MSFT 2024 Digital Defense Report
The 2024 Microsoft Digital Defense Report delivers a clear warning to Managed Service Providers: the threat landscape is evolving faster than ever. In this week’s Cyber Call, we broke down the report’s most pressing insights—and what they mean for MSPs. One of the most alarming trends is the increasing collaboration between nation-state actors and cybercriminals. These groups are no longer operating independently; they’re sharing tools, infrastructure, and expertise. This creates more sophisticated, resource-backed threats that are harder to detect and attribute. MSPs need to evolve their threat intelligence strategies accordingly.
Healthcare has become a primary target, with ransomware campaigns disrupting not only hospitals but also pharmaceutical companies and biomedical labs. The report shows these attacks are driven by opportunity, not ethics. MSPs supporting healthcare clients must tailor their solutions with industry-specific safeguards. Supply chain attacks remain a top concern, especially for IT vendors and service providers. The SolarWinds attack was just the beginning—MSPs must implement strict inventory management and ensure vendor accountability.
Phishing is not going away—it’s becoming more advanced. The report shows a 58% increase, with bad actors using AI, deepfakes, and sophisticated spoofing to bypass traditional defenses. QR codes are now part of the attacker’s arsenal, used to redirect unsuspecting users to malicious websites. Business Email Compromise (BEC) and inbox rule manipulation remain persistent, subtle ways attackers maintain access to sensitive systems.
So what can MSPs do? Start by implementing and enforcing strong identity programs, including multi-factor authentication, conditional access, and, where possible, hardware tokens. Monitoring for anomalous behavior must be a standard part of your detection strategy. Adopting Zero Trust principles—never trust, always verify—is no longer a best practice; it’s a requirement. Equally important is educating clients: from phishing awareness to QR code risks, user behavior is still a major line of defense.
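The inbox rule manipulation mentioned above is one of the quieter persistence techniques, and "monitoring for anomalous behavior" has to include the mailbox itself. The following is an added example, not code from the report or from any vendor: a small Python check that reviews a mailbox's inbox rules for the patterns that typically follow a compromised credential (forwarding to an outside domain, forwarding then deleting, hiding invoice or password mail in folders nobody reads, rules with throwaway names). The record shape, field names and the sample rules are assumptions constructed for the example; the tenant's own domains are the only input an operator would need to supply.

```python
"""Added example: flag mailbox inbox rules that look like BEC persistence.

Assumptions (this example's own, not from the report or any vendor API):
rules arrive as InboxRule records exported from a mailbox with the field
names defined below, and the tenant's own email domains are known.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Folders attackers commonly route mail into so the owner does not notice it.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive",
                  "deleted items", "junk email", "conversation history"}
# Keywords typical of rules that intercept payment or account-recovery mail.
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "wire", "remittance", "bank",
                       "password", "mfa", "verification", "hacked", "phishing"}
# Rule names chosen to be overlooked in the rule list.
STEALTHY_NAMES = {"", ".", "..", "...", ",", "-", "_"}


@dataclass
class InboxRule:
    """One inbox rule as it might appear in a mailbox export (constructed shape)."""
    name: str
    enabled: bool = True
    forward_to: list[str] = field(default_factory=list)      # SMTP recipients
    delete_message: bool = False
    move_to_folder: str | None = None
    mark_as_read: bool = False
    subject_contains: list[str] = field(default_factory=list)
    body_contains: list[str] = field(default_factory=list)


def is_external(address: str, internal_domains: set[str]) -> bool:
    """True when the recipient domain is not one the tenant owns."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in {d.lower() for d in internal_domains}


def assess_rule(rule: InboxRule, internal_domains: set[str]) -> list[str]:
    """Return the reasons an enabled rule matches known persistence patterns."""
    reasons: list[str] = []
    if not rule.enabled:
        return reasons

    external = [a for a in rule.forward_to if is_external(a, internal_domains)]
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))

    # Conditions that single out financial or credential-related mail ...
    keywords = {k.lower() for k in rule.subject_contains + rule.body_contains}
    hits = sorted(keywords & SUSPICIOUS_KEYWORDS)
    # ... combined with an action that keeps the owner from seeing it.
    folder = (rule.move_to_folder or "").strip().lower()
    hides = rule.delete_message or folder in HIDING_FOLDERS
    if hits and hides:
        reasons.append(f"hides messages matching {hits}")
    elif hits and rule.mark_as_read:
        reasons.append(f"silently marks messages matching {hits} as read")

    if rule.forward_to and rule.delete_message:
        reasons.append("forwards then deletes, so the mailbox owner never sees the copy")

    if rule.name.strip().lower() in STEALTHY_NAMES:
        reasons.append("unobtrusive rule name")
    return reasons


def find_suspicious_rules(rules: list[InboxRule],
                          internal_domains: set[str]) -> list[tuple[str, list[str]]]:
    """Return (rule name, reasons) for every rule that triggered at least one reason."""
    findings: list[tuple[str, list[str]]] = []
    for rule in rules:
        reasons = assess_rule(rule, internal_domains)
        if reasons:
            findings.append((rule.name, reasons))
    return findings


# Constructed sample: five rules as they might come from a single mailbox.
SAMPLE_RULES = [
    InboxRule("Newsletters", move_to_folder="Newsletters", subject_contains=["unsubscribe"]),
    InboxRule(".", forward_to=["collector@example.net"], delete_message=True),
    InboxRule("Invoices", subject_contains=["Invoice", "Payment"],
              move_to_folder="RSS Feeds", mark_as_read=True),
    InboxRule("Ops escalation", forward_to=["helpdesk@example.com"]),
    InboxRule("Old forward", enabled=False, forward_to=["x@example.org"]),
]
INTERNAL_DOMAINS = {"example.com"}

if __name__ == "__main__":
    for name, reasons in find_suspicious_rules(SAMPLE_RULES, INTERNAL_DOMAINS):
        print(f"rule {name!r}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the sample, the check reports the "." rule (external forward, forward-then-delete, throwaway name) and the "Invoices" rule (payment mail diverted to RSS Feeds) and stays quiet on the internal escalation forward and the disabled rule. In practice the same logic is worth running on every rule-creation event rather than only on periodic exports, since a rule created minutes after a sign-in from an unfamiliar location is the anomaly the summary is talking about.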
The 2024 Microsoft Digital Defense Report is a roadmap for the future of cybersecurity. MSPs that take these threats seriously and adjust their service models now will be better positioned to protect clients, reduce incidents, and lead in an increasingly hostile digital world.
Video Transcript
Oh no. Did my camera just go out? Yes. It just went out. We just went live, but they all see you as we let everybody come in. Welcome, everybody. So now we went to your Elgato, whatever that... Well, yeah, it's 'cause I switched. My DSLR took a crap on me the other day. Ah, okay. Let me see. Oh my God. Welcome everybody. As Mackenzie works on her technical issues, I'll talk real quick about my technical issues.
You might see me going back and forth a little bit. I was telling Gary and Phyllis and Mackenzie this: my hurricane woes continue. We had to take down some trees that were leaning this weekend. And the good news is, if you're in Tampa and this area, you guys probably know there's just piles and piles of debris of trees and branches and everything. And I walked back in the house and no internet.
Well, the good news is they came and brought these massive, big tractors and picked up everything. The bad news is they decided to rip my fiber line out of the ground. During the process. Yeah, exactly, during the process. So I'll be looking back and forth. I have no printer, 'cause it's connected to wifi. I'm out here on my porch. My neighbor was kind enough to let me hook into his wifi. But we will get going, nevertheless.
Mackenzie, how are you doing there? As I set the stage, we'll kick things off. I love the delay. I'm doing good, minus my camera's still giving me issues. All right. We'll let you... It was just working. You saw me, Bob saw me. They know it was working. Yeah, we do know you're here. It's not a deepfake. Deepfake Mac. Right. Deepfake Mac.
What I would say is, if one of our cameras had to be broken, it really should be Andrew's or mine, not yours. No one needs to see us. Exactly. Yes, I agree. Gary was berating me that I do need some type of backup. And yes, either Starlink or some type. I do need to get... I put in the chat, as I continue to stall here for you Mackenzie, I put in the chat that is the 2024 Microsoft Digital Defense Report, and let's get going.
'Cause the first few questions I got are for Gary and Phyllis. Alright. So Gary, hard to believe, but we are in the final two months of 2024. I guess, is it true that the years go faster as you get older? 'Cause it certainly feels that way. Yes. It actually is, from a relative standpoint. It is proven that time speeds up as we race towards death. Interesting. Well, always you to make me feel just brighter and cheery.
But, you know, this has become, I think, one of my favorite threat reports because Microsoft obviously has, from a data set with M365 and Azure for MSPs, I think one of the most complete and extensive data sets that we need to be aware of, and of who is looking at and attacking us. But again, more extensively, enterprises in general are using Microsoft more than ever.
So I thought it was really fitting, because this report just came out and it looks like a backward 12 months, bringing on Mac, who will introduce herself shortly, who worked at the Microsoft DART. I thought it was really fitting. Can I introduce someone? Yeah, of course. That's Mary. Oh, aw. She's so adorable. Ella Pika, my first grandchild. Aw, she's adorable. I got the picture from Gary Jr. That I know.
You know how they say some babies are like, oh, the baby's beautiful. She's gorgeous. Yeah, I know. Everyone says their grandchild is the cutest, but yeah, she's actually the cutest. Yeah, she's gorgeous. Wow. She's beautiful. Yeah, my daughter was pretty darn cute though, Gary. I'll have to... I'm sure. By the way, speaking of kids, grandkids, Jackie started her first day as an official SOC analyst today at ReliaQuest. Big. That's amazing. Yeah, yeah. And special.
You're passing on the family business. That's right. And Phyllis, I have to thank you for mentoring her for one and a half to two years, and then working as an intern at CIS. So yeah, very exciting stuff. Yeah, sure. Anytime. Well, I mean, we'll continue to keep in touch. Oh, absolutely. Absolutely. Alright, so let's do this. Mac, do you wanna add my other self to this? And I'll drop from this call? To be honest, I just pulled up my MacBook.
Oh, I figured it out. It told me that for whatever reason, Restream does not like the upload speed attached to Elgato cameras. So there. Perfect. There, you're better. There you go. Much better. Yeah. Good to see you Mac. Perfect timing for you. As I was saying, it was really fitting.
I know you're over at Blackpoint now, but you spent many years at the DART, so maybe you could share a little bit about what that is, as you give your intro, so that people can understand your background and obviously what you're doing today. But this report is, like I said, certainly... Verizon is the gold standard, and so much of what Phyllis does with CIS and the VERIS report and everything is so intertwined there.
But I just love what Microsoft is doing from its dataset perspective. It's so relevant to MSPs. So anyway, Mac, welcome. For those that may not know you, tell us a little about yourself. Yeah. Okay. Actually, let me make sure... do you need notes? Leave the site. There we go. No, I'm good. I'm just gonna be winging it.
Mackenzie Brown, if you guys haven't met me, I'm at Blackpoint Cyber, VP of APG, so I run our Adversary Pursuit Group. We are the threat intelligence, threat research unit that lives inside of Blackpoint's Response Operations Center, or SOC. So we do a lot of cool things, but I'm a huge fangirl of MDDR. As Andrew was saying, I spent four years at Microsoft on the DART team, doing pretty much global adversary investigations.
And we contributed a lot every year to the Digital Defense Report. I'm a huge fangirl of it. I feel like every year it's getting bulkier and bulkier, I'm not gonna lie, the amount of data, but it's fun to see how trends, while trends are kind of the same, they also shift a bit, right?
Like we were more into misinformation campaigns and disinformation, which is talked about, but then you add in all the new things with AI, deepfakes, QR phishing, a lot of the stuff that has come out. And so they'll spend more time, and I think they went from, what was it, 24 trillion signals a day to an even bigger number, right? So when you talk about the data set, that's the thing that I think is the most valuable. Every single device, in a sense, every Windows system. Yeah.
Kind of a signal back to Microsoft, spooky. But they do gather a lot of information, and they take a lot of the investigative cases and pull them apart and actually use them for this report too. Mac, just real quick, DART, can you explain the acronym real quick for those that may not know? Yeah. So DART is the Detection and Response Team. I believe they got rebranded, as Microsoft does best, to just Microsoft Incident Response.
But a lot of the OGs still use DART in their title. And there's also a new team at Microsoft as well that kind of supports both MSTIC and DART, called GHOST. So I have a lot of my former coworkers on the GHOST team, which I can't tell you what that... something global hunting something triage. It's all alphabet soup for a while for me. Yeah, no doubt. All right, well, let me get into this, Gary. Yeah. It's been a few weeks. Welcome back.
I always love this time to talk to you after you spend time with troop here. You had DattoCon, but I wanted to get your side, your take, right? After spending a week with both, give or take, 600-plus MSPs in the peer group, the winner's circle, your more mature companies. Can you give us a sense of, like, two... give us both good and bad, meaning, yeah, two sides of the coin. What excites you?
What are you optimistic about? What concerns you still as you look at, again, a pretty big data set of MSPs? Yeah. And it's different. In fact, this was the longest business trip of my career. I've never been gone for a week and a half, and the first half of it was spent with, like, familiar... I get to see everybody's numbers in the peer groups, mm-hmm, and then a wider set, probably more representative of the marketplace, mm-hmm,
you know, with DattoCon. And so I'll do business and security. From a business standpoint, I think the business is just, in general, good for everybody. I think everyone's feeling that more SMBs are spending more money with MSPs. And so I think it's the easiest market to succeed in. It's hard to make a really bad mistake in it. Right?
Having said that, we're really seeing that security is leading the way, and I'm starting to see automation do the same thing, where less mature MSPs, and that could be scale, but it could just be operationally, like how they operate with their process and roles, it is getting harder, right? They can't get customers that are knowledgeable, and you have to have a certain level of operational maturity before you can have a level of security maturity.
And those same MSPs right now are first in line to mature in terms of their automation posture, which I think is probably the most important thing over the next few years. And so I've heard some people say, well, if you don't keep up, you're not gonna be able to be an MSP. I don't agree with that. I just think you're gonna be left with the customers that the really good MSPs don't want. Mm-hmm. And that's an issue, right?
Because that's a lot of SMBs that need the same level of protection from a security standpoint. One overriding positive note is, I feel like the poverty level on security is slowly starting to rise. And things like, I say, 365, endpoint and user, have made an impact because everybody can get everything. So a lot of MSPs that didn't have MDR everywhere, they have it everywhere now, right? 'Cause they can afford to. And so hopefully that continues.
But if you were ever gonna decide to be a more mature MSP in a year, this is the year to do that. Yeah. And if you take a step back from what you just said, Gary, the reason I think it's never been a better time for MSPs that really are committed to process maturity, investing and really improving their operations, is you're seeing a tale of two economies, right?
You're seeing continued outsourcing as we get larger and larger and larger, which means there's more and more... you're seeing this with the Thrives and VC3s and IT Solutions, where you sit on boards, the size of the deals. I mean, it's not uncommon for $30,000 to $40,000-a-month deals now, is it? No, not at all.
And now below that, we have so many MSPs that have between 10 and 50 employees that have matured operationally, and they're offering a high level of support and security to that 30 to 100 users. So I think those SMBs... it's when you get down below that, and there's a lot of businesses, right, between five and 25 or 30 employees, SMBs, there's still a lot of work to do there, and they're the most vulnerable. Yeah. Okay. Cool.
Phyllis, one last thing and then we'll get over to Mac and the report. You've been on the road all month, which is very unlike you. So welcome back. Thank you. You traveled both nationally and internationally. So anything, as you talked about the controls and reasonableness, what CIS has come out with, anything stand out to you over the past month in talking to organizations?
I mean, I think it's the same as what we've heard on the Cyber Call: organizations, number one, want to know what's the least amount I can do and still be okay. And okay means, number one, I need to get cybersecurity insurance.
And number two, we've been talking about reasonableness, which means, hey, if you suffer a breach and you end up on the other end of a lawsuit, how is it that you can defend yourself in a court of law to show that you reasonably implemented a cybersecurity program? And so we've seen a lot... You sound like Eric Tils now, using the word defensibility. So we've seen a lot of interest in this, not only just nationally, but internationally.
We went and spoke at an international standards body over in France, and they too were very interested in it. They don't call it reasonableness in the EU, of course. What do they call it? It starts with A... I can't even remember. But it was good. And just like here, I also gave a talk at a big financial institution.
And what I thought was interesting there is they wanted to talk about the partnership they had with the NCFTA. I won't go into it, but the collaboration was key, right? Mm-hmm. Even these big banks, who you think are, and they are, you know, they have a lot of money, they're investing a lot, these big credit card companies, is the one story I'll focus on, is that they also have to collaborate so they can help each other defend against these threats.
An example was an ATM machine where they were losing millions and millions of dollars a day. And through a cross collaboration, internationally, across the banks and the credit card companies, they got that down to 30 to 50K a day. And so I really thought about this community, 'cause I think this is one of the best communities that knows how to really collaborate. And there's a lot of peer groups; Gary has one, and there's a bunch of others.
So I just wanna say I encourage the group to do that and keep on pushing forward, because regardless of how big you are, that collaboration is always valuable. Yeah, I say every MSP should be in a peer group, either ours or a lesser peer group. It's fine. Nice plug there. I like that. Oh my gosh, Gary. Yeah. Alright, can we jump in here with Mac? Yeah. So it's crazy.
I was reading some things, and this is not the question I had for you, but just the global impact. They were comparing the global impact of cybercrime financially, relative to GDP, compared to organized crime, like back 80 years ago when it was significant, and it dwarfs it, right?
It dwarfs anything that we've seen. Like the tax on this, it almost makes it hard to keep inflation down; that's what a big number it is relative to worldwide GDP. But the first thing I wanted to start with in looking at the report was just in the US, almost 400 healthcare institutions were successfully hit with ransomware and closure, different attacks. And historically this was off limits for cyber criminals, right?
Like, we didn't see this. What's changing, in either the ethics, the approach, what's changing that we see this? 'Cause you see small changes every year in the report, but this one has been consistent. Well, I'm just shocked that a marketing strategy for moral compass for threat actor groups tends to supersede common sense. I think, well, first and foremost, if we look at the landscape, it's not just targeted, but it's also opportunistic. And you'll see kind of a theme.
They talk about it in the report as well. And it's things that we've been talking about for the past two years: the entire syndication of the nefarious actors. Whether you have APT groups, ransomware operators, nation state groups, just any sort of cybercrime gangs, they're starting to collaborate. As Phyllis says, we need to do more. They're doing really well. They're doing a lot more collaboration.
And it's starting to blur the lines a little bit, especially when it comes to attribution. So it is gonna be opportunistic in a way where just because they're saying they weren't... I mean, no one probably took that seriously. At least I like to think people didn't take it seriously. It's almost like you're negotiating with terrorists at that point, if they're saying that they're not gonna target healthcare.
And it also doesn't bring into question, when you think about healthcare as an industry and all of the individual fields that sit within it, it's not just hospitals that are getting hit. So one, you have this syndication where you have these cyber nation state groups and they have affiliate groups, which are gonna be ransomware-as-a-service type of opportunities.
And so when we start to see these as-a-service models getting bigger and bigger, it allows the actual nation state groups to do what they want to do, which is be disruptive. To be disruptive, especially when we look at cyber warfare as a whole, and then intelligence gathering. So this is a lot where you see not just double extortion cases coming into play, but it's really espionage work that they wanna be able to lean on. Yeah.
But as far as the vertical in itself, people think of healthcare and they immediately go to hospitals or smaller facilities. But Covid was a big wake-up call, because when we saw healthcare getting targeted at a mass level, it wasn't just hospitals, it was biomedical labs, it was pharmaceutical companies, it was cyber insurance. We just saw Change Healthcare this year get hit. Right?
And so to me, it's also pulling back a little bit and defining what the industry of healthcare is, because a lot of different types of businesses, one, not just from intelligence gathering, but it's just as disruptive. I mean, the Change Healthcare stuff is still... I'm sorry if you're hearing my noise from my phone, 'cause now I'm on my Mac, but the Change Healthcare attack or data breach is still being talked about. It's still going through the court process. That was me. I was texting you.
I know. Can you imagine? Like, please stop now. So I like to think even though we saw major affiliate groups like LockBit get taken down, it doesn't necessarily mean that new ones aren't getting spun up. And I just did a full debriefing on RansomHub. This is a new group we've been tracking, and a few cases that we've seen, but we track these as almost being like a ranking of where they're popular. Just like you see, oh, BlackCat's kind of taken a step back.
It doesn't necessarily mean that; it just means that they're changing their opportunities to work now with other affiliate groups to make it a lot easier. Yeah. When a ring breaks up, those members aren't retiring. No. They know where the money's at. Yeah. So the moral compass side of why healthcare is still getting hit, I mean, it shouldn't shock anyone. Yeah. Especially from nation state. It's very disruptive.
Mac, would you say on your Mac, if you hit... to focus, just go 'do not'... if you just swipe down on your iMac, or iPhone rather, and you just hit, it'll say Focus, just put 'Do Not'... I think it's Do Not Disturb. Yes. So you kind of mentioned this in your answer back to the first question, but I wanted to drill down more into collaboration between nation state threat actors and cyber criminals, right? Mm-hmm.
Which are kind of acting like a force multiplier. And so can you talk about what that looks like and how that's evolved, where it was kind of two separate things at one point, and how that collaboration is working? Well, I think it just is based on what their objectives are, right? So nation state is gonna be disruptive, intelligence gathering, espionage; that's kind of their forte.
Some of these cybercrime groups that are really, honestly, becoming more flexible and more sophisticated tend to move more into the APT space. And then you have good old-fashioned cybercrime. And those, to me, what we're seeing is more... I just put myself in Do Not Disturb, so I'm sorry if you guys keep hearing it. So what we're seeing is, I think, more on the innovative side. So again, you have these platforms.
Some of the things that we're tracking, which is like phishing-as-a-service platforms where they can create custom-crafted emails. They have great customer service and support, they have session theft capabilities built in. So we see a lot more tool innovation as well as the as-a-service model.
So whether you're looking for initial access brokerages, looking to purchase credentials online, or actually hiring a ransomware-as-a-service group, the blurriness starts to make this argument around attribution really difficult for us, because it's plausible deniability, right? It's moving them out of the forefront. It's changing, okay, what is the actual objective? And it's pushing everything to be about compensation and monetary value.
But even if we talk about things like double extortion, what type of other intelligence or data was gathered, and what other trusted organizations are going to get hit because they have some sort of connection to the targeted organization at hand. And so I think the big thing too, when we saw what was going on in Ukraine, what was this, 2022? It's not that long ago.
Right out of the gate, they developed the wiper malware, and that was basically acting like ransomware, doing the exact same thing once the adversary activated it. So that was extremely... they were targeting anything that was gonna be institutions or facilities that were supporting civilians. They launched over 200 cyber-based attacks right out the gate. I mean, we saw that destructive nature.
And at Microsoft, they actually went and put in an effort to support from an incident response side, along the way, remotely, but support from an incident response side to be able to just do business restoration and containment. And so I think we have a good idea, when we look at Ukraine, that this is just gonna be an example that repeats itself. What are they gonna target? Why are they targeting?
And this is my big conversation that I push out, honestly, all around verticalization and understanding the industries that are being covered. Because when you look at anything like cyber warfare and what's gonna happen with it, I would rather focus on the industries, and specifically why that vertical is gonna get targeted and what the impact is gonna be. So you mentioned Ukraine, how that was really something that was a catalyst.
Are you seeing similar things, like in the Middle East? I don't want to make speculations of what we're seeing or anything. As far as any sort of geopolitical events, the same thing that we've seen in Ukraine is gonna happen again, as far as targeting specific things that support civilian economies, support any sort of organizational type of critical infrastructure. It's not just government, right? We're talking about healthcare. It's not just healthcare even. Yeah.
It's looking at energy, it's looking at manufacturing. I mean, those are at the top of our list: we have industrials, which includes manufacturing, construction, anything that's gonna be considered supply chain. Then you go into technology, that's definitely gonna be hitting hard on the supply chain and having ease of access to many organizations. And then you get down, and I think healthcare is like number five. It's right after that as far as ransomware-targeted activity.
And when you look at ransomware-targeted activity, to me that's a direct reflection of what's going on in general cyber warfare, because ransomware is disruptive in nature. So it's taking down businesses that support civilians in these locations.
Gary, just real quick, to your point, in the article, page, I don't know, in the thirties, I think, to your question, it actually has a great section on Ukraine, Israel, and there's no doubt your question is being answered: yes, they're being targeted, and, as Bob Miller put in there, water, power; with that you see an increase in OT, mm-hmm. Right? Which would go hand in hand with knocking out those types of systems, right?
Fill us that support the critical infrastructure. So yeah. So the next question, another thing I picked out of the report was that information technology as a target was like 24% of attacks. Number one. Yeah. Red act number one. Number one, by the way. Yeah. 24%. Like that's crazy. Now again, as you said, that encompasses a lot, you know, falls under that.
But specifically some things around being able to do more destruction through supply chain attacks and whatnot. Like, have we reached a point where... not too many MSPs felt they needed to really dive deep into adversarial emulation, but are we approaching that point based on the fact that it's such high value targets? I think we're approaching it. Absolutely.
I think we've seen a lot of supply chain attacks in the past few years, and to be honest, I think SolarWinds kicked it off, right out of the gate, of what type of level of impact it has when you have a targeted large type of technology platform that pretty much most of the federal government used. We're only gonna continue to see it.
I think you can see these patterns when you just look at the level of vulnerabilities that are getting hit and what threat actors are targeting as far as exploitation goes. They're targeting firewalls, they're targeting management systems, they're targeting things that allow them ease of access and automated elevation of privilege.
So I think that we're getting to the point where I don't know if we're necessarily talking about patch management anymore as being something that we should be doing, rather really doing inventory and holding vendors accountable, holding software accountable at that point. Because that's really the concern on the supply chain side: targeting things that give you administrative control out of the gate. Yep.
And so that kind of leads to my next question around what we've seen. Andrew gave me this note that Trend Micro saw an increase of 58% in terms of phishing. So like living-off-the-land type things, getting to legitimate software for command and control. Like, as much as we've seen that, it has doubled down over the past year. And so again, I think as MSPs, everyone needs to start thinking about this, right? A little bit differently.
Yeah, I think of phishing, like it doesn't surprise me; it's obviously gonna only grow in percentage, it's not going anywhere. And a lot of people kind of put it in the back of their mind as, oh, we have an email gateway and we have certain Microsoft protections, so everything's fine, and external sender. And then we look at security awareness training, right? Like things that we really have drilled into people's brains of how to be aware for any sort of social engineering.
But the problem is the way they're doing this now, as far as what adversaries are gonna focus on, is how do I create this semblance or sense of security?
So we saw this in a lot of these... really one, we see business email compromise attacks, where to get initial access you simply just need to compromise one credential, whether you purchase it on the dark web, and you don't need to make any noise internally in the environment, and then go from there, as well as leveraging things like AI to make the crafted emails, the linguistics of it, feel more believable, right?
So we still have the concept of urgency, and we're starting to blur it so everything feels more legitimate. But what scares me is these services that also get used, so they're installing their own VPN services, they're leveraging their own hosted cloud infrastructure. They're putting up things like Cloudflare, 'are you human', basically, on the authentication side. They're pulling in very realistic Microsoft M365 portals that you log into, right?
The report talks about this all the time, and that's been going on for a while, but they're doing it in a layered effect. So the end user's like, ooh, I don't know if... oh s**t, I clicked, sorry, I clicked an attachment. That was bad. I shouldn't have done that. But then all of a sudden they're getting redirected through infrastructure that feels like, well, their IT team put that together, so this must just be a normal security control. And that's that sense of security that they're banking on.
So they've improved the linguistic side, they've improved the approach. We all know MFA bypass, session theft, to those that are even using it, is plausible and easy. And then the last layer is, how do you monitor for compromise at that point? Because phishing is going to absolutely get through when they're just, you know, a spray-and-pray type of approach.
But it's more... yeah, I just read something last week about how good it's getting, even getting out of email, even just some voice command things. Yeah. Like some voice deepfakes, you know, thinking the CFO was talking to the president of the company. It's even going beyond what you're saying. And those layers are kind of what we depended on. Like, you know, I'm used to never clicking on a link, always going to the site.
But now that doesn't ensure security any longer, is what you're saying. Nope, nope. It's definitely terrifying. And the big one that concerns me the most, and, you know, we kind of talked about it a little bit on the MGM stuff, but I was glad that the MDDR brought it up, was also impersonation of help desk. And what we saw, there was a recent RansomHub event too that came out where the CFO contacted help desk and got their password changed.
So it's also this outsourcing thing you're talking about too, of how do we verify the user. You know, if you've been able to impersonate, to an extent, everything about this user, then we're not just asking for, hey, can you deposit, you know, a hundred grand through this wire transfer? And that seems normal, but changing a password seems probably more normal than an anomaly of a wire transfer.
And so they're able to create that persistence by not just masquerading as the user, but now being able to actually do account takeover to its fullest extent. Yeah. So I mean, and again, when you think about MSPs and the role they play, you know, a lot of that responsibility is falling on them. And it's one thing when you're putting it in and you're the help desk for a thousand-user company.
It's another thing if you're the help desk for a thousand users as an MSP that are in 40 different companies. Yeah. I don't have any advice there. I'm sorry, that terrifies me though. Like I know we're not trying to curate the theme of this as FUD, but absolutely, yeah, those are the trends that scare me the most, because you need that, right? Operationally, you need that for your business, you need to put that in place.
But if you're managing many organizations, you can't rely on that one help desk person to even understand who this end user is. And someone, Senior Los Gatos, I'm sure that's your real name. So it's, you know, a secret code word, like how do you get around verifying identities?
Because what I found interesting in the report is, what was the percentage? I can't remember what the percentage was, but that slowly the reliability of biometric data is going out because of deepfakes, right? Like things that we learn about in Security 101 of, you know, options for 2FA and secured authentication and authorization. Like some of those are just going out the window.
I personally think this is why we're moving towards, like, passwordless is getting pushed harder. Being able to have hardware tokens that actually grant you access. Like, these are the things that come up a lot more in conversations because we're having more difficulty verifying identities from a scalability point of view. Yeah. I make my team write me a note in crayon, in a color that only we have. So yeah.
Old school, I'm going back to the old school way of verifying. So with that, Phyllis, I'm going to hand it over to you. Yeah, sure. It's great to see you, Mackenzie. Always good to see you, Nicholas. You know, you're talking about the deepfakes. Just as a side note, I actually meet with someone regularly from a big financial institution. And they hired someone. I mean, it's similar but different. It wasn't like a deepfake per se.
I mean, it kind of was. Yeah, the woman really existed. That person was in the US, but it turned out, because of, you know, remote work and because of how everything is done remotely, that individual ended up having five jobs and not performing at any of them. Luckily, the person who I meet with, they caught that person on a recording, because it was like a video call, you know, that would only show the lower half of the face, all this kind of stuff.
But I mean, the saga continues, but it just brings home the fact that, you know, the convenience of remote work and the fact that we're all doing everything remotely, telehealth, school at times, all these things. We put in these things for convenience or out of necessity, but then it's kind of like biting us, where now you are doing interviews over a Zoom call.
I have two other Zooms up right now for two other jobs I have. There is collecting taxes. Legitimate, because I feel really bad for how they're going to do their taxes next year, if they even... they probably don't do their taxes, right? That's a whole lot to fill out at that point. All right, let me move on. So we're talking about phishing, and someone already mentioned, I think, you know, the same person, Senator Los Galo, about using QR codes.
And so the report talks about 25% of phishing attacks using QR codes, which is a big rise. Mm-hmm. And of course, folks are getting redirected to fake websites, resulting in adversary-in-the-middle attacks and token harvesting. So give us your thoughts on why the uptick, why are these things being so successful? I mean, I think they're successful because of the goal in many of these cases, right? We already talked about establishing some sense of security.
We've already established culturally that scanning for your menu is considered normal. So we scan QR codes, sadly, every single day. I mean, we're scared to even use them in some of our marketing, to be honest, because we know MSPs and QR codes, right? Because we're like, don't scan it, but also scan here to win this raffle. So I think really the biggest thing is they're successful because you're hiding the destination from the user.
So they're going to websites that are practically copy and paste. I just spoke to a partner, a really good one. They're all good, but I spoke to a really good friend that's a partner last week at dacon. And he was mentioning some of the... they actually completely copied and pasted their entire website; outside of the pictures of the executive members and the location being changed, it was copy-and-paste replicated and normal. Mm-hmm.
And so when you see that, that's when you start to... that's terrifying, right? For an MSP, you start to get into this adversary in the middle because they're hiding that destination from the user. The user has no idea. And so for me, I see an uptick in it because it is successful, it works. They're able to obfuscate in a way that seems legitimate. They're able to do a lot of SEO poisoning as well.
It's not hard to spin up infrastructure to create a website, and everything's public, so it's really not hard to emulate it at that point. Right. So I think the uptick is culturally, we've just gotten really used to doing certain things. We've gotten used to navigating the internet when we're looking for something; we're not going directly to a link we trust. We're just going to go straight into Google and type in, you know, it networks msp.
com, or into Google and just click the first thing that's on the sponsored page. And so I think it's successful because we've gotten so comfortable in the way that we interact with technology, let alone scanning for ordering appetizers. So, right. Yeah. And you bring up a good point, Mackenzie, just the last thing you said. Like, I'll give you a great example. I have Arlo cameras.
I don't know if you guys know, you know, the security cameras, and if you type in, like, and this is done a lot, if you type in "Arlo support customer service number," it's a spoof that comes up always first. And so, you know, to your point, whether it's the example you just gave, QR codes, et cetera, people seem to... it's convenience, right? That people just trust that that must be okay. Well, and the trust. Yeah.
And I feel like it's now a transfer of business risk, because you, as the business owner, have to do your own due diligence to monitor what is going on on the internet when you type in your name, and to look for those spoof domains, or hire someone to help you do all of those. But you're almost doing OSINT on yourself, you know? Mm-hmm. And Phyllis, you had mentioned too, on the person having multiple jobs.
I mean, we've actually seen urgency coming from our talent acquisition because, whether you're leveraging LinkedIn or any other contract-finding, doing the recruitment process in a remote workforce is also a problem, because the botnets are out there and they've only increased. And so we've seen a significant amount of applicants who also leverage AI to bypass some of the models to meet all the keywords for all the job specs, right?
And so it's interesting to see what adversaries are doing just from a social engineering side that have blended into the way we do things. Yeah. So my friend who works for that big financial company, she contacted HR. HR was like, okay, you're not the only one. I mean, you know, it's like prevalent throughout the organization. She just happened to be fortunate enough to catch someone on a recording. You know, but yeah.
And who knows what the other incidents are, you know, if they're deepfakes or whatever. So anyway, we also talked about BEC, business email compromise, which of course is still a prevalent threat, followed by some inbox rule manipulation. And now there's a new twist with that. And so instead of using the usual New-InboxRule or Set-InboxRule commands, they're now using UpdateInboxRules, which... it's like everything just evolves.
It's so clever. So now they can redirect emails with keywords related to credentials or financials and then send those to less monitored folders like your spam or history, so on and so forth. And so, you know, as we talked about, MSPs, a lot of them are providing these kinds of services for their clients, right? So what is it that an MSP can do to help mitigate against these types of threats? Well, one, staying informed and knowing about these threats, right?
Because this should actually move into awareness training and user training a little bit. It's not going to make the huge impact that we would hope. I also think it's building out an identity program that is a best-practice program. We still are seeing a lot of people not doing MFA. And so I'm tired of speaking about MFA bypass or evasion techniques or token theft when I'm like, well, you're not even doing it.
So if you don't have it, you're probably also not doing conditional access policies. You're probably not creating this verification process or using strong authentication technologies. Like, you probably still have legacy auth protocols, right? These are all the things that we need to just be more aware of from an identity program, right? You can't just assume that the end user's going to figure it out.
And this is where we move into the monitoring, and this isn't plugging MDR at all, but it truly is, these are the things that we look for from a cloud response side. We can see when new inbox rules are created. So in the past, and from an IR perspective, we'd see the really traditional inbox rule creation where they are, you know, forwarding certain emails to RSS feed folders or folders that are not going to be seen. They're deleting specific emails.
That's any of these in-the-middle conversations, like you said, looking for "change password." We saw a lot where they'd actually do inbox rules where anything that was cybersecurity related, coming from specific people on the security team or the IT team, they would actually make sure those emails were moved. That way they could be triggered if something was happening, but the end user wouldn't be.
And so I feel like they're kind of transitioning to basically make it more difficult to track those inbox rules. And this is the only thing that I can say that comes in handy, is having monitoring in place. The scariest stat that we've pulled from the past year is 25% of our newly onboarded customers have an active BEC. So we can know which ones are the compromised users.
They take a little bit more hunting from a triage perspective, because you've got to look at their communications and what's going on. But we see a lot of the, almost like email stomping, where they're deleting a lot of this information that we now need to do some sort of forensic pull on to understand, okay, how did you get compromised in the first place? So we're seeing... I think we're going to keep seeing an uptick in BEC.
Our cloud cases are 10 to 1 when it comes to what we're looking at on a regular basis in the SOC. And our cloud cases also technically have larger response times than on-prem attacks. They take a little bit more investigation and digging that needs to happen. That's a very high percentage, 25%. That's terrifying. That's crazy. Yeah. And it's a lot, kind of what Gary was talking about too. Sometimes it's the smaller organizations, right? That are coming in that have been hit for a while. Right?
So I was just having that conversation at DA Ocon with, you know, Jim Lippy, and still, you know, with alerts there, there's still evangelization, right? That people should have cloud detection and response when, as we're saying, a disproportionate amount of the attacks are there. Mm-hmm. Yeah, definitely. I mean, you know, you see it in the big banks looking at the small, at the supply chain.
So, you know, and that's how the adversary's getting in, right, through the supply chain, the smaller organizations that are providing services to these big banks. Yeah. So we talked about MFA, and you talked about how really the adversary is doing a good job of building that trust and getting into, you know, the adversary-in-the-middle attacks and really inserting themselves to get credentials and so on.
So can you just tell us or walk us through how lack of MFA can be used to create persistence in M365 attacks? Yeah. So I mean, if an organization isn't using MFA, they're likely not using anything like conditional access that establishes what is considered a little bit of normal behavior and gives some semblance of detection in place. So they're already way back behind the starting line of where they need to be. Mm-hmm.
You know, if a threat actor is able to luckily land upon a target that doesn't have these identity controls in place and they manage to authenticate, they're now going to do enough enumeration to look for the users that are going to be most valuable. If they can hit an admin and a shared password, that's obviously going to be the goal. It's going to be easy. But we see a lot of threat actors, because now they're pivoting into lateral movement.
So they're going to do things like actually look at the users you have. They may target guest accounts, they may target contractors, other IT admins, of course, not just for the level of privilege, but because it's considered very normal. And then we see a lot of creation of new accounts as well. And this allows them to maintain the foothold in the environment.
And the biggest thing that's actually terrifying to me is, moving past MFA, once they're able to take over these accounts and gain elevated privilege, they're going to start removing permissions from other users. And this is where you see things like privilege creep come into play, because they're going to target certain users. They may go back and actually do least privilege for the rest of your users and make sure no one else has access. They're also going to gain leverage.
We're living in a SaaS world now, unfortunately. And so if you look past even having MFA and conditional access, they're going to mask themselves behind normal applications that also have that privilege creep. Mm-hmm. They all have the global admin capability to be able to now hide themselves behind an app. So I think the difficult thing here is that, if you don't have MFA... I really hope everyone on this call has MFA.
I was about to say, let's do a survey. I was about to ask, who here has any customers that are not enabling MFA, right? So Gary started off the call with, hey, if you're not doing cyber now, this is the year. We know some of you aren't. So, you know, Gary, when you're in your peer group and you foot-stomp, you must have cybersecurity.
Do you still have those organizations who are like, well, I'm almost there, but I see my clients who aren't going to implement some... Yeah, I don't have to ask them. All I have to do is look at their average seat price to know that they've got a bunch of customers that can't be paying them enough to be able to do these things, period. Like you can't do them if you're losing money.
So unless you have a commercial model that allows you to put the right tools in place, and again, luckily some of these tool costs now are coming down dramatically, but unless you can afford to do that and then build, you know, the policies around it, you can have good intentions, but Phyllis, I don't even have to do a survey. I can just look at what they're charging on average and what kind of old customers they're dragging behind them.
And they always say, well, my customers won't pay for that. Like, it's the customer's fault. Yeah. Or like, the associated cost is going to be that much higher than the cost of a breach. Right. I like how you said the customers, they're dragging these customers behind them. I really like that, because it is a drag, right? A hundred percent. It is.
And the frustrating part is, once you can see the light and change your conversation with those customers, almost all of them will invest more. Like if you take a cohort of customers that fall into that category, even if you were to lose some of them, the overall recurring revenue, even with fewer customers, goes up a hundred percent of the time. A hundred percent. So, wow. That's the hard part. It doesn't have to be that way, but that's the risk that we're pulling behind us, Phyllis.
Yeah, that's awesome. I mean, I think that's a great lesson that even if you lose customers, if you retain and gain those customers that are willing to pay you, you really are going to make up that difference and maybe even make more. Mm-hmm. We call it the long tail. Very good. Those customers, you heard it here, Gary Pika. Okay, so, oh, was someone about to say... So we were just talking about, like, kind of deepfakes, shallow fakes, AI-based attacks.
So at its most basic, a threat actor could use shallow fakes in email and text messages to convince coworkers that a superior or a colleague needs them to take an action. We kind of mentioned this before about a CFO or a CEO asking for money or whatever. And so what are your thoughts on the sophistication we'll see on the horizon, which will require defenders to implement changes which include that identity verification?
Like, maybe when you're hiring somebody or someone's asking you to put out money for a transaction. Right. You know, I think... it sounds so, I know I'm probably going to get totally told this, but I think it goes back to basics. How do you verify someone's identity? Mm-hmm. And just with the deepfakes, you know, as mentioned before, they're finding biometric data way less reliable to be able to be used. So that's one aspect of it.
Obviously there's going to be voice mimicking, so that's being leveraged a lot more. And someone had mentioned somewhere earlier in this, Katz, I think it was you, but it was going back to secret words. It's going back to something that is considered standard, right? For ver... I don't know where we go for this as far as how do you verify an identity, you know. Back in the day we'd be like, how do you know? It's something you have, something you know. Yeah, right.
It's kind of like back to that, right? Like what's only something Mackenzie has? What's only something Mackenzie knows? And then that's how you used to validate, you know, that's kind of old school. Mackenzie's mother's maiden name. If you're doing... anyone could definitely, I don't want to leave it up, but anyway, definitely impersonate me, with my face and my voice being out there the way it is.
But it terrifies me, honestly, it scares me a lot that this is the point where we're at, because at what point do you have any other... if you can impersonate a person from a deepfake level, but now you're putting on, if they were able to do enough compromise, they can compromise your location, they could compromise as far as mimicking your geolocation, mimicking the browser you would use, typically maybe mimicking your actual, you know... outside of looking at user agent strings, do we want help desk to do that anytime they get a call from the CFO that's asking for assistance?
So verifying the identities, I think we're going to start moving past just technologies that would support with that, but focusing on how do you work with your SOC, how do you give capabilities that your SOC has, as far as visibility goes, to a help desk person. That also terrifies you though, because now you don't want someone in help desk to have the same level of admin privileges that someone in your SOC would have, right?
So I feel like we're kind of at this catch-22 point where, you know, the deepfake stuff. Honestly, if you're getting deepfaked and it's going to this, your next best chance is ensuring you can monitor for lateral movement. If that, you know, I don't know what to tell you. Transactions should be totally... the fact that BECs are successful in transferring millions of dollars just because you've managed to hijack an account, to me that's crazy. But that's very normal.
It's been going on for a very long time, 10 years plus. But if you don't have monitoring looking for activities that are considered anomalous for these accounts once they're taken over, which is going to be that lateral movement, it's going to be that internal phishing, things that we know are about to happen, then it's less about verifying the identity and it's more about identifying anomalous behavior of that identity.
It's why I've developed the first internet cloak of invisibility, just with the push of one button. Oh my gosh, that's the perfect Monday voiceover. I love it. Yeah. So I'm working on that. That's Gary's Halloween voice. That's awesome. Yeah. All right, back over to you, Andrew. Yeah, so we've got a few minutes left here.
Mac, you know, I recommend, you know, MSPs really just go right to the... you know, obviously read the whole report, but the social engineering and identity section is really the heart and soul. I mean, if you look at what attacks MSPs are dealing with, and then within that, Mac, the stat, which is, you know, I sit there, I had to read it over and over and over. But out of identity and social engineering attacks, listen to this, over 99% are password related.
Yeah, that's a lot. That's almost a hundred percent, Gary, in case he forgot what number comes after 99. Yeah, exactly. You can lead a horse to water, but you can't make it get a more complex password. Like it's just... So, you know, we've heard all sorts of recommendations, right? NIST has their guidelines on passwords, this and that.
But talk to us, like, you know, it used to be you should do password rotation, but what we found now is that complexity, and really complex, or as John Strand loves, passphrases. Yes. Why is that the route to go? Like, get something really complex, leave it alone? I mean, you're getting around all of the traditional brute force techniques, right? That they're going to be looking for the most obvious ones.
And the level, and I'm not even talking about like a dictionary attack, but the level of things that passwords of people that they use make it less difficult to be able to crack. So, you know, I feel like this is also... I used to not recommend password vaults, because we're like, oh, what if they get the password to your password vault? It's like, well, that should be the most complex of them all.
We can't solve the end user problem where they're using more complex passwords unless you've put it in your settings that they actually have to do it. And you can do that. But also, as far as the password vault goes, password reuse is a huge issue as well, right?
You can compromise an account, or there's a data leak somewhere, and there's a likelihood that that end user... you can figure out there are other aliases that could be leveraged for that account, and we're all guilty of it. And, you know, we focus more so on, like, don't write your password on a post-it note, but it should be passphrases, it should be complexity standards, meets what Microsoft recommends, which is the passwordless approach, meets having 2FA, right?
Meaning having your admins, your devs, I mean, consider doing hardware tokens or hardware-based authentication at this point. Some YubiKeys, throw them out. Because, you know, password vaults, you should have a corporate level, whether it's 1Password or it's LastPass or whatever you choose to decide. But these are the things that were developed for end users who can't seem to get around the concept of weak passwords. And it happens today.
So you're saying "service one" is not a good password? No, it's a terrible one. Anything like passphrases are great, but man, I mean people don't even know how to do just... if you're going to do password reuse, and this isn't me saying you should do password reuse, memorize the most complex password of your life and just use it. Because rotation is not really going to help that much at that point. I mean, people have a habit, they're just going to do the same. Yes.
Creation standard. NIST updated their password policy to say, you know, eight-character password that's truly random, right? So they've done, you know, it's like an eight-character password, machine generated, that's truly random, and keep it for a year, right? Because, you know, when I was at the NSA, we did the studies, and it was like, because the password policy started going crazy.
And so it was just kind of like, you know, they did an analysis, the research arm of the NSA did an analysis, and it was like, if you require a 16-character password or a 10-character password, studies show that the entropy goes down, right? Because people have to start reusing words and numbers. It's kind of like, here's my standard password plus like 10 numbers afterwards. Yeah. Yeah. I see people mentioning Keeper. Keeper is great.
Definitely something we're looking at. And, you know, I know we're at the top of the hour here, but a few things. Derek, good for you for insisting on password managers and things. You know, just a few things which I've seen: make sure, you know, you have them go into settings, or, you know, that it times out after five minutes. Because, you know, again, if you have your password managers open all the time, that's not a good thing.
And obviously, you know, I think we're going to see greater, hopefully greater browser security, like the outta commas out of the world out there, where you can't store passwords in your browser, right? Because again, those types of things are with infostealers. Anyway, Mac, awesome. Really, really great having you back and talking about this as always. You did fantastic. Phyllis, welcome back after a month. I hope you're around now for the holidays.
And Gary, are you as well? You don't want to go on a two-week business trip next, you know, and try and surpass it? No, I think at one point I was gone so long, I called my wife and she was like, what are you doing? Like, come home. You just really love the airport food, right?
Like that's... I'm like, but I really want these... Real, I'm, listen, I traveled all over the world building TruMethods, but like, I fly in, I line my stuff up, I do what I've got to do, and I'm back on that flight heading home. Yeah. This just happens to be where they were so close together, but it's just, I don't like to be away that long. Yeah. Yeah. Well, at least the good news, Gary, is she says, come home. You know, it could be otherwise, right?
So yeah, exactly. That's a good thing. All right, everybody have an awesome week. If you're at IT Nation, stop by and see us. We will be there, and have an awesome week. We'll see you next Monday. Oh, no wait, Gary, isn't next Monday a holiday? It is. Okay. So we'll see you in two Mondays. In two Mondays. In two Mondays. So take care, everyone, have a.