
Microsoft Azure faced a sharp escalation in targeted attacks throughout 2025, according to the Microsoft Digital Defense Report 2025 and related threat intelligence. Disruptive campaigns surged 87%, driven by AI automation, credential abuse, and misconfigurations in storage and services. Nation-state actors (primarily China-linked) and cybercriminals shifted from traditional endpoints to cloud environments, relying on identity exploitation, data exfiltration, and persistence tactics.
The year saw a clear shift in attacker tactics, with adversaries moving beyond traditional endpoints to exploit Azure’s vast ecosystem. Credential theft rose 23%, while data exfiltration incidents increased 58%. Attackers focused on high-value targets like Azure Blob Storage, using misconfigured access controls, leaked credentials, and supply chain compromises to gain persistent footholds.
AI played a pivotal role in this evolution. Generative AI tools automated phishing, lateral movement, and evasion techniques, enabling faster and more scalable campaigns. Ransomware groups integrated cloud components in 40% of incidents (up from less than 5% in 2023), blending on-premises encryption with Azure data theft for maximum extortion impact.
Nation-state actors, particularly China-linked groups, exploited Azure for command and control, persistence, and exfiltration in hybrid attacks. These operations often targeted critical infrastructure, blending espionage with disruptive capabilities. Overall, Azure became a prime battleground as cloud adoption accelerated, with attackers following the data to where it was most valuable.
"Adversaries are increasingly attacking the cloud, with destructive campaigns up 87%… We are now tracking early indicators of autonomous malware capable of lateral movement and adaptive behavior."
Microsoft Digital Defense Report 2025
