Anatomy of a modern attack surface

For most organizations, email is an essential part of daily business operations. Unfortunately, email remains a top threat vector. 35% of ransomware incidents in 2022 involved the use of email.⁴ Attackers are carrying out more email attacks than ever before — in 2022, the rate of phishing attacks increased by 61% compared to 2021^.5

Attackers also now commonly leverage legitimate resources to carry out phishing attacks. This makes it even more difficult for users to differentiate between real and malicious emails, increasing the likelihood that a threat slips through. Consent phishing attacks are one example of this trend, where threat actors abuse legitimate cloud service providers to trick users into granting permissions to access confidential data.

Without the ability to correlate email signals into broader incidents to visualize attacks, it can take a long time to detect a threat actor that gained entry via email. And by then it may be too late to prevent the damage. The median time it takes for an attacker to access an organization’s private data is just 72 minutes.⁶ This can result in serious losses at the enterprise level. Business email compromise (BEC) cost an estimated $2.4 billion in adjusted losses in 2021.⁷

In today’s cloud-enabled world, securing access has become more critical than ever. As a result, gaining a deep understanding of identity across your organization — including user account permissions, workload identities, and their potential vulnerabilities — is vital, especially as attacks increase in frequency and creativity.

The number of password attacks rose to an estimated 921 attacks every second in 2022 — a 74% increase from 2021.⁸ At Microsoft, we’ve also seen threat actors get more creative in circumventing multi-factor authentication (MFA), using techniques such as adversary-in-the-middle phishing attacks and token abuse to gain access to organizations’ data. Phishing kits have made it even easier for threat actors to steal credentials. Microsoft’s Digital Crimes Unit has observed an increase in phishing kit sophistication over the past year, along with very low barriers to entry — with one seller offering phishing kits for as little as $6 per day.⁹

Managing the identity attack surface is more than securing user accounts — it spans cloud access, as well as workload identities. Compromised credentials can be a powerful tool for threat actors to use in wreaking havoc on an organization’s cloud infrastructure.

Given the sheer number of devices in today’s hybrid environment, securing endpoints has become more challenging. What hasn’t changed is that securing endpoints — particularly unmanaged devices — is critical to a strong security posture, since even one compromise can give threat actors entry into your organization.

As organizations have embraced BYOD (“Bring Your Own Device”) policies, unmanaged devices have proliferated. Consequently, the endpoint attack surface is now larger and more exposed. On average, there are 3,500 connected devices in an enterprise that are not protected by an endpoint detection and response agent.¹¹

Unmanaged devices (which are part of the “shadow IT” landscape) are particularly appealing to threat actors since security teams lack the visibility necessary to secure them. At Microsoft, we’ve found that users are 71% more likely to be infected on an unmanaged device.¹² Since they connect to company networks, unmanaged devices also present opportunities for attackers to launch broader attacks on servers and other infrastructure.

Unmanaged servers are also potential vectors for endpoint attacks. In 2021, Microsoft Security observed an attack where a threat actor took advantage of an unpatched server, navigated through directories, and discovered a password folder providing access to account credentials.

One of the most overlooked endpoint attack vectors is IoT (Internet of Things) — which includes billions of devices, both large and small. IoT security covers physical devices that connect to and exchange data with the network, such as routers, printers, cameras, and other similar devices. It can also include operational devices and sensors (operational technology, or “OT”), such as smart equipment on manufacturing production lines.

As the number of IoT devices grows, so does the number of vulnerabilities. By 2025, IDC predicts that 41 billion IoT devices will be present within enterprise and consumer environments.¹⁵ Since many organizations are hardening routers and networks to make them more difficult for threat actors to breach, IoT devices are becoming an easier and more appealing target. We’ve often seen threat actors exploit vulnerabilities to turn IoT devices into proxies — using an exposed device as a foothold onto the network. Once a threat actor has gained access to an IoT device, they can monitor network traffic for other unprotected assets, move laterally to infiltrate other parts of their target’s infrastructure, or perform reconnaissance to plan large-scale attacks on sensitive equipment and devices. In one study, 35% of security practitioners reported that in the past 2 years, an IoT device was used to conduct a broader attack on their organization.¹⁶

Unfortunately, IoT is often a black box for organizations in terms of visibility, and many lack proper IoT security measures. 60% of security practitioners cited IoT and OT security as one of the least secured aspects of their IT and OT infrastructure.¹⁷

Today, an organization’s external attack surface spans multiple clouds, complex digital supply chains and massive third-party ecosystems. The internet is now part of the network, and despite its almost unfathomable size, security teams must defend their organization’s presence throughout the internet to the same degree as everything behind their firewalls. And as more organizations adopt the principles of Zero Trust, protecting both internal and external attack surfaces has become an internet-scale challenge.

The global attack surface grows with the internet, and it is expanding every day. At Microsoft, we’ve seen evidence of this increase across many types of threats, such as phishing attacks. In 2021 Microsoft’s Digital Crimes Unit directed the removal of more than 96,000 unique phishing URLs and 7,700 phish kits, which led to the identification and closure of over 2,200 malicious email accounts used to collect stolen customer credentials.²⁴

The external attack surface extends far beyond an organization’s own assets. It often includes suppliers, partners, unmanaged personal employee devices connected to company networks or assets, and newly acquired organizations. Consequently, it is critical to be aware of external connections and exposure in order to mitigate potential threats. A 2020 Ponemon report revealed that 53% of organizations had experienced at least one data breach caused by a third party in the past 2 years, costing an average of $7.5 million to remediate.²⁵

As the infrastructure behind cyberattacks increases, gaining visibility into threat infrastructure and taking inventory of internet-exposed assets has become more urgent than ever. We’ve found that organizations often struggle to understand the scope of their external exposure, resulting in significant blind spots. These blind spots can have devastating consequences. In 2021, 61% of businesses experienced a ransomware attack that led to at least a partial disruption of business operations.²⁶

At Microsoft, we often tell customers to view their organization from the outside-in when evaluating security posture. Beyond VAPT (Vulnerability Assessment and Penetration Testing), it’s important to gain deep visibility into your external attack surface so you can identify vulnerabilities throughout the entirety of your environment and extended ecosystem. If you were an attacker trying to get in, what could you exploit? Understanding the full extent of your organization’s external attack surface is foundational to securing it.

How Microsoft can help

Today’s threat landscape is constantly changing, and organizations need a security strategy that can keep up. Increased organizational complexity and exposure, along with a high volume of threats and low barrier to entry in the cybercrime economy, make it more urgent than ever to secure every single seam within and between each attack surface.

Security teams need powerful threat intelligence to defend against today’s myriad and evolving threats. The right threat intelligence correlates signals from different places — providing timely and relevant context into current attack behavior and trends so security teams can successfully identify vulnerabilities, prioritize alerts, and disrupt attacks. And if a breach does occur, threat intelligence is critical to preventing further harm and improving defenses so a similar attack can’t happen again. Simply put, organizations that leverage more threat intelligence will be more secure and successful.

Microsoft has an unparalleled view of the evolving threat landscape, with 65 trillion signals analyzed daily. By correlating these signals in real time across attack surfaces, threat intelligence built into Microsoft Security solutions provides insight into the growing ransomware and threat environment, so you can see and stop more attacks. And with advanced AI capabilities, such as Microsoft Security Copilot, you can stay ahead of evolving threats and defend your organization at machine speed — empowering your security team to simplify the complex, catch what others miss, and protect everything.