A new Microsoft Digital Defense Report 2025 ranks Switzerland among Europe’s top ten most-attacked nations, highlighting a dramatic escalation in identity-based cyberattacks.
Between July 2024 and June 2025, Switzerland placed ninth in Europe and twenty-second globally, accounting for 3.3 percent of all European organizations affected by cyber incidents.
The findings mark a strategic shift in the threat landscape—away from opportunistic malware toward targeted identity compromise and AI-driven credential abuse.

Identity Becomes the Primary Attack Vector

According to the report, identity-based attacks rose by 32 percent in the first half of 2025.
An overwhelming 97 percent of these incidents involved password attacks, where adversaries systematically guess or reuse credentials obtained from prior breaches.
This trend confirms what security leaders have long feared: user accounts have become the most exploited entry point into enterprise environments.

Microsoft notes that 52 percent of global cyberattacks were motivated by ransomware or extortion, while 80 percent sought direct financial gain.
Espionage represented only 4 percent of cases, showing that criminal monetization—rather than nation-state surveillance—now drives the majority of global cyber activity.
However, state-sponsored actors from Russia, China, Iran, and North Korea remain active and increasingly intertwined with criminal infrastructures, blurring traditional threat boundaries.

Critical Infrastructure in the Crosshairs

Hospitals, educational institutions, and transport networks across Switzerland have faced heightened pressure from identity-driven intrusions.
Such attacks can delay emergency care, disrupt logistics, and erode public confidence.
Because credentials often unlock multiple systems, even a single compromised account can cascade into systemic outages—a scenario already observed in several European healthcare and municipal sectors.

AI on Both Sides of the Battlefield

The 2025 report underscores how artificial intelligence now accelerates both offense and defense.
Attackers use AI to automate phishing, password spraying, and reconnaissance at unprecedented scale.
Defenders respond with AI-enhanced detection, behavioral analytics, and automated containment workflows, shortening the Mean Time to Neutralization (MTTN)—a critical factor in modern resilience models such as the Automated Resilience Index (ARI).

“Cyber-resilience is no longer optional”

Marc Holitscher, National Technology Officer at Microsoft Switzerland, summarized the implications succinctly:

“Organizations must strengthen identity controls, update critical systems, and review their response plans regularly. Cyber-resilience is no longer optional—it is a fundamental requirement for every business.”

From Awareness to Automated Resilience

The surge in identity-based attacks validates a growing industry consensus: awareness metrics like click-through rates are insufficient.
True resilience lies in how quickly and autonomously an enterprise neutralizes identity misuse.
By integrating identity-protection signals from Microsoft Entra ID, SOAR playbooks, and conditional-access enforcement, organizations can quantify and continuously improve their Automated Resilience Index (ARI) — a new approach and metric that measures containment success and automation efficiency.