Microsoft Security Intelligence Report: History, Evolution, and Key Findings (2026)

The Microsoft Security Intelligence Report (SIR) was the most comprehensive annual security report published by any technology vendor from its launch in 2006 through its final volumes around 2019. Based on telemetry from hundreds of millions of Windows systems worldwide, it documented malware prevalence, vulnerability exploitation rates, and threat actor activity at a scale no other vendor could match. Microsoft has since evolved the report into the Microsoft Digital Defense Report (MDDR), now drawing on 78 trillion security signals processed daily. Understanding both the original SIR and its successor provides essential context for security leaders who rely on Microsoft’s ecosystem intelligence for annual threat briefings and investment decisions.

  • The Microsoft Security Intelligence Report ran from 2006 through approximately 2019 (Volume 24), then evolved into the Microsoft Digital Defense Report (MDDR).
  • Microsoft processes 78 trillion security signals daily — the data foundation for MDDR findings that inform enterprise security programs globally.
  • MDDR 2024 found IT (24%), Education/Research (21%), and Government (12%) as the top three nation-state targeted sectors.
  • MDDR 2025 reports AI-driven phishing is three times more effective than traditional campaigns — the single most actionable finding for email security investment.
  • 97% of identity attacks in 2025 used password spray techniques — the dominant attack vector across all sectors in the Microsoft dataset.

The Microsoft Security Intelligence Report: What It Was and What Replaced It

The Microsoft Security Intelligence Report was published semi-annually, then annually, starting in 2006. At its peak, it analyzed malware telemetry from hundreds of millions of Windows systems running Microsoft’s Malicious Software Removal Tool (MSRT), combined with Bing Safe Search data, email threat statistics from Exchange Online Protection, and vulnerability data from Microsoft’s Security Response Center. Each volume provided a global malware landscape view and regional breakdowns that were unavailable from any other source — only Microsoft had visibility across consumer, SMB, and enterprise endpoints at that scale.

Key Volumes and Their Significance

Early SIR volumes (1-10) focused primarily on malware prevalence by category — trojans, worms, exploits, potentially unwanted software — with regional infection rate maps that became standard references in security research. Later volumes introduced threat intelligence on exploit kits, ransomware trends, and email-based attack vectors. Volume 19 and later volumes expanded into social engineering and phishing analysis. The final SIR volumes overlapped with the transition to cloud-centric security telemetry, which required a different reporting framework. Microsoft has published 12,000+ pages of security insights since 2005, spanning the SIR era through the current MDDR format.

Microsoft Digital Defense Report: The SIR’s Successor

The Microsoft Digital Defense Report (MDDR), launched in 2020, replaced the SIR with a broader scope: where the SIR focused primarily on endpoint malware and vulnerability data, the MDDR integrates threat intelligence from Microsoft Defender, Azure, Office 365, Microsoft Sentinel, and the Microsoft Threat Intelligence Center (MSTIC). Its 78 trillion daily security signals provide a uniquely comprehensive view of the threat landscape. The MDDR is published annually each October and is free to download, which makes it the most data-rich free threat intelligence publication available to security leaders.

Key Findings from the Microsoft Digital Defense Report 2024 and 2025

The MDDR findings are directly applicable to security investment decisions, particularly for organizations running Microsoft-heavy environments. The 2024 and 2025 editions contain findings that should inform endpoint security, identity security, and email protection strategies for any enterprise security program.

MDDR 2024: Nation-State Targeting and Vulnerability Disclosure

The 2024 MDDR identified the IT sector as the most targeted by nation-state threat actors at 24% of all incidents, followed by Education and Research at 21% and Government at 12%. This sector targeting data is directly usable in board-level risk briefings: organizations in these sectors can reference Microsoft’s dataset to contextualize their threat exposure relative to the broader threat landscape. Microsoft also disclosed a record 1,360 vulnerabilities in 2024, with critical vulnerabilities dropping to 78 — a finding relevant to patch prioritization programs, as lower critical counts can create false comfort in vulnerability management programs that track only critical severity.

MDDR 2025: Identity Attacks and AI-Powered Phishing

The 2025 MDDR’s two most actionable findings for security investment decisions are the identity attack distribution and AI-enhanced phishing effectiveness. Password spray attacks accounted for 97% of all identity attacks in the Microsoft dataset — meaning that for organizations using Microsoft Entra ID (formerly Azure AD), the single highest-ROI security control is enforcing phishing-resistant MFA rather than expanding detection tooling for more sophisticated attack vectors. AI-driven phishing campaigns were found to be three times more effective than traditional campaigns, a statistic that directly informs the urgency of security awareness training refresh cycles and email gateway investment. The MDDR 2025 also identified the United States, United Kingdom, Israel, and Germany as the leading cyberattack targets globally, with over 40% of ransomware attacks including a hybrid IT/OT component.

How to Use the MDDR for Security Program Planning

The MDDR is most effectively used as a benchmark document rather than a real-time intelligence feed. Security leaders should extract three categories of findings: (1) sector targeting data to validate or update threat actor relevance assessments, (2) attack vector distribution to check investment allocation against actual attack patterns, and (3) specific statistics for board-level risk briefings where external data carries more weight than internal assessments. The MDDR’s companion resources — the Security Insider blog and quarterly threat intelligence reports — provide more current data between annual publication cycles.

The most commonly misused section of the MDDR is the vulnerability disclosure data. The record 1,360 vulnerabilities disclosed by Microsoft in 2024 does not mean the attack surface expanded proportionally — the drop in critical vulnerabilities to 78 is the more operationally relevant figure, indicating that severity distribution shifted toward lower-risk issues even as raw count increased. Vulnerability management programs that track total count without severity weighting will overreact to this data. Security leaders should present the 78 critical vulnerabilities figure to boards, not the 1,360 total — the framing matters for resource allocation decisions.

For organizations building or refreshing their annual threat briefing for a board or audit committee, the MDDR provides the external validation that internal security teams cannot provide for themselves. A statement like “Microsoft’s dataset of 78 trillion daily security signals shows password spray attacks account for 97% of identity attacks globally — our MFA deployment covers 94% of accounts, leaving 6% exposed to the dominant attack vector” converts MDDR data into a specific, measurable, board-ready risk statement. This translation — from vendor data to organizational risk narrative — is the primary value of annual security intelligence reports for executive audiences.

Frequently Asked Questions

What is the Microsoft Security Intelligence Report?

The Microsoft Security Intelligence Report (SIR) was Microsoft’s annual threat intelligence publication from 2006 to approximately 2019, documenting malware trends, vulnerability data, and threat actor activity from hundreds of millions of Windows endpoints.

What replaced the Microsoft Security Intelligence Report?

The Microsoft Digital Defense Report (MDDR), launched in 2020, replaced the SIR with broader coverage across Microsoft Defender, Azure, Office 365, and Sentinel, drawing on 78 trillion daily security signals.

Where can I download the Microsoft Digital Defense Report?

The MDDR is available free at microsoft.com/en-us/security/security-insider/intelligence-reports. Published annually each October, it includes regional data, sector targeting statistics, and attack vector analysis.

What were the biggest findings in MDDR 2025?

MDDR 2025 found that 97% of identity attacks used password spray techniques, AI-driven phishing is three times more effective than traditional campaigns, and over 40% of ransomware attacks include a hybrid IT/OT component.

Which sectors are most targeted by nation-state actors according to Microsoft?

MDDR 2024 identified IT (24%), Education and Research (21%), and Government (12%) as the top three nation-state targeted sectors globally based on Microsoft’s threat intelligence dataset.

How many vulnerabilities did Microsoft disclose in 2024?

Microsoft disclosed a record 1,360 vulnerabilities in 2024, with critical vulnerabilities dropping to 78 — a nuanced finding that means severity distribution improved even as total count increased.