In late February 2020, Alex Weinert, Microsoft's Director of Identity Security, delivered a presentation a the RSA 2020 security conference in San Francisco. In his presentation he detailed that 99.9% of Microsoft enterprise accounts that get invaded by attackers didn't use multi-factor authentication (MFA). He also noted that only 11% of overall Microsoft enterprise accounts had MFA enabled.
According to Microsoft an average of 0.5% of all accounts are breached every month. In January of 2020 that amounts to over 1.2 million accounts breached a month. The breaches can be attributed to two factors.
Not using MFA to protect accounts
Poor password hygiene - specifically the use of extremely simple passwords or reusing passwords across multiple accounts.
Microsoft further reported that 40% of the total compromised accounts in January 2020 had fallen victim to password spraying. This amounts to over 480,000 accounts. Password spraying is an automated method where attackers test some of the most commonly used passwords to see if they work for breaking into large numbers of other accounts.
Another method used for about 40% of compromised accounts is replay attack. In these cases, ne'er-do-wells leverage lists of credentials spilled in data incidents and try out the same login combinations at other services.
You may be wondering what the easiest fixes are to securing your Microsoft accounts? Choosing unique passwords and enabling MFA (also commonly known as 2 Factor Authentication) are the go-to ways and can greatly reduce the risk of accounts being hacked.
Find more information about MFA here.