Microsoft warns of AI-powered cybercrime surge and calls for stronger global defenses

In 2024, Microsoft found that in eight out of ten cybersecurity incidents it investigated, attackers attempted to access personal or sensitive data by using stolen login credentials. More than half of these breaches were motivated by profit rather than espionage, although state-sponsored groups continued to represent the most significant overall threat.

Microsoft’s Digital Defense Report 2025 warns that artificial intelligence (AI) is rapidly reshaping the cybersecurity landscape, giving both defenders and attackers new capabilities. The report finds that AI-enhanced cybercrime, identity attacks, and ransomware operations are accelerating at unprecedented speed, while human-operated intrusions and cloud-based compromises remain central to global risk.

According to the report, Microsoft’s systems process over 100 trillion security signals daily, revealing a global threat environment increasingly dominated by financially motivated actors. Only 4% of observed intrusions were driven by espionage, while most targeted government, IT, and academic institutions—sectors that hold vast stores of personal and research data.

The United States, United Kingdom, Israel, and Germany were the most frequently attacked countries in early 2025. Microsoft notes that ransomware continues to represent one of the most disruptive forms of cybercrime, with some campaigns able to cripple operations worldwide within minutes. A ransomware attack against a global shipping company was contained in under two minutes, a case Microsoft highlights as evidence of how swift detection can prevent systemic fallout.

AI is now being used by adversaries to generate deepfakes, phishing campaigns, and autonomous malware capable of adapting in real time to evade security controls. Microsoft warns that such tools blur the boundary between automation and human-operated attacks. The company also reports growing abuse of AI systems themselves, through techniques like prompt injection and data poisoning, which could lead to data leaks or unauthorised system behaviour.

The report highlights the surge of infostealer malware, such as Lumma Stealer and RedLine, which now serve as initial attack tools, collecting credentials later sold to ransomware affiliates. Between March and May 2025, India, Russia, and Brazil were among the most affected countries. Microsoft’s Digital Crimes Unit has been conducting coordinated takedowns against access brokers and cyber mercenaries that sell stolen credentials or zero-day exploits.

Nation-state operations also remain active. The report documents ongoing cyberespionage from China, Iran, and Russia, along with North Korean groups using remote workers to generate revenue. It also highlights the growing threat from commercial cyber mercenaries, who sell intrusion capabilities to governments and private clients, often targeting journalists and human-rights defenders.

To mitigate these risks, Microsoft urges organisations to adopt phishing-resistant multifactor authentication (MFA), expand incident-response planning, and share intelligence across sectors. The company identifies MFA as the single most effective defense, blocking over 99% of unauthorised access attempts.

The report concludes that AI is both a defensive necessity and a new target for attackers. As the line between cybercrime and state activity narrows, Microsoft calls for global cooperation, responsible AI development, and investment in “resilience by design” to secure the world’s digital infrastructure.
