Kathy Gibson reports – Cybercriminals are interested in your data and your money, and they are becoming increasingly good at getting their hands on both.
The 2025 Microsoft Digital Defense Report reveals that data is the adversaries’ primary focus area, closely followed by monetary gain.
“In 2025, only 4% of attacks were espionage,” says Kerissa Varma, chief security advisor for Microsoft Africa.
Artificial intelligence (AI) is helping bad actors achieve their goals: it enables attacks, helps attackers do more, more quickly, and helps them monetise attacks.
The sectors under the most pressure from cyberattacks are government agencies and services (17%), IT (17%), research and academia (11%), NGOs (8%), critical manufacturing (6%), transportation systems (6%), consumer retail (6%), communications infrastructure (5%), financial services (4%) and healthcare and public health (4%).
“In South Africa, we have seen the impact of cyberattacks on healthcare services,” Varma points out. “And, globally, although it only attracts 4% of the attacks, the impact on human life, and how destructive it could be, can be huge.”
The top attack vectors over the past year were ClickFix (47%), phishing (35%), password spraying (19%), drive-by compromise and SEO poisoning (7%), and vulnerability (1%).
Again, Varma cautions against dismissing things like vulnerabilities. “This is still the most reliable way to get into an organisation,” she says. “Many organisations have aging infrastructure that is not patched, so while this is a small percentage of attacks, it is very reliable.”
Business email compromise (BEC) is another attack vector that appears insignificant, at 2%, but has an outsize impact. “Twenty-one percent of all attacks are from BEC. It outpaces ransomware, which sits at 16%.”
Interestingly, South Africa has emerged as a key launchpad for BEC infrastructure and money laundering attacks. Although originally from Nigeria, the Storm-2126 group has been active in South Africa since 2017. It uses ads for phishing, consumer email targeting, and GoDaddy and domain attacks. The victims are US real estate, tile companies and law firms.
But there are ways to circumvent the threats, Varma says. “If you have modern multifactor authentication, this reduces the risk of identity compromise by more than 99%.”
This is important, because, in the first half of 2025, identity-based attacks rose by 32%.
Even new technology is not foolproof: more than 97% of identity attacks use password spray or brute force attacks. “So attackers are using evasive techniques to get around the technology,” Varma says. “What they do is spin up new infrastructure, then pivot to new infrastructure to avoid detection.”
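Varma's remark about attackers pivoting to fresh infrastructure points at what a defender should look for in sign-in logs. The following is an added example, not code from the report or from Microsoft: detection logic over constructed sign-in lines that separates a password spray (many accounts, one guess each) from brute force against a single account, links spray sources that share a target list, and lists accounts where a spray succeeded. The log format, thresholds, IPs and account names are assumptions.

```python
from collections import defaultdict

# Constructed sign-in log (not from the report); format assumed: timestamp,source_ip,user,result
SAMPLE_LOG = """\
2025-03-01T08:00:01,203.0.113.10,alice,FAIL
2025-03-01T08:00:02,203.0.113.10,bob,FAIL
2025-03-01T08:00:03,203.0.113.10,carol,FAIL
2025-03-01T08:00:04,203.0.113.10,dave,FAIL
2025-03-01T08:05:01,198.51.100.7,alice,FAIL
2025-03-01T08:05:02,198.51.100.7,bob,FAIL
2025-03-01T08:05:03,198.51.100.7,carol,FAIL
2025-03-01T08:05:04,198.51.100.7,dave,SUCCESS
2025-03-01T09:00:00,192.0.2.55,frank,FAIL
2025-03-01T09:00:10,192.0.2.55,frank,FAIL
2025-03-01T09:00:20,192.0.2.55,frank,SUCCESS
"""

def parse(log_text):
    """Split each CSV line into a dict; a real pipeline would read IdP sign-in logs instead."""
    return [dict(zip(("ts", "ip", "user", "result"), line.split(",")))
            for line in log_text.splitlines()]

def find_spray_sources(rows, min_users=4, max_attempts_per_user=1):
    """Spray signature: one source touches many accounts with very few guesses each.
    A single account hit repeatedly from one IP (frank above) is brute force, not spray."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for r in rows:
        per_ip[r["ip"]][r["user"]] += 1
    return {ip: sorted(users) for ip, users in per_ip.items()
            if len(users) >= min_users and max(users.values()) <= max_attempts_per_user}

def find_rotating_infrastructure(flagged, min_overlap=3):
    """Flagged sources that target the same account list are likely one campaign
    pivoting to fresh infrastructure, so blocking a single IP is not enough."""
    ips = sorted(flagged)
    return [(a, b) for i, a in enumerate(ips) for b in ips[i + 1:]
            if len(set(flagged[a]) & set(flagged[b])) >= min_overlap]

def compromised_accounts(rows, flagged):
    """Successful sign-ins from a flagged source: accounts to reset and review first."""
    return sorted({r["user"] for r in rows
                   if r["ip"] in flagged and r["result"] == "SUCCESS"})
```

In production the thresholds would be tuned per tenant and the source key would be the ASN or hosting provider rather than a single IP, since spray tooling rotates addresses quickly.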
Compounding the threat complexity is the rise of the access brokers, a threat actor that breaks into an entity and sells access. “They don’t do anything, just break in, then sell access to another threat actor.
“This allows malicious actors to scale faster in the cybercrime as a service environment.”
Access brokers are most active against the public sector (772 attacks so far in 2025), followed by consumer and industrial products (488), professional services and consulting (438), manufacturing (344), technology, media and telecommunications (266), energy, resources and agriculture (204), life sciences and healthcare (150), financial services (142) and the non-profit sector (84).
For most attacks, initial access is via credential-based attacks (80%), vulnerability exploitation (17%), multiple (1,25%), malware operation (1,25%), and inside access (0,5%).
Typically, threat actors are staying inside systems for less time than they used to – but it’s still long enough to cause major damage.
“We know that the quicker you respond to an incident, the more you can reduce harm,” Varma says. “If you can contain or disrupt an attack you can reduce the harm.”
The average length of threat actor activity has been 58 days over the last year, with an average dwell time of just 12 days.
“Threat actors don’t always close down activity after those 12 days,” Varma says. “They will be active, steal data, open back doors, then exit. The entry is left open, so if they are undetected, they can come back.”
The dwell time is longest in government systems, sometimes up to three years, and threat actors can return again and again to harvest data.
AI is key to threat defense, Varma adds. “It can automate response and containment; detect threats faster and more accurately; identify gaps; and adapt to attacker behaviour.”
But AI is also being used by attackers. “There has been a rapid growth in assessed AI content samples attributed to nation-state adversaries,” Varma says. “AI is giving threat actors the ability to scale faster and reach more people.”
AI and automation are certainly working for the cybercrooks. The Microsoft study shows that a user is 4,5 times more likely to click on a phishing email when it is AI automated. And these emails have a success rate of 54%, compared to a standard success rate of 12%.
Meanwhile, the profitability of attacks increases 50 times for AI-enabled phishing attacks. “This incentivises increased AI usage,” Varma says. “It will only spur on more use of AI, as it reduces the overhead while increasing profitability.”
In a worrying trend, some organisations are now hiring their own attackers. “We have seen a big campaign by North Korean threat actors who pose as people looking for jobs – they go through an interview process and get hired. Once they are inside the organisation, they can work to compromise it.”
Some threat actors create their own identities, when recruitment agencies don’t have good enough controls to pick them up. Alternatively, they can buy identities, so they actually have a legitimate identity that can be verified.
“Once hired they slowly infiltrate the organisation, and exfiltrate data,” Varma explains.
A variation on this scam is people posing as hiring companies and collecting data on job hopefuls.
Companies are urged to do pre-hire vetting: verify resume details, check for multiple social media profiles, scrutinise staffing firm hires, require multiple video calls with the applicant, avoid VoIP numbers, and confirm physical addresses.
Post-hire, they should monitor for unauthorised tools, flag geographic anomalies, be alert to camera avoidance and use simple ID checks such as matching faces on video with laptop recipients.
“Cybersecurity is no longer just a technical issue, it is a strategic one,” Varma adds. “The defense landscape is shaped by AI acceleration, geopolitical conflict and the expansion of digital ecosystems.
“We urge companies to shift from creative defense to anticipatory, behaviour-based security models. Once you are in an incident it is very hard to get the processes and defenses in place; but if you are prepared it is easier to manage an incident. Companies must go from reactive to proactive.”
Varma offers some key recommendations for organisations:
- Manage cyber risk at the boardroom level
- Prioritise protecting identities
- Invest in people not just tools
- Defend your perimeters
- Know your weaknesses and pre-plan for a breach
- Map and monitor cloud assets
- Build and train for resiliency
- Participate in intelligence sharing
- Prepare for regulatory changes
- Start AI and quantum risk planning now.