay, you got me, I’m done…’ They’re going to pivot to whatever the new communication mechanism is.”
— Crane Hassold (39:46)
Timestamps for Key Segments
| Timestamp | Segment/Topic |
|-----------|---------------------------------------------------|
| 00:00 | Introduction and scope of Microsoft report |
| 02:05 | Report creation process (Chloe) |
| 06:07 | Threat landscape trends: AI & communication shifts |
| 09:32 | Effectiveness of AI in phishing (Chloe) |
| 11:32 | Crime landscape: Geography & ecosystem |
| 16:58 | Crime stats/targeted sectors (Chloe) |
| 18:44 | Academia’s unique risk (Shera) |
| 21:20 | Shifting value of credentials (Crane) |
| 25:18 | Initial access: credentials vs vulnerabilities |
| 26:02 | Nation-state threat focus, sectors & tactics |
| 33:01 | Nation-state use of AI/deepfakes (Chloe) |
| 35:17 | Crime vs. nation AI investments (Crane) |
| 39:46 | The resilience of social engineering (Crane) |
| 42:04 | Closing advice: read the report, stay aware |
Final Defender Takeaways
- Read the MDDR: It’s free, accessible, and comprehensive—core to awareness for all roles.
- Prioritize Identity Security: MFA and unique credentials remain highly effective against most attacks.
- Stay Informed: Cyber threats evolve with technology; keeping up is crucial.
- Remember Human Element: Most attacks succeed through behavioral manipulation, not technical wizardry.
- Expect Adversary Adaptation: No channel is “safe forever”—defenses must follow user and attacker behavior across platforms.
For the full 2025 Microsoft Digital Defense Report, head to your favorite search engine (or Bing), and dive into the details!
