CyberWire Daily - The New Frontlines of Cybersecurity: Lessons from the 2025 Digital Defense Report [Microsoft Threat Intelligence Podcast]

Episode Date: December 30, 2025

While our team is out on winter break, please enjoy this episode of The Microsoft Threat Intelligence Podcast from our partners at Microsoft.

In this episode of the Microsoft Threat Intelligence Podcast, host Sherrod DeGrippo is joined by Chloé Messdaghi and Crane Hassold to unpack the key findings of the 2025 Microsoft Digital Defense Report, a comprehensive look at how the cyber threat landscape is accelerating through AI, automation, and industrialized criminal networks. They explore how nation-state operations and cybercrime have fused into a continuous cycle of attack and adaptation, with actors sharing tooling, infrastructure, and even business models. The conversation also examines AI’s growing impact, from deepfakes and influence operations to the defensive promise of AI-powered detection, and how identity compromise has become the front door to most intrusions, accounting for over 99% of observed attacks.

Listeners will gain perspective on:
- How AI is shaping both attacker tradecraft and defensive response.
- Why identity remains the cornerstone of global cyber risk.
- What Microsoft’s telemetry, spanning 600 million daily attacks, reveals about emerging threats and evolving defender strategies.

Questions explored:
- How are threat actors using AI to scale deception and influence operations?
- What does industrialized cybercrime mean for organizations trying to defend at scale?
- How can defenders harness AI responsibly without overreliance or exposure?

Resources:
- Download the report and executive summary
- Register for Microsoft Ignite
- View Chloé Messdaghi on LinkedIn
- View Crane Hassold on LinkedIn
- View Sherrod DeGrippo on LinkedIn

Related Microsoft Podcasts:
- Afternoon Cyber Tea with Ann Johnson
- The BlueHat Podcast
- Uncovering Hidden Risks

Discover and follow other Microsoft podcasts at microsoft.com/podcasts

Get the latest threat intelligence insights and guidance at Microsoft Security Insider

The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of the N2K media network. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 Welcome to the Microsoft Threat Intelligence podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage? Cybercrime, social engineering, fraud. Well, each week, dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity.
Starting point is 00:00:30 It might get a little weird. But don't worry, I'm your guide to the back alleys of the threat landscape. Hello and welcome to the Microsoft Threat Intelligence podcast. I am Sherrod DeGrippo, director of threat intelligence strategy here at Microsoft. And today, we are diving into the 2025 Microsoft Digital Defense Report. We're going to look at how AI and digital transformation are reshaping cybersecurity. We're living through a pivotal moment where threats are evolving faster, impacting everything from economies to public trust. And in today's episode, we'll break down some of the key trends, the rise of industrialized cybercrime, one of my favorite topics. And we'll talk about what organizations
Starting point is 00:01:16 can do to stay ahead. So let's get started and explore what is in the Microsoft 2025 Digital Defense Report. To do that with me today, I have two fantastic guests, Crane Hassold, principal security researcher here at Microsoft, and Chloé Messdaghi, senior reporting manager who leads the MDDR. Chloé, Crane, thanks for joining me. Thanks for having us. Great to be here. So the MDDR is something that is worked on essentially for a year. And we pull in data and commentary, opinions, intelligence reporting, all of these things from across Microsoft to get it out to the people. Chloé, can you kind of tell me what that process is like?
Starting point is 00:02:05 The process, believe it or not, yes, it takes up to a year. We had about 200 contributors for this year's MDDR. But the most incredible thing is all this knowledge that comes into this report and then having to write it in a way that anyone can understand it. So if you're a policymaker, you can understand it. If you are a CISO, you can understand it. If you're an executive, you can understand it. If you're a security researcher, you'll definitely be able to understand it.
Starting point is 00:02:34 So basically we set up the scene for that. And what we're trying to do is, as you mentioned, Sherrod, is that we're going through quite an interesting time. And because we're going through interesting times, we're also going through them in the dark. We're trying to figure out what do we need to do. How do we stay safe? How do we secure things when everything's changing, especially with AI? And that's what this report does.
Starting point is 00:02:59 It's lighting the room for those that are trying to figure out what to do about the situation and help provide that guide for them. It's really an interesting process. This is my third one at Microsoft that I've been through. And I know, Chloé, you're new. This is your first one. Crane, is this your first or second? This is my first.
Starting point is 00:03:19 Okay, tell me how it feels. What's it like? So one of the things that I really enjoyed about sort of contributing to the report this year is, you know, at Microsoft, we really get a really good understanding about how complex the overall cyber threat landscape actually is, right? So it's not like we just have access to and just have insights into email-based threats, but we also have access into endpoint and Teams and cloud-based apps and all of these different things that cyber threat actors are sort of using, different components of this landscape in various different ways. And what's really interesting is to see how they're pivoting from one thing to another, you know, when it comes to pivoting from email
Starting point is 00:04:05 over to Teams for things like spam bombing, or how BEC attacks and how credential phishing leverage email-based attacks and pivot that into different other cloud-based accounts and leverage those in different ways. Like the complexity of that landscape, you really get to see it when you're working on this report. I've worked on it a couple of times now.
Starting point is 00:04:28 And some of the things I think that people might be interested to know, there is a team who works on this almost all year long. So there's dedicated people at Microsoft who are constantly gathering this. And I'll be in threat landscape meetings. And every once in a while, somebody will pop up and say, oh, we should add that. We should add that to the digital defense report. We should add that.
Starting point is 00:04:49 So it's something that Microsoft is always thinking about, internally. And I also think it's important to hear from Crane and Chloé about where this data comes from. So Microsoft has 84 trillion security signals coming in a day. We have 1.5 billion endpoints. That endpoint number really blows my mind in terms of the breadth and depth of visibility that Microsoft has into the threat landscape. I also think that it's really interesting when we build this report that we go get these experts from across the company who, for those of you who don't know, I still consider myself very new to Microsoft. I'm coming up on three years, but it still seems very new to me. There are people who specialize in absolute niche, specialized tiny little pieces
Starting point is 00:05:38 of the threat landscape and tiny little pieces of data. And that's really, to me, what is so fascinating about the Microsoft Digital Defense Report every year is that you've got the top experts in the tiniest little specializations giving you the view of what's going on. So let's talk about the landscape a little bit. Crane, what are the threats that you're seeing highlighted here? And what's going on in terms of like what we've seen in the past year? What are some threats that you found to highlight? I think some of the really interesting components of the threat landscape that, you know,
Starting point is 00:06:12 we saw a little bit before, you know, the past year, but we're really starting to see it in full effect more recently are, I guess, two things. One is the way threat actors are leveraging AI, Gen AI, LLMs, in their attacks. And what that means for detection and protection of customers. And I think that, you know, when we look at that, there are some, there's like a boogeyman of AI that's out there that everyone thinks that AI is the sort of silver bullet. Is that why the Microsoft Digital Defense Report comes out in October? Because it's spooky? You know what?
Starting point is 00:06:50 Perhaps. I didn't even think about that. Haunted computers. I don't know. Yeah, these computers definitely have ghosts inside them. Yeah. But so, you know, there's this perception that AI is this really scary thing that the bad guys are using to launch just insanely realistic, undetectable attacks.
Starting point is 00:07:13 And I think when it comes to those types of attacks and what we've seen, I think we need to step back and look at, hey, yes, AI is certainly being used by the bad guys in certain different ways, but what does that actually mean? And how does that actually factor into our ability to detect these attacks? And we can get into that in a little bit more detail if you want. But then the other side of it is the way that threat actors are pivoting to non-traditional modes of communication in their attacks. You know, we have previously seen this trend where, you know, email has always been the number one initial attack vector for most cyber threats. And many times in the past, if you go back maybe two or three years, it sort of
Starting point is 00:08:00 really just stayed within the email sphere. Now we're really seeing these threat actors pivoting from email, which still is the number one attack vector. But now they're almost immediately pivoting to things like SMS or Teams or some other mode of communication, WhatsApp for some companies in places like Europe where WhatsApp is used more commonly for business purposes. That pivot is also really interesting because they're trying to get off of these platforms where we have built detection mechanisms for decades and we've gotten pretty good at it. And now they're trying to move on to other platforms where that detection really isn't as controlled. So I think those are the two primary trends that really stuck out over the past year that have really come, you know, into
Starting point is 00:08:47 full effect. Yeah, I think that's something I've noticed too, is that if you're going to use social engineering, which, hey, it works. Why would you not use it? We see that a lot of threats kind of either leverage social engineering as a foundation or they sprinkle it in somewhere to kind of make things easier on themselves. And that means that every means of communication, whether it's email, Teams, SMS, fax machines, letters in your mailbox, whatever it may be, when people can communicate with you, they have the ability to leverage social engineering, a threat actor does. Chloé, let me ask you, what did you see in the report that kind of stuck out
Starting point is 00:09:30 in terms of trends or things that are happening? I would definitely say that AI can be a benefit and it could be a vulnerability. I would say, you know, basically what you shared, and also Crane, for example, an AI-automated phishing email can achieve a 54% click-through rate compared to just 12% for a standard one. So if you think about that, that's a 4.5 times improvement. Because now, you know, you won't see the spelling issues. So people are more likely to click on it. Also, you're going to have better graphics in there.
Starting point is 00:10:04 You're going to have things that are going to be more replicated that look identical to something official. So this becomes kind of scary because it's still the way in many times to get into an enterprise. I think that's interesting. And I think that looking at threat actors using AI for the past couple of years, they're really using it similarly to how you and I use AI research and building and cleaning things up and getting code started. I always tell people I am not a software developer, I'm not a software engineer. But every once in a while, I need to do some of that work. I need to write scripts or I need to build something really quickly or I need to understand a piece of code.
Starting point is 00:10:46 And AI is really helping people at my level get that down, get that done. And so threat actors, of course, are using that as well. And I think the thing that I really like to tell people, I say a lot, is that if you think of the A in AI standing for acceleration, you're probably going to get it. It makes everything much faster and bigger in scope and scale than it could be at human scale. So I think that, you know, AI is making people faster. It's enabling things to go faster, including the threat actors. We'll talk cybercrime, and then we'll go into nation state. So Crane, anything interesting sticking out for you in terms of where the crime landscape
Starting point is 00:11:30 and the financially motivated landscape is going? Yeah, I mean, so the financially motivated landscape is really where I've lived and focused for the past 10 plus years. Because it's better. I just say that it's a little bit better. I mean, it's really more. When people admit that it's better, it makes my heart sing. A little rainbow just popped over my head.
Starting point is 00:11:50 I mean, when you think about the fact that it's about, you know, 90 plus percent of attacks that most businesses see every single day are going to be financially motivated in some sort of way. And, you know, a very small percentage of attacks are really just mission-oriented state actors, I think financially motivated attacks have easily the biggest impact to the global threat landscape every single year. And so when it comes to financially motivated attacks, I think what's really interesting is, to me, is seeing how it differs based on the geography of where the threat actors are coming from. And it's most people, I think, when they think of
Starting point is 00:12:30 cybercrime, they probably think of Eastern European and Russian threat actors that are, you know, sending out ransomware campaigns. And absolutely, those are actors that are out there. And what's interesting is that they are very, very businesslike. It is very much a business and has a relatively structured hierarchy from top to bottom. And a lot of the more technically sophisticated attacks that we see that are financially motivated on a day-to-day basis are coming from Eastern European and Russian actors. But then when you pivot to some of the more voluminous attacks that we see, things like business email compromise, right? So the pure social engineering attacks that are pretending to be the CEO of a company or, you know, a supposed vendor asking for a wire transfer to another
Starting point is 00:13:20 account, you know, those are generally going to be coming from other locations. So West Africa, Nigeria is the big hotbed for BEC attacks, even though we have started to see that spread out a little bit more. But when we look at those actors, those actors are very different, structured very differently than the more traditional cybercrime actors, where there is very little structure and hierarchy to the way that they work together. They're usually going to be sort of individual actors that are working with some people one week, some people another week, and you have specialties where you have actors that are doing certain types of things like collecting, getting the mule accounts
Starting point is 00:14:01 that are being used to receive fraudulent funds, and then you have the guys who are responsible for actually sending out the spam campaigns. And then when you have things like, like you talked about, places like Southeast Asia, where, you know, a lot of people probably heard about the pig butchering attack,
Starting point is 00:14:17 which the name is one of the worst names for a cybercrime that has, in my opinion, that has been developed for each other. It's so gross. Oh, it's terrible. I just really quickly want to recommend to everyone, if you want a fantastically interesting, riveting look at pig butchering and you've only got an hour, John Oliver on Last Week Tonight. Did you guys see that? Oh, I saw that. That was so good.
Starting point is 00:14:43 It's so good. I mean, you will be riveted watching that, especially if you're in threat intelligence or information security. If you work in these fields, watching how operationalized and industrialized pig butchering is. And pig butchering is essentially long-form social engineering in order to get some kind of financial payoff. Crane, do we consider romance scams part of pig butchering? Are they their own thing? It's its own type of thing. Romance scams are really a, that's a primarily a West African sort of style attack. It's been around for, I mean, 30 years at this point in full effect. But in many cases, those are intermediate, that's an intermediate scam to get to something else. So a lot of romance scam victims get pivoted into other types of scams or using their accounts to receive fraudulent funds.
Starting point is 00:15:35 But when you get to pig butchering, you're right. It is very industrialized. Again, the structure is very different where you have a very small number of people at the top of these hierarchies and then a massive amount of people at the bottom that are doing the day-to-day, running the day-to-day scams in warehouses and things like that. And a lot of that is, a lot of the purpose for that is to, you know, investment scams are the big sort of component to those where they're trying to get people to get invest, you know, to make investments in things like cryptocurrency, and then they get scammed that way. So when you look at sort of the global nature of cybercrime, it's everywhere, but you can really start to see where different trends are emerging from and how that impacts what we see on a day-to-day basis. Chloé, anything you want to share in terms of the crime or financially motivated landscape? That's, to me, the one where the really creative TTPs usually are.
Starting point is 00:16:33 That's where, let's be honest, most crime threat actors generally don't care if they get caught. Their prime goal, the action that they're taking, is in order to achieve financial gain. So they don't really care where it comes from, and thus targeting is much more squishy than nation-sponsored threats. Chloé, anything that you want to mention about the cybercrime landscape that comes out of the new report? Yeah, like Crane stated, mostly attacks are for money. Espionage is like only 4%. So if you think about that, yes, it's money-driven. And 33% of the incidents involved financial extortion as well.
Starting point is 00:17:13 The one thing that we definitely noticed was that adversaries have been using well-known initial access routes. It hasn't really changed, if you think about it. They're still using the same routes that have been around. However, I would say that, you know, certain things have also changed in the number of attacks. When we think about, you know, targets for access to data, we see government is top this year, IT was second, and third was research and academia. And then if we look at, when we think about countries most impacted by cyber threats from January to June 2025, you have the U.S., you have the UK, then you have Germany, and then Israel. And when we think about, you know, how are threat actors,
Starting point is 00:18:02 What are they doing right now? They're logging in. They're logging in now. So if you think about it, you need to protect your identity. Identity access is something you have to really focus on. So having MFA, honestly, if you have MFA, 99% you will be safe. So if you think about it, something so easy as that can do such a huge difference. The other thing I would end with on that front is that when we think about identity attacks,
Starting point is 00:18:28 97% of those were from password sprays or brute force attacks. And then when we think about compromised signals by sector for identity, we're looking at research and academia played a huge situation this year. I think that the targeting is really interesting because a lot of those that work in academia have two jobs. What is the thing you always hear people complain? Oh, I can't make any money as a professor. I have to do X, Y, Z as well.
Starting point is 00:18:58 And many of them do. So some of them write books. Some of them teach at other universities as well. Some of them have podcasts that they monetize. But a really common thing is for academics who have a professorship or they're an emeritus or something like that where they're not making a full livable wage teaching. That's a discussion for a different podcast. they tend to get jobs in their specialties.
Starting point is 00:19:23 Now, imagine somebody who is a physics professor, teaches at a prestigious technical university, and also works maybe in the defense industrial base, maybe also works at a law firm because they're illegal, they're in the law school. The things that those people know are valuable to the school, and their identity is valuable for their other roles.
Starting point is 00:19:45 So if you can compromise the identity that they use to teach under, their dot edu, you can usually use that to pivot over to the role that they use for their business, whether that's in a law firm or in a teaching hospital or in technical concerns that might be really sensitive. So I think that's really where academia needs to shore up some of its defenses, is thinking about these people who have these dual roles. They're not just teachers.
Starting point is 00:20:15 And those .edu accounts are really important to protect. Before we go to nation-sponsored, I just want to mention this stat that was in the report that I find not only interesting to me, but also really justifies my obsession with the crime landscape, which is that 79% of Microsoft's incident response engagements are data collection for resale or extortion. So those are not nation-sponsored threats that are doing that. That is the crime landscape. And I think it's important to remember, as we enter this world of AI, those big data dumps, even the ones that are multiple years old, those big breach dumps
Starting point is 00:20:54 are going to become more valuable than they were, because 8 terabytes of data three or four years ago was a multi-person huge slog. It was a nightmare. Eight terabytes of data to search through today is as easy as asking an LLM what's in it using natural language. So remember that those data breaches from before are just as dangerous, if not more, today than they were when they first happened. And I also think that it also really highlights the fact that initial access is the main focus for attacks today, because now you can pivot in so many different directions with just having someone's credentials and do so many different things that it's very different than what it was, like, 10 years ago.
Starting point is 00:21:41 When you think of, like, take credential phishing, for example, 10 years ago, when most people saw a credential phishing email, it was probably for their bank. Like, they were probably trying to get their log-on credentials to hack into their bank account and just take money directly out of their bank. What we started seeing about, what, about eight years ago, seven years ago, was that that entire credential phishing landscape changed.
Starting point is 00:22:03 It was about the same time when ransomware, enterprise-focused ransomware, came onto the scene, where you started seeing enterprise credentials being easily the number one target for cybercrime actors, because not only are you getting access to someone's email, which is a treasure trove of potential intelligence, but also you can move to using that trusted valid account to send additional phishing campaigns, massive phishing campaigns, to other people. You can then pivot into the cloud and steal sensitive information or data that way, hold it for ransom or sell it to someone else. You can do so many different things that
Starting point is 00:22:42 makes just a single username and password so valuable that it has really reshaped what we think of when we think of the cybercrime landscape today. Can I just add one thing to that? To anyone who's listening, if you have family and friends, chances are they're probably using the same username, right? So this is why it's so important: do not use the same password. At the end of the day, when you have those two together and you don't have MFA, or MFA is not offered on whatever website you go on, at least change your username too. That's the thing we tend to forget, is also usernames are usually reused so many times that when it comes to guessing passwords, it becomes a lot easier. And if you don't have MFA, you're out of luck. I like to tell people, especially those that are not in the industry, those just kind of, you know, those friends that we all have
Starting point is 00:23:36 who are like, hey, Sherrod, you do the computers, right? And I'm like, yeah, I do. You know, they ask, well, should I do this MFA thing, et cetera? And I'm like, well, any accounts that you wouldn't want your ex-girlfriend or your ex-boyfriend to get into, yeah, you should. Not because they're trying to hack you, but because that should be the level of concern is everything. You should not want anyone in any of your stuff, especially things like social networks, especially things like obviously your email, especially things like federated logins. You know, you go to log into a new site or something, and it's like you can create your own username and password, or you can log in with your existing whatever account, your existing Apple,
Starting point is 00:24:20 your existing Google, your existing Amazon, existing Facebook, on and on and on. Be really, really careful with those federated logins and make sure that you've got MFA turned on. One last thing that I want to remind everyone about when it comes to crime is that it really is an ecosystem. It's not just threat actors doing ransomware. It is facilitators and data brokers and access brokers and coders and people who, like a lot of these initial access broker gangs, they don't actually ever do ransomware. They just sell access to places where you could do ransomware if you wanted. And I think that that's a great example of how a lot of these ecosystems work, which is there are people doing little pieces, and they aren't
Starting point is 00:25:08 all doing ransomware. In fact, only a few groups are really doing the ransomware aspect, and none of them, from what we have seen, are doing it alone. They're all depending on that entire ecosystem. Yeah, we did see that with access brokers this year, like the top initial access vectors were credential-based attacks, which is 80%, and then vulnerability exploitation, which is 17%, and that's the second one. So just to highlight what Chloé is saying, vulns only make up 17%. The rest of it is logging in, social engineering,
Starting point is 00:25:41 things that are, frankly, harder to detect in many ways because they involve some sort of credential access that's just a login. Okay, let's talk nation-sponsored and espionage. What are we seeing on the threat landscape when it comes to nation-sponsored threats, and how does that look? I would say that for this year,
Starting point is 00:26:05 when we look at the overall picture of nation-states, the most targeted sectors were first IT, then research and academia, and then government. And then the top activity levels observed were in the U.S., Israel, and Ukraine. And are we seeing any particular trends in terms of tactics or things that nation-sponsored threats are leveraging lately?
Starting point is 00:26:29 Well, I would say, for example, Russia, we noticed that there was a reduction in developing bespoke operations, and they're more leveraging the current cybercriminal ecosystem. So we saw that. And then with North Korea, we have definitely seen an increase of remote workers. We've probably seen it on the headline news
Starting point is 00:26:50 this year, but we have seen North Korean state-sponsored actors getting into IT companies as remote workers. So that's something to think about. That's something we've been tracking for probably the last year or two years. North Korean IT workers are getting jobs at regular companies, doing the work. That's always the thing that strikes me as so strange, is that they aren't just getting the jobs doing espionage and disappearing.
Starting point is 00:27:21 They're getting the jobs, getting the access, doing the work. They are assigned at an acceptable level of professionalism and doing the espionage to steal a variety of information, data, intelligence, and then using that paycheck to finance the regime. Yeah, that's the thing. People forget. It's also revenue generation at the end of the day. So I find those attacks to be fascinating. And for the same reason that you do, Sherrod,
Starting point is 00:27:51 it's a really good example of the difference between state actor, mission-oriented attacks, and financially motivated attacks. Because you would never, ever see a financially motivated actor doing that because there's no profit in it, right? The profit margin goes down. With mission-oriented attackers, it doesn't matter how long or how many resources or how much money it takes to fulfill the goal. You're going to fulfill the goal.
Starting point is 00:28:20 That's the entire endgame of it, regardless of how much time or effort it takes. And so if you, if the goal is to make money to try to get money for a, you know, a state nuclear program, right? If my entire goal is to do that and my supervisor, supervisor tells me that's what I have to do, that's what I'm going to do. And I'm going to go get a job. I'm going to go make money like anyone else does. And then when they tell me that, okay, now you have to do this, now I'm in the place to do it. And it's like that for most mission-oriented attackers that we see when it comes to state actors out there. It really drives home the point that motivation really matters when it comes to these nation state actors because this is where threat intelligence comes into play.
Starting point is 00:29:11 It's about understanding, am I the potential target of these actors that are going to spend an inordinate amount of time and money to try to impact me? Am I on their radar? Realistically, very few businesses around the world are probably going to be on the radar of most nation-state actors, but for those that are on the radar, it is extremely important to understand and keep up to date with what you may see coming from those actors. Yeah, for the ones that, so we looked at China, Iran, Russia,
Starting point is 00:29:50 North Korea this year. And each sector that they focus on is different. If you think about like the list, they're different. The targeted countries are different. They're not in the same order. They're unique and different. Yeah, I think that we have to look at each nation, especially of those top four, as their own missions and objectives and what they're doing. And for, you know, there's not a lot of people. I, obviously, I work in MSTIC, Microsoft Threat Intelligence. There's not a lot of people that cover all of them. There are very few that are working the landscape from every threat actor group all day, every day. It's very rare just because people specialize on one. But it's interesting when you start asking the specialists
Starting point is 00:30:37 on each different country, what those tactics look like. They are really quite different. And I think people wishfully hope, oh, they'll be copycat. They'll share data. This country will work with this country. We just really don't see that. So back in the day, before I was in the private sector, I worked with the FBI for more than 11 years. And a lot of that I spent in the behavioral analysis units and looking at cybercrime from a behavioral component and not a technical component. And what was really interesting is we saw the exact same thing: understanding how to analyze the behavior from a Chinese-based nation-state actor, to from a Russian state actor, from a U.S.-based financially motivated actor, not only are they different based on their missions and objectives and motivation,
Starting point is 00:31:30 but also there are a lot of really interesting cultural components to that as well that come into play that you likely would never even think about if you don't, like, actively put yourself in those shoes and sort of step back and say, hey, you know, I'm usually I'm looking at Nigerian BEC actors. Now I'm looking at some sort of attack that came from a potentially Chinese actor.
Starting point is 00:31:57 I've got to think about those attacks from a very different perspective because a lot of what we see is influenced by non-technical things that you really don't think of when we think of a cyber attack. One of the things that's really interesting working on the Microsoft threat intelligence team
Starting point is 00:32:12 is we have language specialists and culture specialists that will get into underground forums. that will look at code, that will understand how the threat actors are communicating with each other amongst their own team, what these things mean. Some of our analysts have shown me new kinds of slang that I never heard of before. And they're like, oh, yeah, it doesn't really translate exactly, but, you know, Megadoc means whatever that this about the time. And I'm, you know, I just can't believe that we have people that are tracking and specializing in understanding
Starting point is 00:32:43 that threat actors culturally. And from a language perspective to that degree, it's really interesting. So, Chloe, I know that you have some really interesting data around how nation-sponsored threat is using AI. What are they doing with it? What's the objectives? How are they leveraging AI out there? Yeah, great question. I'd say that in the last six months, we've seen AI use and influence operations have picked up incredibly aggressively. And we're seeing that in AI tweeting.
Starting point is 00:33:13 We're also seeing that in training data, poisoning, and voice cloning and masking at this time. time. And what is AI twinning? AITWINN is basically like taking what you think would be like, give example, CNN, right? You're watching a CNN post and giving an update on the latest news or breaking story. AI twinning is basically taking that, but then changing the content completely, but it's giving a feel that looks exactly identical to what you're seeing on CNN. And what is the objective there to disseminate information that goes with influence operations? Yeah, it's basically is to, you know, change perceptions. So, you know, a lot of misinformation, disinformation, campaigns at the end of day. I think another point to mention about AI is that the report
Starting point is 00:34:03 says that deep fakes and just generally AI generated identities are being used to pass verification checkpoints and that there was a hundred and ninety five percent increase in the use of AI forgeries, which includes deep fakes and things like that. So those synthetic identities are growing in use. It's becoming easier and easier to create fake personas that are super convincing, which means authentication is a lot harder and fraud is a lot easier. Absolutely. And it is definitely a growing pain, especially, I don't know if you all remember, but it was in 2024, at the beginning of 2024, that there was a case in Hong Kong where a threat actor basically did a deep fake of a CFO for a company and got their financial worker employee
Starting point is 00:34:57 to think that it's actually their CFO and then basically sent 25 million over. These are things that are happening. These are things that we have to be very concerned about. And, you know, it's something, you know, we're entering a new era, you know, with the use of AI. And we're going to see more of this kind of stuff happening probably. And it makes it easier for threat actors because they can operationalize that, like they operationalize everything else. And they can do it at scale. Exactly.
Starting point is 00:35:25 And I also think that it's really important to separate what is possible with what is practical when it comes to most threats out there, especially when it comes to AI, for influence operations that are going to be coming from state actors, mission-oriented actors, again, they have the means and the motivation to really leverage AI to its fullest potential, I think. They're the ones who can invest in building their own large language models, LLMs, to really focus what they want AI to do for them. Most financially motivated actors that are out there are simply going to be using what's off the shelf to make their jobs a little bit easier from a day-to-day perspective. So when it comes to deep fakes, when it comes to all these things that we know,
Starting point is 00:36:15 if we go to Blackadder DefCon every year, there's always something new on AI that sounds really, really scary. But at the end of the day, for all practical purposes, you're likely never going to see that in the wild because no one's going to invest that much effort or energy into making that come to fruition. unless they are trying to fulfill a very specific mission and have the time to do so. Finanical motivated actors likely aren't going to do that. And even when you come to that, you know, the example that you were talking about in Hong Kong, right?
Starting point is 00:36:49 In that case, my assumption, while I don't know too much about that case, my assumption is that actually was not, while it was a financially motivated act, it may not have been really financially motivated active. Interesting. I think that ability is something that technologists like a, us have to think further down the road, what will it be like? What are we going to see? And then compare that to the reality of what we're seeing today. I think that getting really wild with tabletop scenarios and threat modeling can be fun. But also when it's not based off of reality,
Starting point is 00:37:23 that's why we talk so much about what's in the wild. Are we seeing this really being leveraged by threat actors or are we not? And that's where things like in the wild come into play. But I think knowing where threat actors are today, knowing what the potential is, and then trying to to look down the road to be realistic about what can happen. I did see something, too, in the report that fishing driven by AI is three times more effective than the traditional way. And I have a feeling that's just going to increase. If I will interject, because this is like my soapbox, to be honest with you, if it reaches its target, it is more effective. If it reaches targets. Okay, I love that. And I think that's logical. Like, if you see a lot of the
Starting point is 00:38:05 the stuff that's coming out and you see what's generated in some of these phishing emails that we detect on a daily basis. They look really good and really realistic. And it takes very little energy to be able to develop those because of what's out there today with sort of off-the-shelf commercial GI models. But when we look at how we detect those attacks, whether it's looking at the infrastructure that they're coming from, understanding their relationships between the recipient and the sender, understanding just the general context of the message itself, and putting that all together,
Starting point is 00:38:41 AI doesn't really influence a lot of the methods that we use to detect those attacks. And so AI does not necessarily make it harder to detect a fishing attack, but if it makes it to its target, it will likely be more impactful. And I always equate this to, you know, a tree falling in the forest, right? If a phishing email is generated using AI, but never reaches its target, doesn't make a sound. I equate to that because this goes back to thinking that AI is this really scary silver bullet, and it's really not.
Starting point is 00:39:17 There are, while it can be used very effectively in a number of different ways, maliciously, there are, it really doesn't apply to a lot of the components of a special email-based attack. that we use to prevent or detect them. That leads me to a question that I'd love to ask people, especially those who work in email, which Crane, I spent, like, I got a lot of gray hair from my email time. I know you did too.
Starting point is 00:39:44 Should we stop using email? I don't think it matters, to be honest with you. I think that because most of the attacks are financially motivated, and most of the most attacks today initiate or initiated through email, if tomorrow all email went away and we were like, we're just, no one's ever using email again. And the actors that are out there that are making money off those attacks aren't just going to be like, oh, okay, you got me.
Starting point is 00:40:09 I'm done. I'm going to go, I'm going to go away now. We solved crime. Yeah, we're just going to go do legitimate stuff now. No, they're not going to do that. They're going to pivot to whatever the new communication mechanism is. And it's always back to social engineering, right? So the same concepts that are used today in fishing attacks
Starting point is 00:40:27 in other sort of social engineering attacks are literally the exact. Exact same concepts that have been used for thousands of years to defraud people, to con people. The only difference is now the medium has changed, and that's email. If email went away, it would go to Teams or SMS or WhatsApp or Telegram. It's not going to disappear. The same actors that were using email are just going to pivot to wherever we go next. So unless we just stop talking to each other, which I don't think is going to happen,
Starting point is 00:41:01 you know, the issue will just continue on. So what you're saying is for those of you who are listening out there, no, you can't get rid of email. You still have to, you still have to use your email. You still have to check your email. But I always love for people to just take a step back and think about the differences between their personal and their work email and how they basically don't use personal email anymore.
Starting point is 00:41:23 It has been sort of pushed to the way aside by things like SMS and various chats and signal and Instagram DMs and all. of these different platforms that we have that are better featured, more secure, have identity verification, and authentication, things like that. So, you know, personal email has kind of fallen off. Maybe work email will go the same way. We'll see. I'll hope for it. Crain, Chloe, thank you so much for coming and giving us kind of a preview into all of the different things that are in the Microsoft Digital Defense Report. I'll just ask each of you as a closing question. I'll start with you, Chloe. What do you think defenders need to know? What can they do?
Starting point is 00:42:01 to kind of protect themselves from some of these threats? This is going to come off very marketing, but I would say read the report. Read the report. I think we made it really easy for no matter like how you're, your type of reader you are. If you're one of those people that just wants to like get to the highlights, the points,
Starting point is 00:42:20 we have key takeaways in every section. So you can just go there to find what page you need to go. But if you're one of those people that likes to read from the very beginning all the way to the end, this reports for you too. There's also a glossary, so if there's ever any terms, so you're like, I'm not too familiar with. There's a glossary there. So we really try to make it really accessible for everyone to read.
Starting point is 00:42:41 And I do highly recommend checking out this year's report. So question on that. Chloe, you know, I'm on a budget. I'm just wondering, how much does this report cost? What are the prices? Oh, wow. You know, you got to take out your checkbook and take away then. And then it's zero.
Starting point is 00:42:57 It's zero. You just go to it. So, dollars for this report, it's free? It's a free report. It's a free free. That's incredible. I don't know how we do it. No, it's no good, right?
Starting point is 00:43:07 Yeah. So you can go get the Microsoft Digital Defense Report for free. Right now, it's available. Just go to your favorite search engine, which is Bing, and, you know, just search it up. And you'll get the 2025 Microsoft Digital Defense Report. Crane, what do you think defenders need to know? What would you like to leave them with? So I agree with Chloe.
Starting point is 00:43:24 I read the report. If nothing more than just maintaining awareness of what is actually, happening out there and what the trends look like in the general threat landscape is important. And in the fact that sort of primes your brain to look out for potential attacks. You know, I'm actually reading slash listening to a book right now that's all about sort of the understanding information and system one and system two behavior and stuff like that. And just thinking about and becoming aware of something, even unconsciously, will help you recognize something in the future. So just maintaining awareness of trends is important for
Starting point is 00:44:00 that. And then also, when it comes to cyber threats, recognizing that they aren't, in general, they aren't these really technically sophisticated things that are out there. It is almost all cyber threats, at least initially, are all about exploiting human behavior. There's very little technical sophistication behind them. That's usually what comes second. But what comes first is all about behavioral manipulation and understanding that is really the key to understanding how cyber threats sort of will occur and what you'll actually see when it comes to those. It is really important and sort of decoupling the fiction from reality when it comes to cyber threats.
Starting point is 00:44:43 I love that. Thank you both for being here. I'll leave my final point. I get asked all the time. It's one of the top questions people ask me. They say, share it. I want to get into threat intelligence. what do I need to do? Where do I start? How do I get into it? You start by reading reports like
Starting point is 00:44:59 this. So if you're looking to start threat intelligence, incorporate more threat intelligence into your daily work, regardless of what your role is, one of the places that you need to start is reading reports of this type. Crane, Chloe, thank you so much for joining me on the Microsoft Threat Intelligence Podcasts, and I hope to have you back soon. Thank you. Thank you very much. All right, everyone, go check out the Microsoft Digital Defense Report for 2025 and hope you find out some new interesting information about threat actors in there. Thanks for listening to the Microsoft Threat Intelligence Podcast. We'd love to hear from you.
Starting point is 00:45:38 Email us with your ideas at TI Podcast at Microsoft.com. Every episode will decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, MS Threat Intel Podcast. Podcast.com for more and subscribe on your favorite podcast app.
