Trace Id is missing

Anatomy of a modern attack surface

Six areas for organizations to manage

As the world becomes more connected and digital, cybersecurity is becoming more complex. Organizations are moving more infrastructure, data, and apps to the cloud, supporting remote work, and engaging with third-party ecosystems. Consequently, what security teams must now defend is a broader, more dynamic environment and an expanded set of attack surfaces.

Threat actors are taking advantage of this complexity, exploiting gaps in an organization’s protections and permissions and executing relentless, high-volume attacks. Attacks are often multi-faceted, spanning several elements of an organization’s operations and infrastructure. Attackers are also becoming more coordinated across a growing cybercrime-as-a-service landscape. In 2022, Microsoft’s Digital Crimes Unit blocked 2,750,000 site registrations to get ahead of criminal actors that planned to use them to engage in global cybercrime.1

Keeping up with today’s threats means securing every main attack surface, including email, identity, endpoint, Internet of Things (IoT), cloud and external. From a security perspective, you’re only as strong as your weakest links — and attackers are getting better at finding those. The good news is that most threats can be stopped by implementing basic security measures. In fact, we’ve found that basic security hygiene still protects against 98% of cyberattacks.2

Four people gathered around a screen discussing cybersecurity. Stats on image: '1 hour 42 minutes: Median time for an attacker to begin moving laterally within your corporate network once a device is compromised' and '98% of cyberattacks can be prevented with basic security hygiene' - from article on Modern Attack Surface
Learn more about this image in the anatomy of a modern attack surface infographic

1 hr 42 min Median time for an attacker to begin moving laterally within your corporate network once a device is compromised3

98% of cyberattacks can be prevented with basic security hygiene2

End-to-end visibility into threats is foundational for good security hygiene. The right threat intelligence gives security teams a comprehensive view of the threat landscape, enabling them to stay ahead of emerging threats and continually refine their defenses. And when threat actors do get in, holistic threat intelligence is essential to learning what happened and preventing it from happening again.

Below we’ll discuss threat trends and challenges related to six main attack surfaces in an organization: email, identity, endpoint, IoT, cloud, and external. Towards the end, we’ll come back to how the right threat intelligence can tilt the playing field and give security teams a powerful advantage.

For most organizations, email is an essential part of daily business operations. Unfortunately, email remains a top threat vector. 35% of ransomware incidents in 2022 involved the use of email.4 Attackers are carrying out more email attacks than ever before — in 2022, the rate of phishing attacks increased by 61% compared to 2021.5

Attackers also now commonly leverage legitimate resources to carry out phishing attacks. This makes it even more difficult for users to differentiate between real and malicious emails, increasing the likelihood that a threat slips through. Consent phishing attacks are one example of this trend, where threat actors abuse legitimate cloud service providers to trick users into granting permissions to access confidential data.

Without the ability to correlate email signals into broader incidents to visualize attacks, it can take a long time to detect a threat actor that gained entry via email. And by then it may be too late to prevent the damage. The median time it takes for an attacker to access an organization’s private data is just 72 minutes.6 This can result in serious losses at the enterprise level. Business email compromise (BEC) cost an estimated $2.4 billion in adjusted losses in 2021.7

Person typing on laptop. Stats on image: '72 min median time it takes for an attacker to access your private data if you fall victim to a phishing email' and '61% increase in phishing attacks from 2021-2022' - from article on Modern Attack Surface
Learn more about this image in the anatomy of a modern attack surface infographic

In addition to safeguards such as URL checking and disabling macros, employee education is essential to preventing threats from having an impact. Simulated phishing emails and instructional materials on how to identify malicious content (even when it appears legitimate) are critical preventative security measures. We anticipate threat actors will continue to increase the quality of social engineering in their email attacks, leveraging AI and other tools to improve the persuasiveness and personalization of malicious emails. And this is just one example — as organizations get better at addressing today’s email threats, the threats will continue to evolve.

In today’s cloud-enabled world, securing access has become more critical than ever. As a result, gaining a deep understanding of identity across your organization — including user account permissions, workload identities, and their potential vulnerabilities — is vital, especially as attacks increase in frequency and creativity.

The number of password attacks rose to an estimated 921 attacks every second in 2022 — a 74% increase from 2021.8 At Microsoft, we’ve also seen threat actors get more creative in circumventing multi-factor authentication (MFA), using techniques such as adversary-in-the-middle phishing attacks and token abuse to gain access to organizations’ data. Phishing kits have made it even easier for threat actors to steal credentials. Microsoft’s Digital Crimes Unit has observed an increase in phishing kit sophistication over the past year, along with very low barriers to entry — with one seller offering phishing kits for as little as $6 per day.9

Managing the identity attack surface is more than securing user accounts — it spans cloud access, as well as workload identities. Compromised credentials can be a powerful tool for threat actors to use in wreaking havoc on an organization’s cloud infrastructure.

Image of a person in a digital cybersecurity meeting discussing connected device vulnerabilities. Stats on image: '3,500 average number of connected devices in an enterprise that are not protected by an endpoint detection and response agent' and '$1.7M Median value of the annualized risk of a data breach from mobile phishing attacks' - from the article on Modern Attack Surface
Learn more about this image in the anatomy of a modern attack surface infographic

921 Password attacks per second in 2022, a 74% increase from 20218

93% of Microsoft investigations during ransomware recovery engagements revealed insufficient privilege access and lateral movement controls10

Attackers are frequently gaining access to third-party accounts or other highly privileged accounts connected to an organization, and then using those credentials to infiltrate the cloud and steal data. Though workload identities (identities assigned to software workloads like applications to access other services and resources) are often overlooked in permissions auditing, identity information hidden in workloads can give a threat actor access to an entire organization’s data.

As the identity landscape continues to expand, we expect that attacks targeting identity will continue to grow both in volume and variety. This means maintaining a comprehensive understanding of identity and access will continue to be mission critical.

Given the sheer number of devices in today’s hybrid environment, securing endpoints has become more challenging. What hasn’t changed is that securing endpoints — particularly unmanaged devices — is critical to a strong security posture, since even one compromise can give threat actors entry into your organization.

As organizations have embraced BYOD (“Bring Your Own Device”) policies, unmanaged devices have proliferated. Consequently, the endpoint attack surface is now larger and more exposed. On average, there are 3,500 connected devices in an enterprise that are not protected by an endpoint detection and response agent.11

Unmanaged devices (which are part of the “shadow IT” landscape) are particularly appealing to threat actors since security teams lack the visibility necessary to secure them. At Microsoft, we’ve found that users are 71% more likely to be infected on an unmanaged device.12 Since they connect to company networks, unmanaged devices also present opportunities for attackers to launch broader attacks on servers and other infrastructure.

Unmanaged servers are also potential vectors for endpoint attacks. In 2021, Microsoft Security observed an attack where a threat actor took advantage of an unpatched server, navigated through directories, and discovered a password folder providing access to account credentials.

Four people discussing cybersecurity. Stats on image: '921: Password attacks per second in 2022, a 74% increase from 2021' and '93% of Microsoft investigation during ransomware recovery engagements revealed insufficient privilege access and lateral movement controls' - from article on Modern Attack Surface
Learn more about this image in the anatomy of a modern attack surface infographic

Median value of the annualized risk of a data breach from mobile phishing attacks14

The attacker then signed into numerous devices throughout the organization to collect and exfiltrate extensive amounts of data, including intellectual property. This likely allowed the attacker to threaten release of the information if the subsequent ransom wasn’t paid. This is a practice known as “double extortion,” and it’s a concerning scenario we’ve seen more frequently over the past year.13 And even if the ransom is paid, there’s no guarantee that data will be unencrypted or even returned at all.

With the number of endpoints continuing to grow, threat actors will undoubtedly continue to see endpoints (particularly unmanaged ones) as attractive targets. As a result, improving endpoint visibility and security hygiene can offer organizations significant value.

One of the most overlooked endpoint attack vectors is IoT (Internet of Things) — which includes billions of devices, both large and small. IoT security covers physical devices that connect to and exchange data with the network, such as routers, printers, cameras, and other similar devices. It can also include operational devices and sensors (operational technology, or “OT”), such as smart equipment on manufacturing production lines.

As the number of IoT devices grows, so does the number of vulnerabilities. By 2025, IDC predicts that 41 billion IoT devices will be present within enterprise and consumer environments.15 Since many organizations are hardening routers and networks to make them more difficult for threat actors to breach, IoT devices are becoming an easier and more appealing target. We’ve often seen threat actors exploit vulnerabilities to turn IoT devices into proxies — using an exposed device as a foothold onto the network. Once a threat actor has gained access to an IoT device, they can monitor network traffic for other unprotected assets, move laterally to infiltrate other parts of their target’s infrastructure, or perform reconnaissance to plan large-scale attacks on sensitive equipment and devices. In one study, 35% of security practitioners reported that in the past 2 years, an IoT device was used to conduct a broader attack on their organization.16

Unfortunately, IoT is often a black box for organizations in terms of visibility, and many lack proper IoT security measures. 60% of security practitioners cited IoT and OT security as one of the least secured aspects of their IT and OT infrastructure.17

Image of computer networking ports. Stats on image: '41 billion IoT devices expected in enterprise and consumer environments by 2025' and '60% of security practitioners say IoT and OT security is one of the least secured aspects of their IT and OT infrastructure' - from the article on Modern Attack Surface
Learn more about this image in the anatomy of a modern attack surface infographic

IoT devices themselves often contain dangerous vulnerabilities. Microsoft intelligence data uncovered that 1 million connected devices publicly visible on the Internet are running the Boa web server, an outdated, unsupported software still widely used in IoT devices and software development kits (SDKs).18

A growing number of countries are taking note of these blind spots and mandating improvements in IoT device cybersecurity.19,20 These regulations are an indicator of the increased focus on IoT security, as businesses and consumers alike become more concerned about IoT device vulnerabilities. While IoT is currently in the spotlight, cybersecurity regulations are expanding in other areas too, making it even more urgent for organizations to gain visibility across attack surfaces.

Organizations are increasingly moving infrastructure, application development, workloads and massive amounts of data to the cloud. Securing the cloud environment means defending a range of services, including SaaS, IaaS and PaaS, distributed across multiple clouds. Given the breadth and distribution of services involved, it can be difficult to get the proper level of visibility and protection at each layer.

Many organizations struggle to gain end-to-end visibility across their cloud ecosystem, especially as data increasingly resides in multiple cloud and hybrid environments. Too often, this lack of visibility means there is a security gap. At Microsoft, we’ve found that 84% of organizations who suffered ransomware attacks did not integrate their multi-cloud assets with their security tooling, a critical oversight.21

The widespread move to the cloud has also increased the number of new attack vectors for cybercriminals to exploit, with many gaining access through gaps in permissions security. Unknown code-based vulnerabilities in applications developed in the cloud have dramatically increased the risk of compromise. As a result, the top cloud attack vector we’re seeing across organizations is now cloud app development.

Image of a person sitting in a public place using a laptop. Stats on image: '895 man-in-the-middle phishing attacks detected per month by Microsoft Defender for Cloud Apps, on average' and '84% of organizations that suffered ransomware attacks did not integrate their multi-cloud environments into security operations tooling' -from the article on Modern Attack Surface"
Learn more about this image in the anatomy of a modern attack surface infographic

895 man-in-the-middle phishing attacks detected per month by Microsoft Defender for Cloud Apps, on average23

84% of organizations that suffered in ransomware attacks did not integrate their multi-cloud environments into security operations tooling21

Embracing a “Shift-left” security approach — incorporating security thinking in the earliest stages of app development — can help organizations strengthen their security posture and avoid introducing these vulnerabilities in the first place.

Cloud storage is another increasingly common attack vector, as incorrect permissions can put user data at risk. Additionally, cloud services providers themselves can be compromised. In 2021, Midnight Blizzard (a Russia-linked threat actor group formerly known as NOBELIUM) launched phishing attacks against a cloud services provider in an attempt to compromise and leverage privileged government customer accounts.22 This is just one example of a modern cloud threat, and we expect to see further cross-cloud attacks in the future.

Today, an organization’s external attack surface spans multiple clouds, complex digital supply chains and massive third-party ecosystems. The internet is now part of the network, and despite its almost unfathomable size, security teams must defend their organization’s presence throughout the internet to the same degree as everything behind their firewalls. And as more organizations adopt the principles of Zero Trust, protecting both internal and external attack surfaces has become an internet-scale challenge.

The global attack surface grows with the internet, and it is expanding every day. At Microsoft, we’ve seen evidence of this increase across many types of threats, such as phishing attacks. In 2021 Microsoft’s Digital Crimes Unit directed the removal of more than 96,000 unique phishing URLs and 7,700 phish kits, which led to the identification and closure of over 2,200 malicious email accounts used to collect stolen customer credentials.24

The external attack surface extends far beyond an organization’s own assets. It often includes suppliers, partners, unmanaged personal employee devices connected to company networks or assets, and newly acquired organizations. Consequently, it is critical to be aware of external connections and exposure in order to mitigate potential threats. A 2020 Ponemon report revealed that 53% of organizations had experienced at least one data breach caused by a third party in the past 2 years, costing an average of $7.5 million to remediate.25

 Image of two people in a meeting discussing cyberattack-related data compromises. 'Stats on image: 1613 cyberattack-related data compromises in 2021, more than all data compromises in 2020' and '53% of organizations experienced at least one data breach caused by a third party from 2018-2020' -from the article on Modern Attack Surface
Learn more about this image in the anatomy of a modern attack surface infographic

1,613 cyberattack-related data compromises in 2021; more than all data compromises in 202027

53% of organization experienced at least one data breach caused by a third party from 2018-202025

As the infrastructure behind cyberattacks increases, gaining visibility into threat infrastructure and taking inventory of internet-exposed assets has become more urgent than ever. We’ve found that organizations often struggle to understand the scope of their external exposure, resulting in significant blind spots. These blind spots can have devastating consequences. In 2021, 61% of businesses experienced a ransomware attack that led to at least a partial disruption of business operations.26

At Microsoft, we often tell customers to view their organization from the outside-in when evaluating security posture. Beyond VAPT (Vulnerability Assessment and Penetration Testing), it’s important to gain deep visibility into your external attack surface so you can identify vulnerabilities throughout the entirety of your environment and extended ecosystem. If you were an attacker trying to get in, what could you exploit? Understanding the full extent of your organization’s external attack surface is foundational to securing it.

How Microsoft can help


Today’s threat landscape is constantly changing, and organizations need a security strategy that can keep up. Increased organizational complexity and exposure, along with a high volume of threats and low barrier to entry in the cybercrime economy, make it more urgent than ever to secure every single seam within and between each attack surface.

Security teams need powerful threat intelligence to defend against today’s myriad and evolving threats. The right threat intelligence correlates signals from different places — providing timely and relevant context into current attack behavior and trends so security teams can successfully identify vulnerabilities, prioritize alerts, and disrupt attacks. And if a breach does occur, threat intelligence is critical to preventing further harm and improving defenses so a similar attack can’t happen again. Simply put, organizations that leverage more threat intelligence will be more secure and successful.

Microsoft has an unparalleled view of the evolving threat landscape, with 65 trillion signals analyzed daily. By correlating these signals in real time across attack surfaces, threat intelligence built into Microsoft Security solutions provides insight into the growing ransomware and threat environment, so you can see and stop more attacks. And with advanced AI capabilities, such as Microsoft Security Copilot, you can stay ahead of evolving threats and defend your organization at machine speed — empowering your security team to simplify the complex, catch what others miss, and protect everything.

  1. [1]
    2022 Microsoft Digital Defense Report, p. 18
  2. [2]
    2022 Microsoft Digital Defense Report, p. 108
  3. [3]
    2022 Microsoft Digital Defense Report, p. 21
  4. [4]
    2022 Verizon Data Breach Investigations report, p. 28
  5. [6]
    2022 Microsoft Digital Defense Report, p. 2
  6. [7]
    2021 FBI Internet Crime Report, p. 3
  7. [8]
    2022 Microsoft Digital Defense Report, p. 2
  8. [9]
    2022 Microsoft Digital Defense Report, p. 19
  9. [10]
    2022 Microsoft Digital Defense Report, p. 14
  10. [11]
    2022 Microsoft Digital Defense Report, p. 92
  11. [16]
    “The State of IoT/OT Cybersecurity in the Enterprise” 2021 Ponemon Institute Research Report, p. 2
  12. [17]
    “The State of IoT/OT Cybersecurity in the Enterprise” 2021 Ponemon Institute Research Report, p. 2
  13. [18]
    2022 Microsoft Cyber Signals Report, p. 3
  14. [21]
    2022 Microsoft Digital Defense Report, p. 16
  15. [22]
    2022 Microsoft Digital Defense Report, p. 37
  16. [23]
    2022 Microsoft Digital Defense Report, p. 95
  17. [27]
    2021 Identity Theft Resource Center Annual Data Breach Report, p. 5

Related articles

Three ways to protect yourself from ransomware

Modern ransomware defense requires a lot more than just setting up detection measures. Discover the top three ways you can harden your network’s security against ransomware today.

The unique security risk of IoT/OT devices

In our latest report, we explore how increasing IoT/OT connectivity is leading to greater and more-severe vulnerabilities for organized cyber threat actors to exploit.

The convergence of IT and OT

The increasing circulation of IoT is putting OT at risk, with an array of potential vulnerabilities and exposure to threat actors. Find out how to keep your organization protected.

Follow Microsoft Security