Hot Cybercrime Summer

Understanding the Modern Cybercrime Operating Model

Hot Cybercrime Summer: What’s driving the shift

Cybercrime is not a collection of isolated actors or incidents. It is an interconnected ecosystem, an operating model where specialized roles, shared infrastructure, and coordinated incentives enable continuous, interoperable activity.

That shift is easy to spot, but harder to really absorb. It pushes against a long-held assumption in security that incidents are one-off events you can contain and close out. What Microsoft Threat Intelligence is seeing now looks very different. It’s an ecosystem designed for scale, specialization, and constant adaptation.

More than 65 financially motivated actors now operate within a structured supply chain that mirrors legitimate technology markets. Initial access brokers sell footholds into enterprise environments. Malware operators provide delivery at scale. Ransomware platforms enable repeatable execution. Affiliates carry out the final stage and monetize it.

The visible incident is only the final step.

In many cases, initial access was sold weeks earlier. Infrastructure and tooling were reused across campaigns. Multiple actors contributed to the outcome, each optimized for one part of the process. This separation of labor is not incidental. It is the model.

And it is one of the most important shifts in the threat landscape.

The role of AI in a scaling threat landscape

The actors we track already operate within a model built on reuse, coordination, and economic efficiency. What AI changes is how quickly that model iterates, how precisely it targets, and how easily capability can be distributed.

This is already visible.

Social engineering is becoming more convincing because it is more contextual. Phishing infrastructure is more modular and reusable. Techniques that once required depth of expertise are being packaged and distributed across affiliate ecosystems. Timelines that unfolded over weeks are compressing into days or hours.

At Microsoft, we are analyzing patterns of behavior, tooling, and infrastructure reuse across more than 65 financially motivated actors operating within this ecosystem. AI allows us to connect those signals, identify relationships between campaigns, and understand how activity propagates across the system over time.

When relationships are visible early, and when behavior is understood in context rather than isolation, defense becomes less reactive. It becomes anticipatory.

AI raises the ceiling for both attackers and defenders. The differentiator is not access to the technology. It is the ability to turn data into understanding of the system itself, and to act on that understanding fast enough to matter.

Why this matters for security leadership

Security has always been complex. What has changed is how that complexity behaves.

In most domains, complexity eventually collapses into predictable patterns. In cybercrime, it does not. It compounds. The system continues to evolve because the incentives driving it remain intact.

The effectiveness of a security organization is increasingly determined by how well it understands the system it is operating within. That includes the ability to identify meaningful patterns, make decisions under pressure, and build resilience that holds as the threat changes.

What comes next

Over the coming months, we will be sharing a sequenced view into this ecosystem through our Hot Cybercrime Summer series, grounded in Microsoft Threat Intelligence and continuous tracking across more than 65 actors.

Each week on LinkedIn, we will break down a specific part of the operating model. You will see how different actors contribute to the same outcomes. You will see how activity that appears disconnected is often coordinated. And you will see where the system creates opportunities for earlier disruption.

If you want to understand how modern cybercrime actually works, follow the series on LinkedIn.
