Microsoft Digital Defense 2024: 600M Identity Attacks per Day
Microsoft Entra blocks roughly 600 million identity attacks per day. Over 99% are password-based. Attack volume has reached 7,000 per second. MFA fatigue, SIM swapping, and adversary-in-the-middle phishing are the dominant bypass tactics for the MFA-enabled minority.
Key Finding
Identity attack volume is now a constant. The marginal cost of attempting another credential combination is approximately zero, so attackers attempt every combination. Architecture has to assume credential-based attacks are continuous, not exceptional.
Microsoft's annual Digital Defense Report draws on telemetry from Microsoft Entra, Microsoft 365, Azure, and Microsoft's security graph. The 2024 edition reported approximately 600 million identity attacks per day blocked by Entra, of which more than 99% were password-based. The peak attack-per-second figure reached 7,000.
The report also tracked the shift in attacker tactics for the MFA-protected minority. Adversary-in-the-Middle (AiTM) phishing kits, MFA fatigue (push-spam followed by social engineering), SIM swapping, and post-authentication attacks on tokens are now standard tradecraft. The implication is that "MFA enabled" is no longer a defensible end-state — phishing-resistant MFA (FIDO2, platform authenticators, certificate-based) is the meaningful bar.
For identity architecture, the data does not support the still-common claim that "well-configured MFA is good enough." A volume of 600 million attacks per day, with tactics specifically designed to bypass conventional MFA, makes phishing-resistant authentication a baseline requirement for anything that matters.
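One way to check an estate against that bar, as an added example that is not taken from the report or from any Microsoft tooling: classify the MFA methods accepted for each user and list which of the bypass tactics named above still apply. The method labels, status names and sample inventory are constructed assumptions, and post-authentication token attacks are not modeled because they occur after sign-in.

```python
# Added example. Method labels and the sample inventory are constructed,
# not a real directory schema or API response.
PHISHING_RESISTANT = {"fido2", "platform_authenticator", "certificate"}

# Bypass tactics named in the report summary, keyed by the MFA method they apply to.
EXPOSURE = {
    "sms": {"SIM swapping", "AiTM phishing"},
    "voice": {"SIM swapping", "AiTM phishing"},
    "totp": {"AiTM phishing"},
    "push": {"MFA fatigue", "AiTM phishing"},
}


def audit_user(methods):
    """Classify the MFA methods a policy accepts for one user.

    Returns (status, exposures); exposures is a sorted list of tactics.
    """
    methods = set(methods)
    unknown = methods - PHISHING_RESISTANT - set(EXPOSURE)
    if unknown:
        raise ValueError(f"unclassified methods: {sorted(unknown)}")
    if not methods:
        return "no-mfa", ["password-based attack"]
    exposures = set()
    for method in methods:
        exposures |= EXPOSURE.get(method, set())
    if not methods & PHISHING_RESISTANT:
        status = "phishable-mfa"
    elif exposures:
        # A strong method is registered, but a weaker fallback is still accepted.
        status = "weak-fallback"
    else:
        status = "phishing-resistant"
    return status, sorted(exposures)


def audit(inventory):
    """Map each user to (status, exposures)."""
    return {user: audit_user(m) for user, m in inventory.items()}


# Constructed sample inventory with hypothetical users.
SAMPLE = {"alice": ["fido2"], "bob": ["push", "sms"],
          "carol": ["fido2", "sms"], "dave": []}

if __name__ == "__main__":
    for user, (status, exposures) in audit(SAMPLE).items():
        print(f"{user:6} {status:18} {', '.join(exposures) or '-'}")
```

A user in the "weak-fallback" state has a phishing-resistant method registered but is still exposed through the weaker method, which is why counting "MFA enabled" accounts overstates coverage.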