Nearly 60% of all phishing attacks impersonate Microsoft and about half a million Microsoft 365 accounts were compromised in 2021, new data shows.

Barracuda Networks' telemetry — from from millions of emails it analyzed — shows that in 2021, a little over half of all social engineering attacks came via phishing, and Microsoft was the most-impersonated brand in those attack attempts. Overall, attackers sent 3 million emails from 12,000 compromised accounts, and one in five organizations suffered an account compromise last year.

It may seem counterintuitive, but an employee at a small business with less than 100 employees sees, on average, 350% more social engineering attacks than an employee at a larger organization, the report says. Large organizations get hit with more attacks due to their size, Barracuda says.

"For example, a business with over 2,000 employees will be targeted with over 5,000 social engineering email attacks every year. That number is a lot smaller for organizations with fewer employees," according to the report. "However, the picture is reversed when it comes to the volume of attacks per mailbox. The smaller the organization, the more likely their employees are to be targets for an attack" because they typically don't have security expertise or resources.