Microsoft’s 2024 Digital Defense Report
In a world obsessed with next-gen security, it’s almost ironic that the most effective cyberattacks are the simplest. The Microsoft 2024 Digital Defense Report exposes a hard truth—old-school password attacks are prevalent and effective. While we put our faith in MFA and biometric scans, hackers stroll through the front door using weak passwords we’ve neglected to strengthen. It’s a reminder that additional security layers won’t save us if the foundation is crumbling.
CaaS is a new sector of cybercrime where any would-be adversary can pick up pre-packaged tools with no coding skills required. Need to breach a system? There’s a service for that, which allows those with limited hacking skills to gain unauthorized access. With AI in the mix, attacks are bigger, bolder, and, worse yet, automatic.
“Cybercriminals are leveraging the growing cybercrime-as-a-service (CaaS) ecosystem as well as AI technologies to launch phishing and social engineering attacks at scale.”
CaaS marketplaces sell virtually everything from data bundles to bot armies, fueling an entire cottage industry where criminals of all skill levels now thrive. Attacks skyrocket, precision tactics unfold, and MFA shows its weakness under this sophisticated pressure.
MFA, often mistakenly thought to be an effective compensating control for weak or compromised passwords, is now showing its weakness against phishing, QR code tricks, and other forms of compromise.
“In QR code phishing, threat actors send phishing messages containing a code encoded with a URL. The message prompts the recipient to scan the QR code with their device, redirecting them to a fake sign-in page where they are prompted to input their credentials. This page may include AiTM capabilities that circumvent some forms of MFA.”
It’s no longer a question of how secure MFA is—it’s how fast hackers can dismantle it. It’s often far easier to capture an MFA code using these techniques versus trying to compromise a full password, making this tactic effective for accounts that already have a compromised password. The “Adversary-in-the-Middle” (AiTM) technique is an increasingly common example of this. Attackers slip right between the user and the verification process, siphoning off MFA codes and breaking through defenses that, in hindsight, seem just a bit too optimistic.
Now, imagine the attacker inside your account setting up their own device for ongoing access. After that first breach, they slip in a phone number or register a second device, camouflaging their presence.
“After compromising a user account, the attacker attempts to add an additional device for MFA, such as a phone number to approve two-factor authorization or registering a new device with an authenticator, to maintain ongoing access.”
So even if they gain access once, this access becomes permanent. And then there’s the helpdesk angle—threat actors can communicate with support, impersonating users quite convincingly. Some helpdesks are raising the bar with video call verifications, but deepfake tech lurks around the corner, ready to sabotage even these measures.
Biometrics was once though to be intrinsically strong where passwords were weak. Fingerprints, face scans, and retinal scans were all thought to be unique and virtually unhackable. Then came deepfakes, sophisticated enough to imitate voices, faces, and expressions in real time. Insecure biometrics raise the stakes in a game that’s already too high.
“As deepfakes become more common in the business environment, organizations will have to implement countermeasures, such as requiring additional verification for transactions.”
And there’s a related statistic from Gartner in response to this: by 2026, nearly a third of businesses might abandon facial recognition, a foreshadowing of how faith in biometrics is eroding.
You’d think attackers would grow bored with old-school tactics, right? Numbers don’t lie, and Microsoft’s Entra data delivers a jaw-dropping statistic: of more than 600 million identity attacks per day, over 99% are password-based in 2024. Password spraying, phishing, and keylogging aren’t fading in popularity; they’re as common as ever.
“Most Account Takeovers (ATOs) still happen through simple methods like password spraying, phishing, keylogging, and using passwords from previous attacks found on the web.”
SIM swapping isn’t high-tech, but it’s devastatingly effective. By conning a mobile carrier, attackers reroute a victim’s SIM to their device, effortlessly capturing one-time codes, passcodes, and more.
“In SIM swapping, the threat actor contacts a mobile carrier and gets a target victim’s SIM card moved to their own device.”
It’s a smart shortcut straight to MFA bypass, a loophole attackers can exploit with alarming ease.
An effective security stack requires a strong foundation, layers, and redundancies all woven together. This report shouldn’t be all doom and gloom, there are powerful ways to protect your environment. Password policies are a critical piece of the puzzle, and automated solutions like Enzoic for Active Directory help enforce stronger, unique passwords by cross-checking against compromised lists. Such tools protect accounts before MFA even gets involved, keeping accounts secure and managing the risk against the top cause of a data breach. For those looking to protect other systems, Enzoic’s APIs provide this essential layer to any system by continuously monitoring passwords and instantly alerting users to change passwords if a risk or compromise is detected to proactively prevent account takeover and mitigate the risk associated with MFA vulnerabilities.
AUTHOR
Josh Parsons
Josh is the Product Manager at Enzoic, where he leads the development and execution of strategies to bring innovative threat intelligence solutions to market. Outside of work, he can be found at the nearest bookstore or exploring the city’s local coffee scene.