97% Of Identity Attacks Involve Passwords, Says Microsoft

Identity-based attacks surged by 32% in the first half of 2025, with most of these attacks still exploiting unsecure passwords.

Published on Oct 20, 2025
Written by Caitlin Harris

According to new research from Microsoft, identity-based attacks surged by 32% in the first half of 2025, and 97% of those attacks were password spray or brute force attacks.

This figure comes from Microsoft’s latest Digital Defense Report, which dives into the scale and sophistication of cyberthreats, the impact of emerging technologies on those threats, and the ways in which the industry can defend against them.

While the report covered a broad range of attack methods observed between July 2024 and June 2025, this statistic is particularly striking, say the researchers behind the report, because it highlights how—despite headlines warning us about increasingly sophisticated attack methods—most identity attacks still exploit the age-old problem of weak and overused passwords. 

This means that password-guessing attacks are behind most malicious sign-in attempts. In these attacks, adversaries typically obtain lists of usernames and passwords from credential leaks, or simply use lists of common and overused passwords to “guess” their victims’ login details at scale.

Identity-related techniques are some of the most common initial access routes being used by attackers, the report found, with 28% of all breaches being initiated through phishing or social engineering. 

But who are the main targets of these attacks? 

According to Microsoft, government organizations, IT companies, and research and academic institutions were the most impacted by cyberthreats this year—all of which typically handle vast amounts of Personally Identifiable Information (PII). PII is not only one of the most valuable types of data, but it also enables attackers to carry out further identity attacks, such as identity-related fraud. 

Looking to the future, we can expect threat actors to increasingly leverage AI-powered social engineering to gain initial access, Microsoft says.

“For example, these threat actors will leverage […] autonomous malware capable of lateral movement, vulnerability discovery, and privilege escalation without human intervention. Or they could use AI-powered agents capable of adapting in real time to defensive environments, rerouting command and control channels or rewriting payloads dynamically to evade EDR systems.”

This could enable attackers to carry out multi-vector intrusions at scale, with little operational overhead or cost.

Actions For Defense

Though the prevalence of these attacks may be surprising, the methods for defending against them should not be. Multi-Factor Authentication (MFA) remains the most effective means of mitigating identity-related breaches, with modern MFA tools blocking over 99% of unauthorized access attempts. This makes MFA “the single most important security measure an organization can implement,” says Microsoft.

For additional security, organizations should consider implementing a phishing-resistant form of MFA, the company adds, such as passkeys—which were recently found to be twice as successful as other authentication methods. 

Passkeys make it almost impossible for an attacker to carry out a large-scale credential-theft attack, Andrew Shikiar, Executive Director and CEO at FIDO Alliance, told Expert Insights, because they typically require users to verify their identity via biometrics in order to activate the private key that will enable them to log in.

“There’s no way to spoof that, so the only way you can get my private key is to physically take my device, which you could do on a one-to-one basis, but the scalable attacks that are plaguing our economy and causing massive breaches go away with this model,” Shikiar says.

In addition to implementing phishing-resistant MFA, Microsoft recommends that organizations investigate all credential theft alerts rather than dismiss them as routine. It also suggests that government, NGO, and academic entities prioritize securing their data and identity-facing assets.
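The password spray and brute force attacks the report counts leave different patterns in failed sign-in logs, and a success from a flagged source is the alert to investigate first. The following is an added example, not taken from Microsoft's report or the original article; the log format, the thresholds, the per-source grouping and all sample values are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: ISO timestamp, source IP, username, result.
# All values are made up; the IPs come from documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2025-10-20T09:00:01 203.0.113.7 alice FAIL
2025-10-20T09:00:03 203.0.113.7 bob FAIL
2025-10-20T09:00:05 203.0.113.7 carol FAIL
2025-10-20T09:00:07 203.0.113.7 dave FAIL
2025-10-20T09:00:09 203.0.113.7 erin SUCCESS
2025-10-20T09:01:00 198.51.100.9 frank FAIL
2025-10-20T09:01:01 198.51.100.9 frank FAIL
2025-10-20T09:01:02 198.51.100.9 frank FAIL
2025-10-20T09:01:03 198.51.100.9 frank FAIL
2025-10-20T09:01:04 198.51.100.9 frank FAIL
2025-10-20T09:05:00 192.0.2.44 grace FAIL
2025-10-20T09:05:20 192.0.2.44 grace SUCCESS
"""
WINDOW = timedelta(minutes=10)
SPRAY_MIN_USERS = 4   # assumed threshold: distinct accounts failed from one source
BRUTE_MIN_FAILS = 5   # assumed threshold: failures against one account from one source

def parse(log):
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result

def classify(log):
    """Return {source_ip: finding} for sources whose failures match either pattern."""
    by_source = defaultdict(list)
    for ts, ip, user, result in sorted(parse(log)):
        by_source[ip].append((ts, user, result))
    findings = {}
    for ip, events in by_source.items():
        for start, _, _ in events:  # sliding window anchored at each event
            window = [e for e in events if start <= e[0] < start + WINDOW]
            fails = Counter(u for _, u, r in window if r == "FAIL")
            if len(fails) >= SPRAY_MIN_USERS:
                kind = "password_spray"   # many accounts, few tries each
            elif fails and max(fails.values()) >= BRUTE_MIN_FAILS:
                kind = "brute_force"      # many tries against one account
            else:
                continue
            # A success from a flagged source in the same window is a likely compromise.
            hits = sorted({u for _, u, r in window if r == "SUCCESS"})
            findings[ip] = {"kind": kind, "targets": sorted(fails), "succeeded": hits}
            break
    return findings
```

A single mistyped password followed by a success (the `grace` lines) produces no finding, while the `erin` sign-in is reported because it came from the spraying source. Sprays spread across many source addresses would need grouping on another key, which this example does not attempt.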