Microsoft: Evolving Cyber Attacks on the Supply Chain

Cybercriminals are evolving their methods beyond traditional firewall breaches, now targeting identity systems and exploiting interconnected supply chains to disrupt global trade and logistics.
A report from Microsoft details a changing threat landscape where one vulnerable partner can create a domino effect, compromising an entire network of businesses.
This is particularly concerning for sectors reliant on tightly integrated digital systems such as manufacturing and logistics.
The Microsoft Digital Defense Report highlights a key trend where attackers leverage third-party relationships to infiltrate more secure organisations.
Malicious actors are increasingly focused on abusing identity systems and using stolen data for financial profit rather than espionage.
Human-operated ransomware continues to be a primary method for gaining initial access, allowing criminals to inflict widespread damage on both suppliers and customers.

The financial motivation behind cyber attacks

Microsoft observes that attackers are moving from broad phishing campaigns towards more targeted social engineering and identity-based attacks.
According to Amy Hogan-Burney, Corporate Vice President, Customer Security & Trust at Microsoft, financial gain is the principal motivation for the majority of these incidents.
“In 80% of the cyber incidents Microsoft’s security teams investigated last year,” Amy explains, “attackers sought to steal data – a trend motivated more by financial gain than intelligence gathering.”
This focus on profit is reshaping the threat landscape.
Amy adds that “over half of cyber attacks with known motives were motivated by extortion or ransomware”.
“That’s at least 52% of incidents fuelled by financial gain while attacks focused solely on espionage made up just 4%,” she says.
While nation-state threats persist, the immediate danger for most organisations comes from opportunistic criminals seeking financial returns.
Amy says: “Nation-state threats remain a serious and persistent threat, but most of the immediate attacks organisations face today come from opportunistic criminals looking to make a profit.”

Supply chain vulnerabilities and interconnected risk

The reliance of global trade on digital systems at every stage, from port logistics to inventory control, creates a vast attack surface.
A case study in the Microsoft report illustrates this vulnerability: a ransomware attack on a global shipping company in February 2025 was contained within 14 minutes.
However, the potential consequences were severe.
“Had the company’s systems been taken offline for even a few hours, the cascading effect would have impacted trade and industry around the world,” the report states. This incident highlights what Microsoft describes as the “risk of our interconnected world”.
The report notes: “Supply chains, both physical and digital, increase our attack surface.”
Transportation is now one of the top 10 sectors most affected by ransomware. Other logistics-related industries, such as retail, wholesale and distribution, show even greater exposure.
Microsoft attributes this to attackers deliberately targeting value chains. “Sophisticated threat actors are also targeting supply chains and trusted third-party relationships,” it adds.
“By compromising a less secure partner or vendor… attackers could potentially impact more hardened targets in multistage attacks.”

State-sponsored threats and the call for resilience

While financially motivated crime is common, sustained efforts by state-aligned groups present a different challenge.
These actors often seek long-term access to strategic infrastructure.
The report reveals: “In the last year, three Iranian actors targeted shipping and logistics operations across Europe and the Persian Gulf,” intending to gain persistent access to extract operational data.
Attackers are also increasingly exploiting cloud infrastructure for command and control.
To counter these threats, Microsoft argues that organisations must treat cybersecurity as a fundamental business priority.
“In this environment, organisational leaders must treat cybersecurity as a core strategic priority – not just an IT issue – and build resilience into their technology and operations from the ground up,” Amy says.
The scale of the threat is immense, with Microsoft processing over 100 trillion security signals daily.
Technological advances have also lowered the barrier to entry for cybercriminals. Amy highlights how accessible tools have enabled wider operations.
“Advances in automation and readily available off-the-shelf tools have enabled cybercriminals – even those with limited technical expertise – to expand their operations considerably,” she explains.
“The use of AI has further added to this trend with cybercriminals accelerating malware development and creating more realistic synthetic content, enhancing the efficiency of activities such as phishing and ransomware attacks.”
In response, Microsoft advocates for stronger identity controls, proactive exposure management and greater supply chain transparency through measures like software bills of materials (SBOMs) and harmonised regulatory standards to bolster collective defence.



