Cybersecurity insights from industry experts.

5 Attack Trends Organizations of All Sizes Should Be Monitoring

Recent trends in breaches and attack methods offer a valuable road map to cybersecurity professionals tasked with detecting and preventing the next big thing.

Microsoft Security, Microsoft

April 25, 2024

3 Min Read
Five Darts Hit Bulls-Eye on Dart Board Competition. 4 darts are blue and one dart is red.
Source: YAY Media AS via Alamy Stock Photo

Cybersecurity is constantly evolving and, as such, requires regular vigilance.

Microsoft analyzes more than 78 trillion security signals every day to better understand the latest attack vectors and techniques. Since last year, we noticed a shift in how threat actors are scaling and leveraging nation-state support. It's clear that organizations continue to experience more attacks than ever before, and attack chains are growing more complex. Dwell times have shortened and tactics, techniques, and procedures (TTPs) have evolved to become nimbler and more evasive in nature. 

Informed by these insights, here are five attack trends end-user organizations should be monitoring regularly.

Achieving Stealth By Avoiding Custom Tools and Malware

Some threat actor groups are prioritizing stealth by leveraging tools and processes that already exist on their victims' devices. This allows adversaries to slip under the radar and go undetected by obscuring their actions alongside other threat actors that are using similar methods to launch attacks. 

An example of this trend can be seen with Volt Typhoon, a Chinese state-sponsored actor that made headlines for targeting US critical infrastructure with living-off-the-land techniques.

Combining Cyber and Influence Operations for Greater Impact

Nation-state actors have also created a new category of tactics that combines cyber operations and influence operations (IO) methods. Known as "cyber-enabled influence operations," this hybrid combines cyber methods — such as data theft, defacement, distributed denial-of-service, and ransomware — with influence methods — like data leaks, sockpuppets, victim impersonation, misleading social media posts, and malicious SMS/email communication — to boost, exaggerate, or compensate for shortcomings in adversaries' network access or cyberattack capabilities. 

For example, Microsoft has observed multiple Iranian actors attempting to use bulk SMS messaging to enhance the amplification and psychological effects of their cyber-influence operations. We're also seeing more cyber-enabled influence operations attempt to impersonate purported victim organizations or leading figures in those organizations to add credibility to the effects of the cyberattack or compromise.

Creating Covert Networks By Targeting SOHO Network Edge Devices

Particularly relevant for distributed or remote employees is the rising abuse of small-office/home-office (SOHO) network edge devices. More and more, we're seeing threat actors use target SOHO devices — such as the router in a local coffee shop — to assemble covert networks. Some adversaries will even use programs to locate vulnerable endpoints around the world and identify jumping-off points for their next attack. This technique complicates attribution, making attacks appear from virtually anywhere.

Rapidly Adopting Publicly Disclosed POCs for Initial Access and Persistence 

Microsoft has increasingly observed certain nation-state subgroups adopting publicly disclosed proof-of-concept (POC) code shortly after it is released to exploit vulnerabilities in Internet-facing applications.

This trend can be seen in threat groups like Mint Sandstorm, an Iranian nation-state actor that rapidly weaponized N-day vulnerabilities in common enterprise applications and conducted highly targeted phishing campaigns to quickly and successfully access environments of interest.

Prioritizing Specialization Within the Ransomware Economy

We've been observing a continued move toward ransomware specialization. Rather than carry out an end-to-end ransomware operation, threat actors are choosing to focus on a small range of capabilities and services. 

This specialization has a splintering effect, spreading components of a ransomware attack across multiple providers in a complex underground economy. No longer can companies think of ransomware attacks as just coming from an individual threat actor or group. Instead, they may be combating the entire ransomware-as-a-service economy. In response, Microsoft Threat Intelligence now tracks ransomware providers individually, noting which groups traffic in initial access and which offer other services.

As cyber defenders look for more effective ways to harden their security posture, it's important to reference and learn from significant trends and breaches in years past. By analyzing these incidents and understanding different adversaries' motives and favored TTPs, we can better prevent similar breaches from happening in the future.

— Read more Partner Perspectives from Microsoft Security

Read more about:

Partner Perspectives

About the Author(s)

Microsoft Security


Protect it all with Microsoft Security.

Microsoft offers simplified, comprehensive protection and expertise that eliminates security gaps so you can innovate and grow in a changing world. Our integrated security, compliance, and identity solutions work across platforms and cloud environments, providing protection without compromising productivity.

We help customers simplify the complex by prioritizing risks with unified management tools and strategic guidance created to maximize the human expertise inside your company. Our unparalleled AI is informed by trillions of signals so you can detect threats quickly, respond effectively, and fortify your security posture to stay ahead of ever-evolving threats.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights