Anatomy of a Modern Attack Surface

Originally published by Microsoft Security.

Six areas for organizations to manage

As the world becomes more connected and digital, cybersecurity is becoming more complex. Organizations are moving more infrastructure, data, and apps to the cloud, supporting remote work, and engaging with third-party ecosystems. Consequently, what security teams must now defend is a broader, more dynamic environment and an expanded set of attack surfaces.

Threat actors are taking advantage of this complexity, exploiting gaps in an organization’s protections and permissions and executing relentless, high-volume attacks. Attacks are often multi-faceted, spanning several elements of an organization’s operations and infrastructure. Attackers are also becoming more coordinated across a growing cybercrime-as-a-service landscape.

Keeping up with today’s threats means securing every main attack surface, including email, identity, endpoint, Internet of Things (IoT), cloud and external. From a security perspective, you’re only as strong as your weakest links — and attackers are getting better at finding those. The good news is that most threats can be stopped by implementing basic security measures. In fact, we’ve found that basic security hygiene still protects against 98% of cyberattacks.[2]

End-to-end visibility into threats is foundational for good security hygiene. The right threat intelligence gives security teams a comprehensive view of the threat landscape, enabling them to stay ahead of emerging threats and continually refine their defenses. And when threat actors do get in, holistic threat intelligence is essential to learning what happened and preventing it from happening again.

Below we’ll discuss threat trends and challenges related to six main attack surfaces in an organization: email, identity, endpoint, IoT, cloud, and external. Towards the end, we’ll come back to how the right threat intelligence can tilt the playing field and give security teams a powerful advantage.

1. Email remains a top threat vector and focus area for defense

For most organizations, email is an essential part of daily business operations. Unfortunately, email remains a top threat vector. 35% of ransomware incidents in 2022 involved the use of email.[4] Attackers are carrying out more email attacks than ever before — in 2022, the rate of phishing attacks increased by 61% compared to 2021.[5]

Attackers also now commonly leverage legitimate resources to carry out phishing attacks. This makes it even more difficult for users to differentiate between real and malicious emails, increasing the likelihood that a threat slips through. Consent phishing attacks are one example of this trend, where threat actors abuse legitimate cloud service providers to trick users into granting permissions to access confidential data.

Without the ability to correlate email signals into broader incidents to visualize attacks, it can take a long time to detect a threat actor that gained entry via email. And by then it may be too late to prevent the damage. The median time it takes for an attacker to access an organization’s private data is just 72 minutes.[6] This can result in serious losses at the enterprise level. Business email compromise (BEC) cost an estimated $2.4 billion in adjusted losses in 2021.[7]

In addition to safeguards such as URL checking and disabling macros, employee education is essential to preventing threats from having an impact. Simulated phishing emails and instructional materials on how to identify malicious content (even when it appears legitimate) are critical preventative security measures. We anticipate threat actors will continue to increase the quality of social engineering in their email attacks, leveraging AI and other tools to improve the persuasiveness and personalization of malicious emails. And this is just one example — as organizations get better at addressing today’s email threats, the threats will continue to evolve.

2. The expanded identity landscape also expands opportunities for threat actors

In today’s cloud-enabled world, securing access has become more critical than ever. As a result, gaining a deep understanding of identity across your organization — including user account permissions, workload identities, and their potential vulnerabilities — is vital, especially as attacks increase in frequency and creativity.

The number of password attacks rose to an estimated 921 attacks every second in 2022 — a 74% increase from 2021.[8] At Microsoft, we’ve also seen threat actors get more creative in circumventing multi-factor authentication (MFA), using techniques such as adversary-in-the-middle phishing attacks and token abuse to gain access to organizations’ data. Phishing kits have made it even easier for threat actors to steal credentials. Microsoft’s Digital Crimes Unit has observed an increase in phishing kit sophistication over the past year, along with very low barriers to entry — with one seller offering phishing kits for as little as $6 per day.[9]

Managing the identity attack surface is more than securing user accounts — it spans cloud access, as well as workload identities. Compromised credentials can be a powerful tool for threat actors to use in wreaking havoc on an organization’s cloud infrastructure.


Attackers are frequently gaining access to third-party accounts or other highly privileged accounts connected to an organization, and then using those credentials to infiltrate the cloud and steal data. Though workload identities (identities assigned to software workloads like applications to access other services and resources) are often overlooked in permissions auditing, identity information hidden in workloads can give a threat actor access to an entire organization’s data.

As the identity landscape continues to expand, we expect that attacks targeting identity will continue to grow both in volume and variety. This means maintaining a comprehensive understanding of identity and access will continue to be mission critical.

3. Hybrid environments and shadow IT have increased endpoint blind spots

Given the sheer number of devices in today’s hybrid environment, securing endpoints has become more challenging. What hasn’t changed is that securing endpoints — particularly unmanaged devices — is critical to a strong security posture, since even one compromise can give threat actors entry into your organization.

As organizations have embraced BYOD (“Bring Your Own Device”) policies, unmanaged devices have proliferated. Consequently, the endpoint attack surface is now larger and more exposed. On average, there are 3,500 connected devices in an enterprise that are not protected by an endpoint detection and response agent.[11]

Unmanaged devices (which are part of the “shadow IT” landscape) are particularly appealing to threat actors since security teams lack the visibility necessary to secure them. At Microsoft, we’ve found that users are 71% more likely to be infected on an unmanaged device.[12] Since they connect to company networks, unmanaged devices also present opportunities for attackers to launch broader attacks on servers and other infrastructure.

Unmanaged servers are also potential vectors for endpoint attacks. In 2021, Microsoft Security observed an attack where a threat actor took advantage of an unpatched server, navigated through directories, and discovered a password folder providing access to account credentials.

The attacker then signed into numerous devices throughout the organization to collect and exfiltrate extensive amounts of data, including intellectual property. This likely allowed the attacker to threaten release of the information if the subsequent ransom wasn’t paid. This is a practice known as “double extortion,” and it’s a concerning scenario we’ve seen more frequently over the past year.[13] And even if the ransom is paid, there’s no guarantee that data will be unencrypted or even returned at all.

With the number of endpoints continuing to grow, threat actors will undoubtedly continue to see endpoints (particularly unmanaged ones) as attractive targets. As a result, improving endpoint visibility and security hygiene can offer organizations significant value.

4. IoT devices are growing exponentially—and so are IoT threats

One of the most overlooked endpoint attack vectors is IoT (Internet of Things) — which includes billions of devices, both large and small. IoT security covers physical devices that connect to and exchange data with the network, such as routers, printers, cameras, and other similar devices. It can also include operational devices and sensors (operational technology, or “OT”), such as smart equipment on manufacturing production lines.

As the number of IoT devices grows, so does the number of vulnerabilities. By 2025, IDC predicts that 41 billion IoT devices will be present within enterprise and consumer environments.[15] Since many organizations are hardening routers and networks to make them more difficult for threat actors to breach, IoT devices are becoming an easier and more appealing target. We’ve often seen threat actors exploit vulnerabilities to turn IoT devices into proxies — using an exposed device as a foothold onto the network. Once a threat actor has gained access to an IoT device, they can monitor network traffic for other unprotected assets, move laterally to infiltrate other parts of their target’s infrastructure, or perform reconnaissance to plan large-scale attacks on sensitive equipment and devices. In one study, 35% of security practitioners reported that in the past 2 years, an IoT device was used to conduct a broader attack on their organization.[16]

Unfortunately, IoT is often a black box for organizations in terms of visibility, and many lack proper IoT security measures. 60% of security practitioners cited IoT and OT security as one of the least secured aspects of their IT and OT infrastructure.[17]


IoT devices themselves often contain dangerous vulnerabilities. Microsoft intelligence data uncovered that 1 million connected devices publicly visible on the Internet are running the Boa web server, an outdated, unsupported software still widely used in IoT devices and software development kits (SDKs).[18]

A growing number of countries are taking note of these blind spots and mandating improvements in IoT device cybersecurity.[19,20] These regulations are an indicator of the increased focus on IoT security, as businesses and consumers alike become more concerned about IoT device vulnerabilities. While IoT is currently in the spotlight, cybersecurity regulations are expanding in other areas too, making it even more urgent for organizations to gain visibility across attack surfaces.

5. Protecting the cloud is both critical and complex

Organizations are increasingly moving infrastructure, application development, workloads and massive amounts of data to the cloud. Securing the cloud environment means defending a range of services, including SaaS, IaaS and PaaS, distributed across multiple clouds. Given the breadth and distribution of services involved, it can be difficult to get the proper level of visibility and protection at each layer.

Many organizations struggle to gain end-to-end visibility across their cloud ecosystem, especially as data increasingly resides in multiple cloud and hybrid environments. Too often, this lack of visibility means there is a security gap. At Microsoft, we’ve found that 84% of organizations who suffered ransomware attacks did not integrate their multi-cloud assets with their security tooling, a critical oversight.[21]

The widespread move to the cloud has also increased the number of new attack vectors for cybercriminals to exploit, with many gaining access through gaps in permissions security. Unknown code-based vulnerabilities in applications developed in the cloud have dramatically increased the risk of compromise. As a result, the top cloud attack vector we’re seeing across organizations is now cloud app development.


Embracing a “Shift-left” security approach — incorporating security thinking in the earliest stages of app development — can help organizations strengthen their security posture and avoid introducing these vulnerabilities in the first place.

Cloud storage is another increasingly common attack vector, as incorrect permissions can put user data at risk. Additionally, cloud services providers themselves can be compromised. In 2021, Midnight Blizzard (a Russia-linked threat actor group formerly known as NOBELIUM) launched phishing attacks against a cloud services provider in an attempt to compromise and leverage privileged government customer accounts.[22] This is just one example of a modern cloud threat, and we expect to see further cross-cloud attacks in the future.

6. Securing the external attack surface is an internet-scale challenge

Today, an organization’s external attack surface spans multiple clouds, complex digital supply chains and massive third-party ecosystems. The internet is now part of the network, and despite its almost unfathomable size, security teams must defend their organization’s presence throughout the internet to the same degree as everything behind their firewalls. And as more organizations adopt the principles of Zero Trust, protecting both internal and external attack surfaces has become an internet-scale challenge.

The external attack surface extends far beyond an organization’s own assets. It often includes suppliers, partners, unmanaged personal employee devices connected to company networks or assets, and newly acquired organizations. Consequently, it is critical to be aware of external connections and exposure in order to mitigate potential threats. A 2020 Ponemon report revealed that 53% of organizations had experienced at least one data breach caused by a third party in the past 2 years, costing an average of $7.5 million to remediate.[25]


As the infrastructure behind cyberattacks increases, gaining visibility into threat infrastructure and taking inventory of internet-exposed assets has become more urgent than ever. We’ve found that organizations often struggle to understand the scope of their external exposure, resulting in significant blind spots. These blind spots can have devastating consequences. In 2021, 61% of businesses experienced a ransomware attack that led to at least a partial disruption of business operations.[26]

It's important to view your organization from the outside-in when evaluating security posture. Beyond VAPT (Vulnerability Assessment and Penetration Testing), it’s important to gain deep visibility into your external attack surface so you can identify vulnerabilities throughout the entirety of your environment and extended ecosystem. If you were an attacker trying to get in, what could you exploit? Understanding the full extent of your organization’s external attack surface is foundational to securing it.

For more security insights and guidance visit Security Insider: Cybersecurity + Threat Intelligence | Security Insider (microsoft.com).

2. 2022 Microsoft Digital Defense Report, p. 108
4. 2022 Verizon Data Breach Investigations report, p. 28
5. SlashNext’s State of Phishing Report Reveals More Than 255 Million Attacks in 2022, Signaling a 61% Increase in Phishing Year-Over-Year (prnewswire.com)
6. 2022 Microsoft Digital Defense Report, p. 21
7. 2021 FBI Internet Crime Report, p. 3
8. 2022 Microsoft Digital Defense Report, p. 2
9. 2022 Microsoft Digital Defense Report, p. 19
11. 2022 Microsoft Digital Defense Report, p. 92
12. Secure unmanaged devices with Microsoft Defender for Endpoint now – Microsoft Security Blog
13. The many lives of BlackCat ransomware – Microsoft Security Blog
15. The Growth in Connected IoT Devices is Expected to Generate 79.4ZB of Data in 2025, According to a New IDC Forecast | Business Wire
16. “The State of IoT/OT Cybersecurity in the Enterprise” 2021 Ponemon Institute Research Report, p. 2
17. “The State of IoT/OT Cybersecurity in the Enterprise” 2021 Ponemon Institute Research Report, p. 2
18. 2022 Microsoft Cyber Signals Report, p. 3
19. EU Cyber Resilience Act | Shaping Europe’s digital future (europa.eu)
20. Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products, NIST 2022
21. 2022 Microsoft Digital Defense Report, p. 16
22. 2022 Microsoft Digital Defense Report, p. 37
25. The Rise Of Third-Party Digital Risk (forbes.com)
26. Malware Statistics in 2023: Frequency, impact, cost & more (comparitech.com)