Microsoft Security Intelligence refers to the threat intelligence infrastructure Microsoft operates at a scale no other commercial entity approaches: 100 trillion security signals processed daily across Windows, Azure, Microsoft 365, and cloud services — generating the threat detection data behind Microsoft Defender, Sentinel, and the Microsoft Digital Defense Report (MDDR). The MDDR 2025 quantifies what that signal volume produces: 4.5 million new malware attempts blocked daily, 38 million identity risk detections analyzed daily, 5 billion emails scanned for malware and phishing every day. The intelligence synthesized from these signals has produced findings that directly contradict the popular narrative of cybersecurity as primarily a nation-state espionage problem — the MDDR 2025 documents that 52% of cyberattacks with identified motivations are driven by extortion and ransomware, espionage accounts for only 4% of attacks, and 80% of incidents involved data theft attempts. Microsoft Security Intelligence is operationalized for enterprise security teams through two primary channels: the Microsoft Threat Intelligence Center (MSTIC), which tracks 300+ distinct threat actor groups and informs Microsoft’s security products with adversary-level intelligence, and Microsoft Defender Threat Intelligence (MDTI), the analyst-facing platform that makes MSTIC’s research and Microsoft’s internet infrastructure data available for threat hunting, incident response, and IOC analysis — a platform that Microsoft announced in early 2026 will be retired as a standalone product on August 1, 2026 and merged into Microsoft Defender XDR and Microsoft Sentinel.
- Microsoft processes 100 trillion security signals daily across Windows, Azure, and Microsoft 365 — the data foundation for all Microsoft threat intelligence
- MDDR 2025: 52% of attacks driven by extortion/ransomware; espionage only 4%; 80% of incidents involved data theft; MFA blocks 99%+ of identity attacks
- MSTIC tracks 300+ threat actor groups; Forest Blizzard (Russia) and Sapphire Sleet (North Korea) among active actors documented in 2025
- Microsoft Defender Threat Intelligence (MDTI): retiring August 1, 2026 — capabilities merging into Microsoft Defender XDR and Microsoft Sentinel
- Microsoft Digital Defense Report published since 2005: 12,000+ pages of insights across 20 years of annual threat landscape reporting
Microsoft Security Intelligence at Scale: MSTIC, Signal Volume, and the 2025 Digital Defense Report

MSTIC and the Microsoft Threat Intelligence Ecosystem
The Microsoft Threat Intelligence Center (MSTIC) is the internal research team that synthesizes Microsoft’s telemetry scale into adversary intelligence: tracking 300+ named threat actor groups, naming threat actors using a weather-themed taxonomy (Blizzard for Russia-linked actors, Typhoon for China-linked, Sleet for North Korea, Sandstorm for Iran), and producing the threat actor profiles and technique analyses that feed into Microsoft’s security products and the public threat intelligence blog. MSTIC’s intelligence advantage comes directly from the unique data sources only Microsoft can access — Windows endpoint telemetry from billions of devices, Azure threat detection across Microsoft’s hyperscale cloud, Microsoft 365 email and identity signals, and the passive DNS, WHOIS, and internet scanning infrastructure that Microsoft acquired through RiskIQ in 2022. The Bloomberg profile of MSTIC from May 2025 documented the unit’s internal structure and the scale of Microsoft’s investment in adversary intelligence research. The 2025 threat actors MSTIC has documented publicly include Forest Blizzard (Russian military intelligence, GRU Unit 26165), which exploits vulnerable SOHO routers to build covert attack infrastructure that hides among legitimate compromised devices for espionage operations against NATO countries; Sapphire Sleet (North Korea), which runs sophisticated macOS intrusion campaigns using social engineering to bypass macOS security controls; and Iranian-linked actors targeting logistics infrastructure in Europe and the Persian Gulf. The Microsoft Digital Defense Report, published annually since 2005 and now representing 12,000+ pages of accumulated security intelligence, synthesizes MSTIC’s research, Microsoft’s telemetry data, and frontline incident response findings into a threat landscape document that CISOs use for annual security strategy planning. 
The Microsoft Digital Defense Report archive provides access to the full 2025 report and historical reports back to 2008, with the 2025 CISO Executive Summary as the most concise entry point for security leadership briefings.
MDDR 2025: Key Findings on Attack Motivations, Scale, and Identity Threats
The Microsoft Digital Defense Report 2025’s most operationally significant findings concern the distribution of attack motivations and the effectiveness of specific defensive controls — data that directly challenges how security budgets are allocated. 52% of cyberattacks with identified motivations are extortion and ransomware-driven — financially motivated crime, not nation-state espionage, is the dominant threat vector for most organizations. The nation-state espionage framing that dominates media coverage corresponds to only 4% of the attacks Microsoft observed. 80% of incidents across Microsoft’s observed environment involved data theft attempts, making data protection and DLP controls (not just perimeter defenses) the primary control category that needs investment. The most significant single finding may be the identity protection statistic: multi-factor authentication — specifically phishing-resistant MFA — blocks over 99% of identity-based attacks, which combined with the MDDR 2025 scale data (38 million identity risk detections analyzed daily) indicates that identity compromise is the primary attack vector and that the defensive control with the highest single-point ROI is MFA deployment. The nation-state threat section documents that China’s cyber operations are expanding beyond traditional targets to include NGOs and commercial sectors using access through vulnerable network devices; Russia is extending cyber operations beyond Ukraine to target small businesses in NATO countries as entry points into larger supply chains; North Korea’s operations combine espionage and financial crime, with IT workers abroad remitting earnings to support regime-sanctioned operations. 
Microsoft’s position processing 100 trillion security signals daily means the MDDR represents the broadest single-source threat intelligence dataset available for enterprise security planning — larger than any individual ISAC, commercial threat intelligence provider, or government sharing program by orders of magnitude.
Microsoft Defender Threat Intelligence: Platform Features and 2026 Convergence into Defender XDR

MDTI Features: Threat Actor Profiles, Infrastructure Analysis, and IOC Enrichment
Microsoft Defender Threat Intelligence (MDTI) is the analyst-facing platform that makes MSTIC’s research and Microsoft’s internet data infrastructure accessible to enterprise security teams for threat hunting, incident response, triage, and vulnerability management workflows. MDTI aggregates data sources that analysts previously accessed separately: passive DNS resolution history, WHOIS data, SSL certificate analysis, subdomain enumeration, detonation analysis results from URL and file execution, and threat infrastructure data collected from Microsoft’s continuous internet scanning. The platform’s Intel Explorer provides a unified search interface across these data sources, allowing analysts to pivot from a suspicious IP address to associated domains, to related threat actor infrastructure, to published MDTI articles documenting the actor’s campaigns. Threat actor articles in MDTI include MITRE ATT&CK mapping for observed TTPs, targeted industry and geography profiles, related aliases across threat intelligence communities, and actionable IOCs that link directly into blocking or hunting actions in Defender XDR and Sentinel. Vulnerability articles add CVE-level intelligence with a Defender TI Priority Score — a proprietary algorithm that combines CVSS score, active exploit evidence, dark web chatter, and malware linkage to produce a prioritized remediation queue that outperforms CVSS-only prioritization. At Microsoft Ignite 2025, Microsoft integrated a Threat Intelligence Briefing Agent directly into the Defender portal — an AI-driven assistant that synthesizes current threat intelligence into briefings tailored to the analyst’s current investigation context, reducing the time between detection and context-aware response. 
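As an added illustration of the IP-to-domain-to-infrastructure pivot described above (example code, not Intel Explorer or any MDTI API), this runs a bounded pivot over a constructed passive-DNS dataset and sets aside high-fan-out shared-hosting IPs that would otherwise pull unrelated tenants into the result:

```python
from collections import defaultdict, deque

# Constructed passive-DNS history: (domain, ip) pairs standing in for the
# resolution records an analyst would pull from a pDNS source.
PDNS = [
    ("login-update.example", "203.0.113.10"),
    ("mail-verify.example", "203.0.113.10"),
    ("mail-verify.example", "203.0.113.44"),
    ("secure-portal.example", "203.0.113.44"),
    # 198.51.100.1 stands in for a shared host with many unrelated tenants.
    ("login-update.example", "198.51.100.1"),
] + [(f"site{i}.example", "198.51.100.1") for i in range(50)]


def build_index(records):
    """Index records both ways so pivots in either direction are cheap."""
    by_ip, by_domain = defaultdict(set), defaultdict(set)
    for domain, ip in records:
        by_ip[ip].add(domain)
        by_domain[domain].add(ip)
    return by_ip, by_domain


def pivot(seed_ip, records, max_hops=2, fanout_limit=20):
    """Bounded breadth-first pivot from seed_ip.

    One hop is IP -> domains that resolved to it -> the other IPs those
    domains resolved to. An IP hosting more than fanout_limit domains is
    treated as shared infrastructure: it is reported separately and not
    expanded, so a CDN or bulk-hosting address cannot flood the result
    with unrelated tenants. Returns (domains, related_ips, shared_ips).
    """
    by_ip, by_domain = build_index(records)
    seen_ips, domains, shared = {seed_ip}, set(), set()
    frontier = deque([(seed_ip, 0)])
    while frontier:
        ip, hops = frontier.popleft()
        hosted = by_ip.get(ip, set())
        if len(hosted) > fanout_limit:
            shared.add(ip)          # record it, but do not pivot through it
            continue
        for domain in hosted:
            domains.add(domain)
            if hops >= max_hops:    # final hop: collect domains, stop expanding
                continue
            for other_ip in by_domain[domain]:
                if other_ip not in seen_ips:
                    seen_ips.add(other_ip)
                    frontier.append((other_ip, hops + 1))
    return domains, seen_ips - shared, shared
```

Raising fanout_limit past the shared host's tenant count shows the failure mode the limit guards against: the 50 unrelated site domains flood the pivot result.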
The critical platform update announced in early 2026 is MDTI’s retirement as a standalone product: Microsoft announced that MDTI will be discontinued and its capabilities merged into Microsoft Defender XDR and Microsoft Sentinel by August 1, 2026, consolidating the threat intelligence workflow into the same platform where security operations and SIEM analysis occur. Microsoft’s official MDTI documentation provides the current platform feature reference for security teams evaluating how MDTI capabilities integrate into their existing Defender and Sentinel deployments ahead of the August 2026 consolidation deadline.
Frequently Asked Questions
What is Microsoft Security Intelligence?
Microsoft Security Intelligence refers to the threat intelligence capabilities Microsoft generates from processing 100 trillion security signals daily across Windows, Azure, and Microsoft 365. It encompasses: MSTIC (Microsoft Threat Intelligence Center) — the internal research unit tracking 300+ threat actor groups; Microsoft Digital Defense Report — the annual threat intelligence report published since 2005 synthesizing Microsoft’s threat data; Microsoft Defender Threat Intelligence (MDTI) — the analyst platform for threat hunting, IOC analysis, and infrastructure investigation; and the threat intelligence integrated into Microsoft Sentinel and Defender XDR. Microsoft Security Intelligence is distinguished by data scale — the 100 trillion daily signals give Microsoft visibility into threat infrastructure and attack patterns at a scope no private threat intelligence provider can match.
What are the key findings of the Microsoft Digital Defense Report 2025?
Microsoft Digital Defense Report 2025 key findings: 52% of cyberattacks with identified motivations are driven by extortion and ransomware — financially motivated crime dominates, not nation-state espionage; espionage accounts for only 4% of attacks; 80% of incidents involved data theft attempts; MFA (phishing-resistant) blocks 99%+ of identity-based attacks; Microsoft blocks 4.5 million new malware attempts, analyzes 38 million identity risk detections, and scans 5 billion emails daily. Nation-state threat actors documented: China expanding into commercial targets via vulnerable network devices; Russia targeting NATO-adjacent small businesses; North Korea combining espionage and financial crime through IT worker programs. Core implication: most organizations are primarily at risk from financially motivated cybercriminals, not nation-states — and the most cost-effective defense is phishing-resistant MFA.
What is MSTIC (Microsoft Threat Intelligence Center)?
MSTIC (Microsoft Threat Intelligence Center) is Microsoft’s internal threat research unit responsible for tracking nation-state and criminal threat actors, naming and attributing cyberattacks, and incorporating adversary intelligence into Microsoft’s security products. MSTIC tracks 300+ distinct threat actor groups using a weather-themed naming taxonomy: Blizzard (Russia-linked), Typhoon (China-linked), Sleet (North Korea-linked), Sandstorm (Iran-linked), Tempest (financially motivated). MSTIC analysts access telemetry from Windows, Azure, and Microsoft 365 to detect new threat actor infrastructure, attribute attacks to specific groups, and produce threat intelligence that feeds Microsoft Defender, Sentinel, and the public Microsoft Security blog. Notable MSTIC-tracked actors in 2025: Forest Blizzard (Russian GRU SOHO router exploitation), Sapphire Sleet (North Korean macOS intrusion campaigns), and Iranian Sandstorm-affiliated groups targeting logistics infrastructure.
What is Microsoft Defender Threat Intelligence (MDTI) and what happens after August 2026?
Microsoft Defender Threat Intelligence (MDTI) is a threat intelligence analyst platform providing access to Microsoft’s internet infrastructure datasets (passive DNS, WHOIS, SSL certificates, subdomain data, URL detonation analysis), threat actor profiles with MITRE ATT&CK mapping, vulnerability articles with priority scoring, reputation scoring for IPs and domains, and IOC analysis tools for threat hunting and incident response workflows. Microsoft announced in early 2026 that MDTI will be retired as a standalone product on August 1, 2026 and merged into Microsoft Defender XDR and Microsoft Sentinel — consolidating threat intelligence capabilities directly into the SIEM and XDR platforms where security operations occur. Existing MDTI customers retain full access until the retirement date. After August 2026, the equivalent functionality will be accessible within the Defender portal and Sentinel, including the Threat Intelligence Briefing Agent integrated at Microsoft Ignite 2025.