The AI-Powered Threat: Microsoft Reveals Surge in Identity and Nation-State Attacks
Microsoft has released its Digital Defense Report 2025, documenting a sharp surge in attacks targeting digital identities, the misuse of artificial intelligence in cybercrime, and the heightened activity of state-sponsored threat groups. According to Microsoft Threat Intelligence, the number of account-based attacks rose by 32% in the first half of 2025, with more than 97% of incidents linked to password guessing and large-scale brute-force login attempts. Multi-factor authentication remains the single most effective defense, reducing the likelihood of compromise by over 99%.
A dedicated section of the report focuses on the abuse of AI technologies. The authors note that generative models have evolved from mere tools into integral components of cyberattacks. Threat actors now use AI to fabricate websites and profiles and to clone voices and faces for fraud and social engineering. Over the past year alone, Microsoft blocked $4 billion worth of fraudulent transactions and prevented 49,000 attempts to register fake partner accounts. Each hour, the company’s infrastructure intercepts up to 1.6 million automated attempts to create counterfeit accounts.
The report underscores that the growing wave of attacks stems from the combined use of artificial intelligence and social engineering. Cybercriminals are deploying AI-generated phishing campaigns, automated exploitation techniques, and domain impersonation. Among the emerging threats, Microsoft highlights device code phishing, a technique now employed by both criminal syndicates and state-linked operators from Iran and China—with 93% of such incidents recorded in the latter half of 2025.
Device code phishing exploits the device code authentication flow. Attackers, masquerading as system administrators, event organizers, or other trusted contacts, deceive victims into entering a code on a counterfeit authentication page. Once the code is submitted, the attackers obtain access and refresh tokens, enabling password-free entry into corporate services and maintaining persistence for as long as the token remains valid.
Microsoft notes that these campaigns often originate through third-party messengers, bypassing traditional anti-spam filters. In some cases, victims were prompted to enter codes directly through Microsoft Teams invitations, lending the ruse an air of authenticity. Because these attacks utilize legitimate authentication tokens, standard anti-phishing defenses frequently fail to detect the intrusion—making this one of the most insidious evolutions of phishing to date.
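Because the tokens themselves are legitimate, the practical detection point is the sign-in record that issued them: device code authentications are rare for ordinary users, so each successful one can be checked against an explicit allowlist. The following is an added illustration, not code from the report or from Microsoft; the sample records are constructed, and the field names mirror the Entra ID SigninLogs schema as an assumption that should be verified against your own tenant.

```python
import ipaddress
import json

# Constructed sample sign-in records (not from any real tenant). Field names
# mirror the Entra ID SigninLogs schema as an assumption; verify against yours.
SAMPLE_SIGNIN_LOG = """
{"TimeGenerated":"2025-09-01T08:00:00Z","UserPrincipalName":"alice@example.com","IPAddress":"203.0.113.10","AuthenticationProtocol":"none","ResultType":"0","AppDisplayName":"Microsoft Office"}
{"TimeGenerated":"2025-09-01T09:12:00Z","UserPrincipalName":"bob@example.com","IPAddress":"198.51.100.7","AuthenticationProtocol":"deviceCode","ResultType":"0","AppDisplayName":"Microsoft Office"}
{"TimeGenerated":"2025-09-01T10:00:00Z","UserPrincipalName":"carol@example.com","IPAddress":"192.0.2.44","AuthenticationProtocol":"deviceCode","ResultType":"50126","AppDisplayName":"Microsoft Office"}
{"TimeGenerated":"2025-09-01T10:30:00Z","UserPrincipalName":"kiosk01@example.com","IPAddress":"10.20.0.5","AuthenticationProtocol":"deviceCode","ResultType":"0","AppDisplayName":"Microsoft Azure CLI"}
"""

# Assumed policy: only these accounts legitimately use the device code flow
# (e.g. headless kiosks), and only from these corporate address ranges.
APPROVED_DEVICE_CODE_USERS = {"kiosk01@example.com"}
APPROVED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_signin_log(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def device_code_alerts(records, approved_users=APPROVED_DEVICE_CODE_USERS,
                       approved_networks=APPROVED_NETWORKS):
    """Return one alert per successful device-code sign-in that breaks policy.

    Only successes matter here: they are the sign-ins that hand out tokens."""
    alerts = []
    for rec in records:
        if rec.get("AuthenticationProtocol") != "deviceCode":
            continue
        if rec.get("ResultType") != "0":  # "0" marks a successful sign-in
            continue
        user = rec["UserPrincipalName"]
        ip = ipaddress.ip_address(rec["IPAddress"])
        reasons = []
        if user not in approved_users:
            reasons.append("user not approved for device code flow")
        if not any(ip in net for net in approved_networks):
            reasons.append("source IP outside approved networks")
        if reasons:
            alerts.append({"time": rec["TimeGenerated"], "user": user,
                           "ip": str(ip), "app": rec.get("AppDisplayName"),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in device_code_alerts(parse_signin_log(SAMPLE_SIGNIN_LOG)):
        print(alert)
```

Failed device code attempts are skipped here deliberately; in production they belong in a separate, lower-severity signal, since a burst of them can precede the one that succeeds.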
A growing concern is the rise of “non-human identities”—services and applications with access to cloud resources. Compromising these entities allows attackers to move laterally within infrastructure and escalate privileges while remaining undetected. Microsoft reports a rise in attacks combining device code phishing, token theft, and OAuth consent manipulation—tactics that bypass multi-factor authentication and retain access even after password resets.
In its section on AI and nation-state threats, Microsoft warns of the rise of “AI adoption” by adversaries—organized efforts that wield generative technologies as weapons of information warfare. Documented cases include AI-generated doubles of television hosts, data poisoning of training sets, and voice cloning to craft credible propaganda videos. Such campaigns, the report warns, are becoming cheaper, more scalable, and harder to attribute—demanding a fundamental rethink of disinformation analysis models.
The report also examines cloud security, noting a 26% increase in attacks targeting Azure, alongside an 87% surge in destructive operations, and rises of 23% and 58% in data and credential theft, respectively. Hackers are increasingly exploiting built-in tools like Run Command to execute remote code, complicating detection and response efforts.
Microsoft concludes that the line between criminal and state-backed operations is rapidly dissolving, transforming cybercrime into a vast economy of services. Between 2024 and 2025, researchers identified 368 access brokers selling credentials and remote network entry points, with victims spanning 131 countries. The company urges businesses to treat security as an element of operational continuity, to foster collaborative threat intelligence sharing, and to begin strategic preparation for risks posed by quantum computing.