
The New Frontlines of Cybersecurity: Lessons from the 2025 Digital Defense Report
Sherrod DeGrippo: Welcome to "The Microsoft Threat Intelligence Podcast." I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry, I'm your guide to the back alleys of the threat landscape. Hello and welcome to "The Microsoft Threat Intelligence Podcast." I am Sherrod DeGrippo, director of threat intelligence strategy here at Microsoft, and today we are diving into the 2025 Microsoft Digital Defense Report. We're going to look at how AI and digital transformation are reshaping cybersecurity. We're living through a pivotal moment where threats are evolving faster, impacting everything, from economies to public trust, and in today's episode we'll break down some of the key trends, the rise of industrialized cybercrime, one of my favorite topics, and we'll talk about what organizations can do to stay ahead. So let's get started and explore what is in the Microsoft 2025 Digital Defense Report. To do that with me today, I have two fantastic guests, Crane Hassold, principal security researcher here at Microsoft, and Chloe Messdaghi, senior reporting manager who leads MDDR. Chloe, Crane, thanks for joining me.
Chloe Messdaghi: Thanks for having us.
Crane Hassold: Great to be here.
Sherrod DeGrippo: So the MDDR is something that is worked on essentially for a year, and we pull in data and commentary, opinions, intelligence reporting, all of these things from across Microsoft to get it out to the people. Chloe, can you kind of tell me what that process is like?
Chloe Messdaghi: The process, believe it or not, yes, it takes up to a year. We had about 200 contributors for this year's MDDR, but the most incredible thing is, all this knowledge that comes in into this report, and then having to write it in a way that anyone can understand it. So if you're a policymaker, you can understand it. If you are a CISO, you can understand it. If you're an executive, you can understand it. If you're a security researcher, you'll definitely be able to understand it. So just basically, we set up the scene for that, and what we're trying to do is, as you mentioned, Sherrod, is that we're going through quite an interesting time, and because we're going through interesting times, we're also going through kind of being in the dark. We're trying to figure out, what do we need to do? How do we stay safe? How do we secure things? When everything's changing, especially with AI. And that's what this report does. It's lighting the room for those that are trying to figure out what to do about the situation, and help provide that guide for them.
Sherrod DeGrippo: It's really an interesting process. This is my third one at Microsoft that I've been through, and I know, Chloe, you're new. This is your first one. Crane, is this your first or second?
Crane Hassold: This is my first.
Sherrod DeGrippo: Okay, tell me how it feels. What's it like, [laughter]?
Crane Hassold: So one of the things I really enjoyed about sort of contributing to the report this year is, you know, at Microsoft you really get a really good understanding about how complex the overall cyber threat landscape actually is, right? So it's not like we just have access to and just have insights into email-based threats, but we also have access into Endpoint, and Teams, and cloud-based apps, and all of these different things that cyber threat actors are sort of using different components of this landscape in various different ways, and what's really interesting is to see how they're pivoting from one thing to another, you know, when it comes to pivoting from email over to Teams for things like spam bombing, or how BEC attacks, and how credential phishing leverages email-based attacks and pivots that into different other cloud-based accounts, and leverages those for different ways. Like the complexity of that landscape, you really get to see when you're working on this report.
Sherrod DeGrippo: I've worked on it a couple of times now, and some of the things I think that people might be interested to know, there is a team who works on this almost all year long. So there is dedicated people at Microsoft who are constantly gathering this, and I'll be in threat landscape meetings, and every once in a while somebody will pop up and say, oh, we should add that. We should add that to the Digital Defense Report. We should add that. So it's something that Microsoft is always thinking about internally, and I also think it's important to hear from Crane and Chloe about where this data comes from. So Microsoft has 84 trillion security signals coming in a day. We have 1.5 billion endpoints. That endpoint number really blows my mind, in terms of the breadth and depth of visibility that Microsoft has into the threat landscape. I also think that it's really interesting, when we build this report, that we go get these experts from across the company who -- for those of you who don't know, I still consider myself very new to Microsoft. I'm coming up on three years, but it still seems very new to me. There are people who specialize in absolute niche, specialized, tiny little pieces of the threat landscape, and tiny little pieces of data, and that's really, to me, what is so fascinating about the Microsoft Digital Defense Report every year, is that you've got top of the top experts in the tiniest little specializations giving you the view of what's going on. So I'll talk about the landscape a little bit. Crane, what are the threats that you're seeing highlighted here, and what's going on in terms of, like, what we've seen in the past year? What are some threats that you found to highlight?
Crane Hassold: I think some of the really interesting components of the threat landscape that, you know, we saw a little bit before, you know, the past year, but we're really starting to see it in full effect more recently, I guess are two things. One is the way threat actors are leveraging AI, GenAI, LLMs in their attacks, and what that means for detection and protection of customers. And I think that, you know, when we look at that, there are some - there's like a boogeyman of AI that's out there, that everyone thinks that AI is the sort of silver bullet.
Sherrod DeGrippo: Ooh, is that why the Microsoft Digital Defense Report comes out in October, because it's spooky?
Crane Hassold: You know what, I - perhaps.
Sherrod DeGrippo: [Laughter].
Crane Hassold: I didn't even think about that.
Sherrod DeGrippo: Haunted computers.
Crane Hassold: You may want to throw that in now, I don't know.
Sherrod DeGrippo: Yeah. These computers definitely have ghosts inside them.
Crane Hassold: Yeah. But so, you know, there's this perception that AI is this really scary thing that bad guys are using to launch just insanely realistic, undetectable attacks, and I think when it comes to those types of attacks and what we've seen, I think we can step back and look at, hey, yes, AI is certainly being used by the bad guys in certain different ways, but what does that actually mean, and how does that actually factor in to our ability to detect these attacks, and we can get into that in a little bit more detail if you want. But then the other side of it is the way that threat actors are pivoting to nontraditional modes of communication in their attacks. You know, we have previously seen this trend where, you know, email has always been the number one initial attack vector for most cyber threats, and many times in the past, if you go back maybe two or three years, it sort of really just stayed within the email sphere. Now we're really seeing these threat actors pivoting from, email still is the number one attack vector, but then now they're almost immediately pivoting to things like SMS, or Teams, or some other mode of communication. WhatsApp for some companies, in places like Europe, where WhatsApp is used more commonly for business purposes. That pivot is also really interesting because they're trying to get off of these platforms where we have built detection mechanisms for decades, and we've gotten pretty good at it, and now they're trying to move on to other platforms where that detection really isn't as controlled. So I think those are the two primary trends that really stuck out over the past year that have really come, you know, into full effect.
Sherrod DeGrippo: Yeah, I think that's something I've noticed too, is that if you're going to use social engineering, which, hey, it works. Why would you not use it? We see that a lot of threats kind of either leverage social engineering as a foundation or they sprinkle it in somewhere to kind of make things easier on themselves, and that means every means of communication, whether it's email, Teams, SMS, fax machines, letters in your mailbox, whatever it may be. When people can communicate with you, they have the ability to leverage social engineering, a threat actor does. Chloe, let me ask you, what did you see in the report that kind of stuck out in terms of trends or things that are happening?
Chloe Messdaghi: I would definitely say that AI can be a benefit, and it could be a vulnerability. I would say, you know, basically what you shared, and also Crane, for example an AI-automated phishing email can achieve a 54% clickthrough rate compared to just 12% for a standard attempt. So if you think about it, it's 4.5 times an improvement. Because now, you know, you won't see the spelling issues.
Sherrod DeGrippo: Mm hmm.
Chloe Messdaghi: So people are more likely to click on it. Also, you're going to have better graphics in there. You're going to have, things are going to be more replicated, that look identical to something official. So this becomes kind of scary, because it's still the way in, many times, to get into an enterprise.
Sherrod DeGrippo: I think that's interesting, and I think that looking at threat actors using AI for the past couple of years, they're really using it similarly to how you and I use AI, research, and building, and cleaning things up, and getting code started. I always tell people, I am not a software developer, I'm not a software engineer, but every once in a while I need to do some of that work. I need to write scripts, or I need to build something really quickly, or I need to understand a piece of code, and AI is really helping people at my level get that down, get that done. And so threat actors, of course, are using that as well. And I think the thing that I really like to tell people, I say a lot, is that if you think of the A in AI standing for acceleration, you're probably going to get it. It makes everything much faster and bigger in scope and scale than it could be at human scale. So I think that, you know, AI is making people faster. It's enabling things to go faster, including the threat actors. We'll talk cybercrime, and then we'll go into nation-state. So Crane, anything interesting sticking out for you in terms of where the crime landscape and the financially-motivated landscape is going?
Crane Hassold: Yeah, I mean, so the financially-motivated landscape is really where I've lived and focused for the past 10-plus years.
Sherrod DeGrippo: Because it's better.
Crane Hassold: I do say that it's a little bit better.
Sherrod DeGrippo: [Laughter].
Crane Hassold: I mean - I mean, it's really more - no.
Sherrod DeGrippo: When people admit that it's better, it makes my heart sing. A little rainbow just popped over my head.
Crane Hassold: I mean, when you think about the fact that it's about, you know, 90-plus percent of attacks that most businesses see every single day are going to be financially motivated in some sort of way, and you know, a very small percentage of attacks are really just mission-oriented state actors, I think financially-motivated attacks have easily the biggest impact to the global threat landscape every single year. And so when it comes to financially-motivated attacks, I think what's really interesting is, to me, is seeing how it differs based on the geography of where the threat actors are coming from. And it's - most people, I think when they think of cybercrime, they probably think of Eastern European, Russian threat actors that are, you know, sending out ransomware campaigns, and absolutely those are actors that are out there, and what's interesting is that they are very, very businesslike. It is very much a business. It has a relatively structured hierarchy from top to bottom, and a lot of the more technically sophisticated attacks that we see, that are financially motivated on a day to day basis, are coming from Eastern Europe and Russian actors. But then when you pivot to some of the more voluminous attacks that we see, things like business email compromise, right? So the pure social engineering attacks that are pretending to be the CEO of a company, or you know, a supposed vendor asking for a wire transfer to another account, you know, those are generally going to be coming from other locations. So West Africa, Nigeria is the big hotbed for BEC attacks. And even though we have sort of just seen that spread out a little bit more, but when we look at those actors, those actors are very different, structured very differently than the more traditional cybercrime actors, where there is very little structure and hierarchy to the way that they work together. 
They are usually going to be sort of individual actors that are working with some people one week, some people another week, and you have specialties where you have actors that are doing certain types of things like collecting - giving them mule accounts that are being used to receive fraudulent funds, and then you have the guys who are responsible for actually sending out the spam campaigns. And then when you have things like - then you talk about places like Southeast Asia, where, you know, a lot of people have probably heard about the pig butchering attack.
Sherrod DeGrippo: Yeah.
Crane Hassold: Which the name is one of the worst names for a cybercrime that has, in my opinion, that has been developed.
Sherrod DeGrippo: It's so gross.
Crane Hassold: Oh, it's terrible.
Sherrod DeGrippo: I just really quickly want to recommend to everyone, if you want a fantastically interesting, riveting look at pig butchering, and you've only got an hour, John Oliver on Last Week Tonight did -
Chloe Messdaghi: Oh yeah.
Sherrod DeGrippo: Did you guys see that?
Chloe Messdaghi: Oh, I saw that. That was so good.
Sherrod DeGrippo: It's so good. I mean, you will be riveted watching that, especially if you're in threat intelligence or information security. If you work in these fields, watching how operationalized and industrialized pig butchering is. And pig butchering is essentially longform social engineering in order to get some kind of financial payoff. Crane, do we consider romance scams part of pig butchering, or are they their own?
Crane Hassold: It's its own thing. It -
Sherrod DeGrippo: It's its own thing.
Crane Hassold: It's its own type of thing. But romance scams are really a - that's primarily a West African sort of style of attack. It's been around for, I mean, 30 years at this point, in full effect, but in many cases that's an intermediate scam to get to something else. So a lot of romance scam victims get pivoted into other types of scams, or using their accounts to receive fraudulent funds. But when you get to pig butchering, you're right, it is very industrialized. Again, the structure is very different, where you have a very small number of people at the top of these hierarchies, and then a massive amount of people at the bottom that are doing the day-to-day, running the day-to-day scams in warehouses and things like that. And a lot of that is - a lot of the purpose for that is to, you know, investment scams are the big sort of component to those, where they're trying to get people to, you know, to make investments in things like cryptocurrency, and then they get scammed that way. So when you look at sort of the global nature of cybercrime, it's everywhere, but you can really start to see where different trends are emerging from and how that impacts what we see on a day-to-day basis.
Sherrod DeGrippo: Chloe, anything you want to share in terms of the crime or financially-motivated landscape? That's, to me, the one where the really creative TTPs usually are. That's where, let's be honest, most crime threat actors generally don't care if they get caught. Their prime goal, the action that they are taking is in order to achieve financial gain. So they don't really care where it comes from, and thus targeting is much more squishy than nation-sponsored threat. Chloe, anything that you want to mention about the cybercrime landscape that comes out of the new report?
Chloe Messdaghi: Yeah, like Crane stated is that most of the attacks are for money. Espionage is like only 4%.
Sherrod DeGrippo: Mm hmm.
Chloe Messdaghi: So if you think about that, yes, it's money-driven, and 33% of the incidents involve, you know, financial extortion as well. The one thing that we definitely noticed was that adversaries had been using well-known initial access routes. It hasn't really changed, if you think about it. They're still using the same routes that have been around. However, I would say that, you know, certain things have also changed in the number of attacks. When we think about, you know, targets for access to data, we see government is the top this year, IT was second, and third was research and academia, and then if we look at when we think about countries that are most impacted by cyberthreats, from January to June 2025, you have the U.S., you have the UK, and then you have Germany, and then Israel. And when we think about, you know, how are our threat actors, what are they doing right now? They're logging in. They're logging in now. So if you think about it, you need to protect your identity. Identity access is something you have to really focus on. So having MFA. Honestly, if you have MFA, 99% you will be safe. So if you think about it, something so easy as that can make such a huge difference. The other thing I would end with on that front is that when we think about identity attacks, 97% of those were from password sprays or brute force attacks. And then when we think about compromised signals by sector for identity, we're looking at research and academia played a huge situation this year.
Sherrod DeGrippo: I think that the targeting is really interesting because a lot of those that work in academia have two jobs. What is the thing you always hear people complain? Oh, I can't make any money as a professor. I have to do XYZ as well. And many of them do. So some of them write books, some of them teach at other universities as well, some of them have podcasts that they monetize. But a really common thing is for academics who have a professorship, or they're an emeritus, or something like that where they're not making a full, livable wage teaching. That's a discussion for a different podcast. They tend to get jobs in their specialties. Now, imagine somebody who is a physics professor, who teaches at a prestigious technical university, and also works maybe in the defense industrial base. Maybe also works at a law firm, because they're a legal - they're in the law school. The things that those people know are valuable to the school, and their identity is valuable for their other roles. So if you can compromise the identity that they use to teach under, their dot-EDU, you can usually use that to pivot over to the role that they use for their business, whether that's in a law firm, or in a teaching hospital, or in technical concerns that might be really sensitive. So I think that's really where academia needs to shore up some of its defenses, is thinking about these people who have these dual roles. They're not just teachers, and those dot-EDU accounts are really important to protect. Before we go to nation-sponsored, I just want to mention the stat that was in the report that I find not only interesting to me, but also really justifies my obsessions with the crime landscape, which is that 79% of Microsoft's incident response engagements are data collection for resale or extortion. So those are not nation-sponsored threats that are doing that. 
That is the crime landscape, and I think it's important to remember, as we enter this world of AI, those big data dumps, even the ones that are multiple years, those big breach dumps are going to become more valuable than they were, because 8 terabytes of data three or four years ago was a multi-person, huge slog. It was a nightmare. 8 terabytes of data to search through today is as easy as asking LLM what's in it using natural language. So remember that those data breaches from before are just as dangerous, if not more, today than they were when they first happened.
Crane Hassold: And I also think that it also really highlights the fact that initial access is the main focus for attacks today, because now you can pivot in so many different directions with just having someone's credentials, and do so many different things, that it's very different than what it was, like, 10 years ago. When you think of - like, take credential phishing for example. 10 years ago, when most people saw a credential phishing email, it was probably for their bank. Like, they were probably trying to get their logon credentials to hack into their bank account and just take money directly out of their bank. What we started seeing about, what, about eight years ago, seven, eight years ago, was that that entire credential phishing landscape changed. It was about the same time when enterprise-focused ransomware came onto the scene, where you started seeing enterprise credentials being easily the number one target for cybercrime actors, because not only are you getting access to someone's email, which is a treasure trove of potential intelligence, but also you can move to using that trusted, valid account to send additional phishing campaigns, massive phishing campaigns to other people. You can then pivot into the cloud and steal sensitive information or data that way, hold it for ransom, or sell it to someone else. You can do so many different things that makes just a single username and password so valuable that it has really reshaped what we think of when we think of the cybercrime landscape today.
Chloe Messdaghi: Can I just add one thing to that? To anyone who's listening, if you have family and friends, chances are they're probably using the same username, right? So this is why it's so important, is do not use the same password. At the end of the day, when you have those two together and you don't have MFA, or MFA is not offered on whatever website you go on, at least change your username too. That's the thing we tend to forget, is also usernames are usually reused so many times that when we come to guessing passwords, it becomes a lot easier. And if you don't have MFA, you're out of luck.
Sherrod DeGrippo: I like to tell people, especially those that are not in the industry, those just kind of, you know, those friends that we all have, who are like, hey Sherrod, you do the computers, right? And I'm like yeah, I do. You know, they ask, well this, you know, should I do this MFA thing, et cetera? And I'm like, well, any accounts that you wouldn't want your ex-girlfriend or your ex-boyfriend to get into, yeah, you should. Not because they're trying to hack you, but because that should be the level of concern, is everything. You should not want anyone in any of your stuff, especially things like social networks, especially things like - obviously your email. Especially things like federated logins. You know, you go to log in to a new site or something, and it's like, you can create your own username and password, or you can log in with your existing whatever account. Your existing Apple, your existing Google, your existing Amazon, existing Facebook, on and on and on. Be really, really careful with those federated logins and make sure that you've got MFA turned on. One last thing that I want to remind everyone about when it comes to crime, is that it really is an ecosystem. It's not just threat actors doing ransomware. It is facilitators, and data brokers, and access brokers, and coders, and people who, like a lot of these initial access broker gangs, they don't actually ever do ransomware. They just sell access to places where you could do ransomware if you wanted, and I think that that's a great example of how a lot of these ecosystems work, which is there are people doing little pieces, and they aren't all doing ransomware in fact. Only a few groups are really doing the ransomware aspect, and none of them, from what we have seen, are doing it alone. They're all depending on that entire ecosystem.
Chloe Messdaghi: Yeah, we did see that with access brokers this year. Like the top initial access vectors were credential-based attacks, which is 80%, and then vulnerability exploitation, which is 17%, and that's the second one.
Sherrod DeGrippo: So just to highlight what Chloe is saying, vulns only make up 17%. The rest of it is logging in, social engineering, things that are frankly harder to detect in many ways, because they involve some sort of credential access that's just a login. Okay, let's talk nation-sponsored and espionage. What are we seeing on the threat landscape when it comes to nation-sponsored threats, and how does that look?
Chloe Messdaghi: I would say that, for this year, we looked at the overall picture of nation-states. The most targeted sectors was first IT, then research and academia, and then government. And then top activities levels observed was U.S., Israel, and Ukraine.
Sherrod DeGrippo: And are we seeing any particular trends in terms of tactics or things that nation-sponsored threat is leveraging lately?
Chloe Messdaghi: I would say, for example, Russia, we've noticed that there was a reduction in developing bespoke operations, and they're more leveraging the current cybercriminal ecosystem. So we saw that. And then with North Korea, we definitely have seen, you know, an increase of remote workers. You probably haven't seen it on the headline news this year, but we have seen North Korean state-sponsored actors getting into IT companies and its remote workers. So, it's something to think about, [laughter].
Sherrod DeGrippo: That's something we've been tracking for probably the last year or two years. North Korean IT workers are getting jobs at regular companies, doing the work, that's always the thing that strikes me as so strange, is that they aren't just getting the jobs, doing espionage, and disappearing. They are getting the jobs, getting the access, doing the work they are assigned at an acceptable level of professionalism, and doing the espionage to steal a variety of information, data, intelligence, and then using that paycheck to finance the regime.
Chloe Messdaghi: Yeah, that's the thing people forget. It's also revenue generation, at the end of the day.
Crane Hassold: So I find those attacks to be fascinating, and for the same reason that you do, Sherrod, it's a really good example of the difference between state actor, mission-oriented attacks and financially-motivated attacks, because you would never, ever see a financially-motivated actor doing that, because there's no profit in it, right? The profit margin goes down. With mission-oriented attackers, it doesn't matter how long, or how many resources, or how much money it takes to fulfill the goal, you're going to fulfill the goal. I bet that's the entire endgame of it, regardless of how much time or effort it takes. And so if the goal is to make money, to try to get money for a, you know, a state nuclear program, right, if my entire goal is to do that, and my supervisor's supervisor tells me that's what I have to do, that's what I'm going to do, and I'm going to go get a job. I'm going to go make money like anyone else does, and then when they tell me that, okay, now you have to do this, now I'm in the place to do it. And it's like that for most mission-oriented attackers that we see, when it comes to state actors out there, and it really drives home the point that motivation really matters when it comes to these nation-state actors, because this is where threat intelligence comes into play. It's about understanding, am I the potential target of these actors that are going to spend an inordinate amount of time and money to try to impact me. Am I on their radar? Realistically, very few businesses around the world are probably going to be on the radar of most nation-state actors, but those that are on the radar, it is extremely important to understand and keep up to date with what you may see coming from those actors. In my -
Chloe Messdaghi: Yeah, for the ones that - so we looked at China, Iran, Russia, and North Korea this year, and each sector that they focus on is different. If you think about, like, the list, they're different. The targeted countries are different. They're not in the same order. They're unique and different.
Sherrod DeGrippo: Yeah, I think that we have to look at each nation, especially of those top four, as their own missions, and objectives, and what they're doing, and for - you know, there's not a lot of people. Obviously I work in MSTIC, Microsoft Threat Intelligence. There's not a lot of people that cover all of them. There are very few that are working the landscape from every threat actor group, all day, every day. It's very rare, just because people specialize on one. But it's interesting when you start asking the specialists on each different country what those tactics look like. They are really quite different, and I think people wishfully hope, oh, they'll be a copycat, they'll share data, this country will work with this country. We just really don't see that.
Crane Hassold: So back in the day, before I was in the private sector, I worked with the FBI for more than 11 years, and a lot of that I spent in the behavioral analysis units, and looking at cybercrime from a behavioral component and not a technical component. And what was really interesting is we came up - we saw the exact same thing is, understanding how to analyze the behavior from a Chinese-based nation-state actor, from a Russian state actor, from a U.S.-based financially motivated actor, not only are they different based on their missions, and objectives, and motivation, but also there are a lot of, like, really interesting cultural components to that as well that come into play, that you likely would never even think about if you don't, like, actively put yourself in those shoes, and sort of step back and say hey, you know, I usually am looking at Nigerian BEC actors. Now I'm looking at, you know, some sort of attack that came from a potentially Chinese actor. I got to think about those attacks from a very different perspective, because a lot of what we see is influenced by non-technical things that -
Sherrod DeGrippo: Yeah.
Crane Hassold: We really don't think of when we think of a cyberattack.
Sherrod DeGrippo: One of the things that's really interesting, working on the Microsoft threat intelligence team, is we have language specialists and culture specialists that will get into underground forums, that will look at code, that will understand how the threat actors are communicating with each other, amongst their own team, what these things mean. Some of our analysts have shown me new kinds of slang that I never heard of before, and they're like, oh yeah, it doesn't really translate exactly, but you know, mega-duck means whatever, this about the - and I'm, you know, I just can't believe that we have people that are tracking and specializing in understanding the threat actors culturally and from a language perspective to that degree. It's really interesting. So Chloe, I know that you have some really interesting data around how nation-sponsored threat is using AI. What are they doing with it? What's the objectives? How are they leveraging AI out there?
Chloe Messdaghi: Yeah, great question. I would say that in the last six months, we've seen AI use in influence operations pick up incredibly aggressively. And we're seeing that in AI twinning. We're also seeing that in training data poisoning, and voice cloning, and masking at this time.
Sherrod DeGrippo: And what is AI twinning?
Chloe Messdaghi: AI twinning is basically like taking what you think would be, like, give you an example. CNN, right? You're watching the CNN host, and giving an update of the latest news or breaking story. AI twinning is basically taking that but then changing the content completely, but it's giving a feel that looks exactly identical to what you're seeing on CNN.
Sherrod DeGrippo: And what is the objective there? To disseminate information that goes with influence operations?
Chloe Messdaghi: Yeah, it's basically to, you know, change perceptions. So you know, a lot of misinformation-disinformation campaigns, at the end of the day.
Sherrod DeGrippo: I think another point to mention about AI is that the report says that deepfakes and just generally AI-generated identities are being used to pass verification checkpoints, and that there was a 195% increase in the use of AI forgeries, which includes deepfakes and things like that. So those synthetic identities are growing in use. It's becoming easier and easier to create fake personas that are super convincing, which means authentication is a lot harder, and fraud is a lot easier.
Chloe Messdaghi: Absolutely, and it is definitely a growing pain. Especially, I don't know if you all remember, but it was in 2024, at the beginning of 2024, that there was a case in Hong Kong where a threat actor basically did a deepfake of a CFO for a company.
Sherrod DeGrippo: Mm hmm.
Chloe Messdaghi: And got their financial worker, employee to think that it's actually their CFO, and then basically sent 25 million over. These are things that are happening. These are things that we have to be very concerned about, and you know, it's something, you know, we're entering a new era, you know, with the use of AI, and we're going to see more of this kind of stuff happening, probably.
Sherrod DeGrippo: And it makes it easier for threat actors, because they can operationalize that like they operationalize everything else, and they can do it at scale.
Chloe Messdaghi: Exactly.
Crane Hassold: And I also think that it's really important to separate what is possible from what is practical when it comes to most threats out there, especially when it comes to AI. For influence operations that are going to be coming from state actors, mission-oriented actors, again, they have the means and the motivation to really leverage AI to its fullest potential, I think. They're the ones who can invest in building their own large language models, LLMs, to really focus what they want AI to do for them. Most financially-motivated actors that are out there are simply going to be using what's off the shelf to make their jobs a little bit easier from a day-to-day perspective. So when it comes to deepfakes, when it comes to all these things that we know, if we go to - Black Hat, DEF CON every year, there's always something new on AI that sounds really, really scary, but at the end of the day, for all practical purposes, you're likely never going to see that in the wild, because no one's going to invest that much effort or energy into making that come to fruition, unless they are trying to fulfill a very specific mission, and have the time to do so. Financially-motivated actors likely aren't going to do that. And even when you come to that, you know, the example that you were talking about in Hong Kong, right? In that case, my assumption, while I don't know too much about that case, my assumption is that actually was not - while it was a financially-motivated attack, it may not have been from a purely financially-motivated actor.
Sherrod DeGrippo: Interesting. I think that ability is something that technologists like us have to think further down the road, what will it be like? What are we going to see? And then compare that to the reality of what we're seeing today. I think that getting really wild with tabletop scenarios and threat modeling can be fun, but also when it's not based off of reality, that's why we talk so much about what's in the wild. Are we seeing this really being leveraged by threat actors, or are we not, and that's where things like in the wild come into play. But I think knowing where threat actors are today, knowing what the potential is, and then trying to look down the road to be realistic about what can happen. I did see something too, in the report, that phishing driven by AI is three times more effective than the traditional way. And I have the feeling that's just going to increase.
Crane Hassold: If I may interject, because this is like my soapbox, to be honest with you.
Sherrod DeGrippo: Okay, [laughter].
Crane Hassold: If it reaches its target, it is more effective.
Sherrod DeGrippo: If it reaches its targets. Okay, I love that.
Crane Hassold: And I think that's logical. If you see a lot of the stuff that's coming out, and you see what's generated in some of these phishing emails that we detect on a daily basis, like they look really good, and really realistic, and it takes very little energy to be able to develop those, what's out there today with sort of the off-the-shelf commercial GenAI models. But, when you look at how we detect those attacks, whether it's looking at the infrastructure that they're coming from, understanding their relationships between the recipient and the sender, understanding the general context of the message itself, and putting that all together, AI doesn't really influence a lot of the methods that we use to detect those attacks. And so AI does not necessarily make it harder to detect a phishing attack, but if it makes it to its target, it will likely be more impactful. And I always equate this to, you know, a tree falling in the forest. Right, if a phishing email is generated using AI, but never reaches its target, it doesn't make a sound. I equate it to that, because - and this goes back to thinking that AI is this really scary silver bullet, and it's really not. There are - while it can be used very effectively in a number of different ways, maliciously, it really doesn't apply to a lot of the components of especially an email-based attack that we use to prevent or detect them.
Sherrod DeGrippo: That leads me to a question that I love to ask people, especially those who work in email, which Crane, I spent, like, I got a lot of gray hair from my email time. I know you did too.
Crane Hassold: Yeah.
Sherrod DeGrippo: Should we stop using email?
Crane Hassold: I don't think it matters, to be honest with you.
Sherrod DeGrippo: Okay.
Crane Hassold: I think that, because most of the attacks are financially-motivated, and most of the attacks today are initiated through email. If tomorrow all email went away, and we were like, we're just - no one's ever using email again, the actors that are out there, that are making money off those attacks, aren't just going to be like oh, okay, you got me. I'm done. I'm going to go away now.
Sherrod DeGrippo: [Laughter], we solved crime.
Crane Hassold: Yeah. We're just going to go do legitimate stuff now. No, they're not going to do that. They're going to pivot to whatever the new communication mechanism is, and this also goes back to social engineering, right? So the same concepts that are used today in phishing attacks, in other sort of social engineering attacks, are literally the exact same concepts that have been used for thousands of years to defraud people, to con people. The only difference is now the medium has changed, and that's email. If email went away, it would go to Teams, or SMS, or WhatsApp, or Telegram. It's not going to disappear. The same actors that were, you know, that were using email are just going to pivot to wherever we go next. So unless we just stop talking to each other, which I don't think is going to happen, you know, the issue will just continue on.
Sherrod DeGrippo: So what you're saying is for those of you who are listening out there, no, you can't get rid of email. You still have to use your email, you still have to check your email, but I always love for people to just take a step back and think about the differences between their personal and their work email, and how they basically don't use personal email anymore. It has been sort of pushed to the wayside by things like SMS, and various chats, and Signal, and Instagram DMs, and all of these different platforms that we have that are better featured, more secure, have identity verification, and authentication, and things like that. So you know, personal email has kind of fallen off. Maybe work email will go the same way. We'll see. I'll hope for it. Crane, Chloe, thank you so much for coming and giving us kind of a preview into all of the different things that are in the Microsoft Digital Defense Report. I'll just ask each of you, as a closing question, I'll start with you, Chloe. What do you think defenders need to know? What can they do to kind of protect themselves from some of these threats?
Chloe Messdaghi: This is going to come off very marketing, but I would say read the report. Read the report.
Sherrod DeGrippo: Okay.
Chloe Messdaghi: I think we made it really easy for, no matter, like, how you're - the type of reader you are. If you're one of those people that just wants to, like, get to the highlights, the points, we have key takeaways in every section, so you could just go there to find what page you need to go. But if you're one of those people that likes to read from the very beginning, all the way to the end, this report's for you too. There's also a glossary, so if there's even terms that you're, like, oh, I'm not too familiar with, there's a glossary there. So we really try to make it really accessible for everyone to read, and I do highly recommend checking out this year's report.
Sherrod DeGrippo: So question on that, Chloe, you know, I'm on a budget, I'm just wondering, how much does this report cost? What are the prices?
Chloe Messdaghi: Oh wow, you know, you got to take out your checkbook, and put it away then, and then - because it's zero.
Sherrod DeGrippo: It's zero.
Chloe Messdaghi: You don't need - you just go to -
Sherrod DeGrippo: It's zero dollars for this report? It's free?
Chloe Messdaghi: Yeah.
Sherrod DeGrippo: It's a free report?
Chloe Messdaghi: Completely free.
Sherrod DeGrippo: That's incredible. I don't know how we do it.
Chloe Messdaghi: So good, right?
Sherrod DeGrippo: Yeah. So, you can go get the Microsoft Digital Defense Report for free. Right now, it's available. Just go to your favorite search engine, which is Bing, and you know, just search it up, and you'll get the 2025 Microsoft Digital Defense Report. Crane, what do you think defenders need to know? What would you like to leave them with?
Crane Hassold: So I agree with Chloe. Read the report. If nothing more than just maintaining awareness of what is actually happening out there, and what the trends look like in the general threat landscape is important, and the fact that that sort of primes your brain to look out for potential attacks. You know, I'm actually reading/listening to a book right now that's all about sort of the understanding information, and system 1 and system 2 behavior, and stuff like that. And just thinking about and becoming aware of something, even unconsciously, will help you recognize something in the future. So just maintaining awareness of trends is important for that. And then also, when it comes to cyber threats, recognizing that they aren't, in general, they aren't these really technically sophisticated things that are out there. It is - almost all cyber threats, at least initially, are all about exploiting human behavior. There's very little technical sophistication behind them. That always - that's usually what comes second, but what comes first is all about behavioral manipulation, and understanding that is really the key to understanding how cyber threats sort of will occur, and what you'll actually see when it comes to those, is really important, and sort of decoupling the fiction from reality, when it comes to cyber threats.
Sherrod DeGrippo: I love that. Thank you both for being here. I'll leave my final point. I get asked all the time, it's one of the top questions people ask me. They say Sherrod, I want to get into threat intelligence. What do I need to do? Where do I start? How do I get into it? You start by reading reports like this, [laughter]. So if you're looking to start threat intelligence, incorporate more threat intelligence into your daily work, regardless of what your role is, one of the places that you need to start is reading reports of this type. Crane, Chloe, thank you so much for joining me on "The Microsoft Threat Intelligence Podcast," and I hope to have you back soon.
Chloe Messdaghi: Thank you.
Crane Hassold: Thank you very much.
Sherrod DeGrippo: Alright everyone, go check out the Microsoft Digital Defense Report for 2025, and hope you find out some new, interesting information about threat actors in there. [ Music ] Thanks for listening to "The Microsoft Threat Intelligence Podcast." We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode, we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, msthreatintelpodcast.com for more, and subscribe on your favorite podcast app. [ Music ]
