SC-900 | Chapter 42 of 103 | Objective 1.1

The Modern Threat Landscape

This chapter covers the modern threat landscape, a foundational topic for the SC-900 exam. Understanding the current state of cybersecurity threats—including types of attacks, threat actors, and attack vectors—is critical because it contextualizes why Microsoft's security, compliance, and identity solutions exist. Approximately 10-15% of exam questions touch on threat landscape concepts, often as scenario-based questions asking you to identify the threat type or appropriate mitigation. This chapter provides the precise technical and conceptual knowledge you need to answer those questions correctly.

25 min read
Intermediate
Updated May 31, 2026

The Modern Threat Landscape as a Digital Ecosystem

Imagine a modern city where every building (organization) has multiple entrances (attack surfaces), valuables (data) stored in various rooms (cloud, on-premises, hybrid), and a constant flow of visitors (users, devices, applications). The city is not walled off; it's connected by roads (the internet) to other cities (partner networks, public cloud services). Threat actors are like sophisticated criminal organizations that don't just pick locks—they study the city's layout, exploit weak doors (vulnerabilities), trick employees into opening gates (phishing), or even bribe insiders (insider threats). They use automated tools (bots) to scan every window for an open latch, and they coordinate attacks across multiple buildings simultaneously (distributed attacks). The city's security team must monitor all entrances, track foot traffic (user behavior analytics), and respond to alarms in real time. This is the modern threat landscape: a dynamic, interconnected environment where threats are persistent, automated, and often state-sponsored, requiring a layered defense strategy (defense-in-depth) and continuous monitoring.

How It Actually Works

What Is the Modern Threat Landscape?

The modern threat landscape refers to the current state of cybersecurity threats, including the types of attacks, the actors behind them, their motivations, and the evolving techniques they use. It is not static; it changes daily as new vulnerabilities are discovered, new attack methods are developed, and defenders adapt. For the SC-900 exam, you must understand the key categories of threats, common attack vectors, and the terminology Microsoft uses to describe them.

Why It Exists: The Shift in Computing

The explosion of cloud computing, remote work, mobile devices, and IoT has expanded the attack surface dramatically. Traditional perimeter-based security (firewalls, VPNs) is no longer sufficient because data and users are everywhere. Attackers exploit this complexity. The modern threat landscape is characterized by:

Volume: Millions of attacks daily. Microsoft reported blocking more than 25 billion brute-force password attacks against Azure AD (now Microsoft Entra ID) accounts in 2021 alone; note that this is a yearly figure, not a daily one.

Sophistication: Attacks use AI, automation, and multi-stage techniques (e.g., ransomware with data exfiltration and double extortion).

Targeting: Attacks target identities (phishing, credential theft) more than infrastructure.

Speed: Time-to-compromise can be minutes; ransomware deployment can occur within hours.

Key Threat Categories

#### 1. Malware

Malware is malicious software designed to damage, disrupt, or gain unauthorized access. Common types:

- Ransomware: Encrypts data and demands payment. Modern variants also exfiltrate data first (double extortion). Examples: Conti, LockBit.
- Trojan: Disguised as legitimate software. Example: Emotet (a loader that drops other malware).
- Worms: Self-replicating malware that spreads without user interaction. Example: Stuxnet.
- Spyware: Secretly monitors user activity. Example: Pegasus.
- Fileless Malware: Runs in memory rather than dropping a file to disk, so signature-based antivirus has nothing to scan; it usually abuses built-in tools such as PowerShell or WMI ("living off the land").

#### 2. Phishing

Phishing is a social engineering attack in which the attacker impersonates a legitimate entity to trick users into revealing sensitive information (credentials, financial data) or installing malware. Types:

- Spear Phishing: Targeted at specific individuals or organizations, using details about the victim to look credible.
- Whaling: Spear phishing aimed at senior executives (C-level).
- Smishing: SMS-based phishing.
- Vishing: Voice-based phishing (phone calls).
- Clone Phishing: A legitimate email the victim already received is copied and re-sent with its links or attachments replaced by malicious ones.

#### 3. Password Attacks

- Brute Force: Trying all possible password combinations against an account.
- Dictionary Attack: Trying common passwords or dictionary words against an account.
- Credential Stuffing: Replaying username/password pairs leaked from one service against another, relying on password reuse.
- Password Spraying: Trying one or a few common passwords against many accounts, staying under per-account lockout thresholds.
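The three patterns above look different in sign-in telemetry, and that difference is what a detection rule keys on. The following is an added example, not code from this page or from any Microsoft product: it reads a constructed, simplified sign-in log (the real Entra ID sign-in log has a different schema) and labels each source IP as brute force or spray by the shape of its failures, then looks for the one-attempt-per-account, many-IP signature of credential stuffing. The log format, sample data and thresholds are all assumptions to tune against a tenant's own baseline.

```python
"""
Distinguish brute force, password spray and credential stuffing from
sign-in telemetry.  Added example: the log format is a constructed,
simplified one (not the Entra ID sign-in log schema), and the thresholds
are assumptions a team would tune to its own baseline.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    ip: str
    success: bool


def parse_line(line: str) -> SignIn:
    """Parse one constructed log line: '<iso-timestamp> <user> <source-ip> <ok|fail>'."""
    ts, user, ip, result = line.split()
    return SignIn(datetime.fromisoformat(ts), user, ip, result == "ok")


def load(log_text: str, window: timedelta = timedelta(minutes=30)) -> list:
    """Parse the log and keep only events inside one detection window
    measured from the earliest event (a real pipeline would slide this)."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda s: s.ts)
    if not events:
        return []
    start = events[0].ts
    return [s for s in events if s.ts - start <= window]


def classify_sources(signins, spray_min_users=5, spray_max_per_user=3,
                     brute_min_attempts=10) -> dict:
    """Label each source IP by the shape of its failed attempts:
    many failures against ONE account  -> brute_force (or dictionary attack)
    few failures against MANY accounts -> password_spray
    Sources that match neither pattern are left out of the result."""
    fails = defaultdict(lambda: defaultdict(int))   # ip -> user -> failed count
    for s in signins:
        if not s.success:
            fails[s.ip][s.user] += 1
    labels = {}
    for ip, per_user in fails.items():
        worst = max(per_user.values())
        if worst >= brute_min_attempts:
            labels[ip] = "brute_force"
        elif len(per_user) >= spray_min_users and worst <= spray_max_per_user:
            labels[ip] = "password_spray"
    return labels


def detect_credential_stuffing(signins, min_pairs=5, max_users_per_ip=2):
    """Credential stuffing replays leaked (user, password) pairs: each account
    is tried about once, from many different IPs, and some attempts succeed.
    Returns (flagged, number_of_successful_single_attempts)."""
    attempts = defaultdict(list)
    users_per_ip = defaultdict(set)
    for s in signins:
        attempts[s.user].append(s)
        users_per_ip[s.ip].add(s.user)
    # One-shot attempts from IPs that are not fanning out across many users
    # (that fan-out is the spray signature handled by classify_sources).
    singles = [tries[0] for tries in attempts.values()
               if len(tries) == 1 and len(users_per_ip[tries[0].ip]) <= max_users_per_ip]
    successes = sum(1 for s in singles if s.success)
    return len(singles) >= min_pairs, successes


# Constructed sample telemetry (not real data). Four patterns are present:
#   203.0.113.7  one password tried against six accounts           -> spray
#   198.51.100.9 twelve passwords tried against one account         -> brute force
#   192.0.2.x    one attempt per account from five IPs, two succeed -> stuffing
#   10.0.0.5     a user mistyping once, then signing in             -> benign
SAMPLE_LOG = (
    "\n".join(f"2026-05-01T02:00:0{i} {u}@contoso.example 203.0.113.7 fail"
              for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"], 1))
    + "\n"
    + "\n".join(f"2026-05-01T02:01:{i:02d} grace@contoso.example 198.51.100.9 fail"
                for i in range(12))
    + "\n"
    + "\n".join(f"2026-05-01T02:05:0{i} {u}@contoso.example 192.0.2.1{i} {r}"
                for i, (u, r) in enumerate([("heidi", "fail"), ("ivan", "ok"),
                                            ("judy", "fail"), ("mallory", "fail"),
                                            ("oscar", "ok")], 1))
    + "\n2026-05-01T02:10:00 peggy@contoso.example 10.0.0.5 fail"
    + "\n2026-05-01T02:10:09 peggy@contoso.example 10.0.0.5 ok\n"
)


if __name__ == "__main__":
    events = load(SAMPLE_LOG)
    print(classify_sources(events))            # {'203.0.113.7': 'password_spray', '198.51.100.9': 'brute_force'}
    print(detect_credential_stuffing(events))  # (True, 2)
```

The spray source never trips a per-account lockout (one failure per account), which is exactly why per-account thresholds alone miss it and why the rule counts distinct users per source instead. Credential stuffing is the hardest of the three to see in raw counts because it succeeds quietly; the success count it returns is the number that matters to a responder.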

#### 4. Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)

Overwhelming a target system with traffic or requests to make it unavailable. DDoS uses many compromised devices (a botnet) as the sources. Example: the Mirai botnet, built from IoT devices.

#### 5. Man-in-the-Middle (MitM)

The attacker intercepts communication between two parties. Common on unencrypted Wi-Fi. Can steal data or inject malicious content.

#### 6. Zero-Day Exploit

An attack that exploits a vulnerability the vendor does not yet know about or has not yet patched, so no fix is available when the attack occurs. Highly valuable to attackers.

#### 7. Insider Threats

Threats from within the organization: malicious (a disgruntled employee) or accidental (a data leak by mistake).

Threat Actors and Motivations

Cybercriminals: Motivated by financial gain (ransomware, credit card theft).

Nation-State Actors: Motivated by espionage, sabotage, political influence. Highly sophisticated. Example: APT29 (Cozy Bear).

Hacktivists: Motivated by political or social causes. Deface websites, DDoS.

Insiders: Motivated by revenge, greed, or carelessness.

Terrorist Groups: Motivated by disruption or propaganda.

Attack Vectors

An attack vector is the path or method used by an attacker to gain access. Common vectors:

- Email: Phishing, malicious attachments.
- Web: Drive-by downloads, malicious ads (malvertising).
- Removable Media: USB drops.
- Network: Exploiting open ports and weak or exposed protocols (SMB, RDP).
- Identity: Compromising user credentials.
- Supply Chain: Compromising third-party software or hardware. Example: SolarWinds.

The Cyber Kill Chain

Developed by Lockheed Martin, this framework describes the stages of a cyberattack:

1. Reconnaissance: Research the target (open-source intelligence, scanning).
2. Weaponization: Create the exploit (e.g., a malicious document).
3. Delivery: Send the exploit (email, web).
4. Exploitation: Trigger the exploit on the target system.
5. Installation: Install malware (backdoor).
6. Command & Control (C2): Establish a channel to the attacker.
7. Actions on Objectives: Data exfiltration, encryption, etc.

Microsoft's Threat Intelligence

Microsoft uses the Microsoft Intelligent Security Graph, which collects and analyzes trillions of signals daily (the widely quoted figure is 8 trillion, from 2020; later Microsoft reports cite far larger daily totals). This intelligence feeds into products such as Microsoft Defender for Endpoint, Defender for Office 365, and Microsoft Sentinel (formerly Azure Sentinel). Product names to know, including the older ones that still appear in study material:

- Microsoft Defender XDR: Cross-product detection and response across endpoints, identities, email, and apps. Formerly Microsoft 365 Defender, and before that Microsoft Threat Protection (MTP).
- Microsoft Defender for Cloud: Protects cloud workloads (servers, containers, storage, databases) with posture management and threat protection.

Defense-in-Depth Strategy

Layered security approach. Microsoft's own defense-in-depth diagram names seven layers (physical security, identity and access, perimeter, network, compute, application, data); this chapter groups them as follows, with user training as the human layer that cuts across all of them:

- Physical: Data center security.
- Identity: MFA, Conditional Access.
- Network: Firewalls, segmentation, DDoS protection at the perimeter.
- Application: Secure coding, web application firewalls.
- Data: Encryption, DLP.
- Endpoint (compute): Antivirus, EDR.
- User Training: Security awareness.

Exam-Relevant Numbers and Values

Microsoft reported blocking over 25 billion brute-force password attacks in 2021 (a yearly figure, often misquoted as daily).

Over 300 million fraudulent sign-in attempts daily.

8 trillion threat signals processed daily by the Microsoft Intelligent Security Graph (Microsoft's 2020 figure; later Microsoft reports cite tens of trillions per day).

Phishing is widely cited as the starting point of the large majority of attacks (figures of 90% or more circulate in vendor reports); treat it as the most common initial vector rather than as an exam-tested statistic.

Average cost of a data breach: $4.45 million (IBM 2023).

Ransomware dwell time (initial access to ransomware deployment): median 5 days in Sophos's 2023 Active Adversary report, but it can be hours.

Common Attack Patterns Tested on SC-900

Ransomware: Recognize double extortion.

Phishing vs. Spear Phishing: Spear phishing is targeted.

DDoS vs. DoS: DDoS is distributed.

Insider Threat: Malicious vs. accidental.

Zero-Day: Unknown vulnerability.

How to Identify Threats in Scenarios

If an attack uses a malicious email to a specific executive: spear phishing/whaling.

If an attack exploits a vulnerability the vendor does not know about and for which no patch exists: zero-day.

If an attack encrypts data and demands payment: ransomware.

If an attack comes from a disgruntled employee: insider threat.

If an attack floods a server with traffic: DDoS.

Interplay with Microsoft Solutions

Microsoft Defender for Office 365 protects against phishing.

Microsoft Defender for Endpoint protects against malware.

Azure DDoS Protection mitigates DDoS.

Microsoft Entra ID (formerly Azure AD) protects identities with MFA and Conditional Access.

Microsoft Purview provides data protection and compliance.

Summary of Key Terminology

Threat: Potential violation of security.

Vulnerability: Weakness that can be exploited.

Risk: Likelihood of a threat exploiting a vulnerability.

Attack Surface: Sum of all points where an attacker can enter.

Attack Vector: Method used to gain access.

Indicators of Compromise (IoC): Evidence of a breach (e.g., IP addresses, file hashes).

Indicators of Attack (IoA): Patterns indicating an attack in progress.

Exam Tips

Know the difference between a threat, vulnerability, and risk.

Be able to identify attack types from a description.

Know the headline Microsoft numbers (25 billion password attacks blocked in a year, 8 trillion signals a day), but expect the exam to test concepts rather than statistics.

Understand the Cyber Kill Chain stages.

Recognize that the modern threat landscape requires a zero-trust approach (never trust, always verify).

Walk-Through

Step 1. Reconnaissance: Gather Target Information

The attacker collects information about the target using open-source intelligence (OSINT), social engineering, network scanning, or dumpster diving. They identify IP addresses, email formats, employee names, software versions, and potential vulnerabilities. Tools like Shodan, Maltego, or Nmap are used. This stage is passive (no direct interaction) or active (scanning). In the exam, recognize that reconnaissance is the first step in the Cyber Kill Chain.

Step 2. Weaponization: Create the Attack Tool

The attacker couples a payload (exploit) with a delivery mechanism. For example, they create a malicious Microsoft Office document with a macro that downloads a trojan, or a specially crafted email link that leads to a credential harvesting page. Weaponization often involves exploit kits like Angler or Magnitude. This step occurs offline, before delivery.

Step 3. Delivery: Transmit the Weapon to the Target

The attacker delivers the weaponized payload via email attachment, malicious URL, USB drop, or direct network exploitation. Phishing emails are the most common delivery method. The delivery must bypass security controls like email filters or web proxies. If the user interacts (clicks link/opens attachment), the attack proceeds.

Step 4. Exploitation: Trigger the Exploit

The exploit code is executed on the target system, often by the user opening the malicious file or clicking the link. This step exploits a vulnerability in software (e.g., unpatched browser, outdated Office). The exploit may be a buffer overflow, script injection, or macro execution. Successful exploitation gives the attacker a foothold.

Step 5. Installation: Establish Persistence

The attacker installs malware (backdoor, trojan, ransomware) on the compromised system. They may use techniques like registry modification, scheduled tasks, or service installation to maintain access even after reboot. Fileless malware may run only in memory. The attacker now has a persistent presence.

Step 6. Command and Control: Establish the C2 Channel

The malware contacts an external command-and-control (C2) server to receive instructions or exfiltrate data. C2 communication often uses HTTP/HTTPS to blend with normal traffic, or DNS tunneling. The attacker can now issue commands (e.g., download additional tools, move laterally). Detection often focuses on anomalous outbound traffic.
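Anomalous outbound traffic is easier to reason about with a concrete heuristic. The following is an added example, not from this page or from any Microsoft product: it scores each (source, destination) pair in a constructed proxy log by how regular the gaps between connections are, because an implant that sleeps a fixed interval between check-ins produces near-constant gaps while human browsing is bursty. The log format, the sample traffic and the thresholds are all assumptions.

```python
"""
Flag periodic outbound connections (beaconing) in proxy or firewall logs.
Added example, not from the page or any Microsoft product: the log format
and sample traffic are constructed, and the thresholds are assumptions
to tune against a real baseline.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def parse_proxy_line(line: str):
    """Constructed format: '<iso-timestamp> <source-host> <destination> <bytes-sent>'."""
    ts, src, dst, sent = line.split()
    return datetime.fromisoformat(ts), src, dst, int(sent)


def find_beacons(lines, min_connections=8, max_interval_cv=0.15):
    """Group connections by (source, destination) and score the regularity of
    their inter-arrival times with the coefficient of variation (stdev / mean).
    Human browsing is bursty (high CV); a beacon sleeping a fixed time between
    check-ins is near-constant (low CV). Returns one record per pair that
    crosses the thresholds."""
    conns = defaultdict(list)
    for line in lines:
        ts, src, dst, sent = parse_proxy_line(line)
        conns[(src, dst)].append((ts, sent))

    beacons = []
    for (src, dst), events in conns.items():
        if len(events) < min_connections:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        interval_cv = statistics.pstdev(gaps) / mean_gap
        sizes = [sent for _, sent in events]
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes) if statistics.mean(sizes) else 0.0
        if interval_cv <= max_interval_cv:
            beacons.append({
                "src": src, "dst": dst, "count": len(events),
                "mean_interval_s": round(mean_gap, 1),
                "interval_cv": round(interval_cv, 3),
                "size_cv": round(size_cv, 3),   # near 0 = identical payloads, another beacon trait
            })
    return beacons


# Constructed sample traffic (not real data). Host 10.0.0.21 checks in with
# one destination roughly every 60 s with a few seconds of jitter, sending the
# same 512-byte request each time; host 10.0.0.22 browses a news site in bursts.
_BASE = datetime(2026, 5, 1, 9, 0, 0)
_BEACON_OFFSETS = [0, 61, 119, 181, 240, 302, 359, 421, 480, 539, 601, 660]
_BROWSE_OFFSETS = [0, 5, 47, 120, 121, 300, 303, 900, 905]


def _line(offset, src, dst, sent):
    return f"{(_BASE + timedelta(seconds=offset)).isoformat()} {src} {dst} {sent}"


SAMPLE_PROXY_LOG = (
    [_line(o, "10.0.0.21", "update-cdn.example", 512) for o in _BEACON_OFFSETS]
    + [_line(o, "10.0.0.22", "news.example", 1200 + 7 * o) for o in _BROWSE_OFFSETS]
)


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_PROXY_LOG):
        print(hit)   # the 10.0.0.21 -> update-cdn.example pair, mean interval 60.0 s
```

Real implants add jitter and vary their sleep, so in practice you raise max_interval_cv, weigh request-size consistency (size_cv) and how long the pattern persists, and baseline known-good destinations first: software update agents also beacon, and a rule like this will find them on day one.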

Step 7. Actions on Objectives: Achieve the Goal

The attacker achieves their objective: data exfiltration, encryption (ransomware), destruction, or espionage. In double extortion ransomware, data is exfiltrated before encryption. The attacker may also move laterally to other systems to expand access. This is the final stage; the defender must detect and respond before objectives are completed.

What This Looks Like on the Job

Enterprise Scenario 1: Ransomware Attack on a Hospital

A large hospital network uses Microsoft 365 and Azure with hybrid identity: on-premises Active Directory is synchronized to Microsoft Entra ID (Azure AD), so the same password works on-premises and in the cloud. An employee receives a spear-phishing email appearing to be from IT, asking them to click a link to verify their credentials. The link leads to a credential-harvesting page that captures the employee's username and password. The attacker signs in to the cloud account without an MFA prompt because the employee had not yet been enrolled, and because of the shared password the same credentials also work against the internal network, for example over the hospital's VPN. From there the attacker escalates to a domain administrator account and pushes ransomware to every domain-joined machine through Group Policy. Patient records are encrypted and the attacker demands $5 million. The hospital had Microsoft Defender for Office 365 but had not configured anti-phishing policies for user and domain impersonation, and it had no Conditional Access policy requiring MFA for all users. The attack succeeded because of weak identity protection and a lack of user training. In production, organizations must enforce MFA, use Conditional Access, and enable impersonation protection. Microsoft Defender for Endpoint can detect the lateral movement and privilege escalation and alert the security team. The hospital's recovery took weeks and cost millions.
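The impersonation gap in this scenario is the kind of check an anti-phishing policy performs. The following is an added example, not Microsoft's implementation and not code from this page: it evaluates a From: header against a constructed list of protected executives and internal domains, flagging a display name that matches an executive but arrives from a different address, senders outside the tenant, and domains that differ from the internal one by a character or two. The protected-user list, domains, sample headers and similarity threshold are assumptions.

```python
"""
Flag display-name and lookalike-domain impersonation in an email From header.
Added example, not Microsoft's anti-phishing implementation: the protected
user list, internal domain and similarity threshold are constructed
assumptions a tenant would replace with its own.
"""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed tenant data: executives worth protecting and the legitimate
# address each one sends from.
PROTECTED_USERS = {
    "Dana Chen": "dana.chen@contoso.example",      # constructed
    "Sam Okafor": "sam.okafor@contoso.example",    # constructed
}
INTERNAL_DOMAINS = {"contoso.example"}              # constructed


def normalize_name(name: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace so 'DANA  Chen'
    and 'dana chen' compare equal."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.lower()).split())


def lookalike_domain(domain: str, threshold: float = 0.8):
    """Return the internal domain this one resembles (c0ntoso vs contoso),
    or None. Exact internal domains are not lookalikes of themselves."""
    if domain in INTERNAL_DOMAINS:
        return None
    for trusted in INTERNAL_DOMAINS:
        if SequenceMatcher(None, domain, trusted).ratio() >= threshold:
            return trusted
    return None


def assess_from_header(from_header: str) -> dict:
    """Evaluate one From: header value and return the findings, in the order
    display-name impersonation, external sender, lookalike domain."""
    display_name, address = parseaddr(from_header)
    address = address.lower()
    domain = address.rpartition("@")[2]
    findings = []

    # A protected person's name on a message from any other address is the
    # classic CEO-fraud / whaling setup.
    wanted = normalize_name(display_name)
    for protected_name, real_address in PROTECTED_USERS.items():
        if wanted and wanted == normalize_name(protected_name) and address != real_address:
            findings.append("display_name_impersonation")
            break

    if domain not in INTERNAL_DOMAINS:
        findings.append("external_sender")
        if lookalike_domain(domain):
            findings.append("lookalike_domain")

    return {"display_name": display_name, "address": address, "findings": findings}


if __name__ == "__main__":
    # Constructed headers: a genuine message, a free-mail impersonation of the
    # CEO, and a helpdesk lure from a typo-squatted domain.
    for header in ["Dana Chen <dana.chen@contoso.example>",
                   "Dana Chen <dana.chen.ceo@gmail.example>",
                   "IT Helpdesk <helpdesk@c0ntoso.example>"]:
        print(assess_from_header(header))
```

Defender for Office 365's impersonation protection works on the same idea with richer signals (sender authentication results, mailbox intelligence about whom each user normally corresponds with), which is why the product's user and domain impersonation settings are the control to enable; the example shows what "impersonation" means in the scenario, not a replacement for the product.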

Enterprise Scenario 2: DDoS Attack on an E-Commerce Site

An e-commerce company experiences a DDoS attack during Black Friday. The attack uses a botnet of compromised IoT devices (a Mirai variant) to flood the company's web servers, taking the site offline. The company relied on the free, always-on infrastructure-level DDoS protection that Azure applies to every public IP (formerly called Azure DDoS Protection Basic), which defends the Azure platform against large volumetric attacks but gives the customer no policy tuned to its own traffic, no mitigation telemetry, and no alerting. Worse, the attack was an application-layer HTTP flood, which looks like legitimate requests at the network layer and is not stopped by any DDoS Protection tier on its own. They enabled Azure DDoS Network Protection (formerly Standard), which adds adaptive tuning to the application's traffic profile, mitigation telemetry and alerts, and rapid-response support for layer 3 and 4 attacks, and put Azure Web Application Firewall with rate limiting in front of the site to absorb the HTTP flood. With both in place the attack was mitigated within minutes. In production, companies must choose the appropriate DDoS protection tier and combine it with a WAF, because DDoS Protection covers the network and transport layers while the WAF covers layer 7. Common misconfiguration: relying only on the default infrastructure protection for critical services, or assuming it handles application-layer floods.

Enterprise Scenario 3: Insider Threat at a Financial Firm

A financial firm's employee with access to customer financial data copies sensitive files to a USB drive before leaving the company. The firm had Data Loss Prevention (DLP) policies in Microsoft Purview, but they were scoped to Exchange and SharePoint only and not to endpoints, so the removable-media transfer was never evaluated. The exfiltration was detected only after a routine audit. In production, DLP policies should be extended to devices with Purview Endpoint DLP, which can audit or block copying sensitive or labeled files to removable USB devices and to unsanctioned cloud storage. Microsoft Purview Information Protection classifies and labels the sensitive data those policies act on. The firm also lacked user behavior analytics (UBA) that could have flagged the unusual download volume; Microsoft Defender for Cloud Apps detects anomalous behavior such as mass downloads, and Purview Insider Risk Management correlates signals such as an upcoming departure with data exfiltration activity. Common pitfall: focusing DLP only on email and ignoring USB or cloud storage.

How SC-900 Actually Tests This

What SC-900 Tests on This Topic

The SC-900 exam objective 1.1 'Describe the concepts of security, compliance, and identity' includes understanding the modern threat landscape. Specifically, you must be able to:

Describe common types of threats (malware, phishing, password attacks, DDoS, insider threats, zero-day).

Differentiate between threat actors and their motivations.

Understand the Cyber Kill Chain framework.

Recognize the importance of defense-in-depth.

Identify Microsoft's role in threat intelligence (Intelligent Security Graph, 8 trillion signals).

Common Wrong Answers and Why Candidates Choose Them

1. Confusing phishing with spear phishing: Many candidates think all phishing is generic. The exam tests that spear phishing is targeted. Wrong answer: 'Phishing is always mass-distributed.' Reality: Spear phishing is targeted to specific individuals.

2. Thinking ransomware only encrypts data: Modern ransomware often exfiltrates data first (double extortion). Wrong answer: 'Ransomware only encrypts files.' Reality: Attackers also steal data to increase leverage.

3. Believing DDoS and DoS are the same: The exam distinguishes them: DDoS uses multiple sources. Wrong answer: 'DDoS is just a larger DoS.' Reality: DDoS is distributed, making mitigation harder.

4. Assuming zero-day exploits are always patched quickly: Zero-day means no patch exists. Wrong answer: 'Zero-day exploits are patched within 24 hours.' Reality: By definition, no patch is available.

5. Confusing threat, vulnerability, and risk: Threat is potential danger; vulnerability is weakness; risk is likelihood and impact. Wrong answer: 'A vulnerability is a threat.' Reality: Vulnerability is a weakness that can be exploited by a threat.

Specific Numbers and Terms That Appear Verbatim

'8 trillion threat signals daily' from Microsoft Intelligent Security Graph.

'25 billion password attacks' blocked by Microsoft (the 2021 yearly figure; do not quote it as a daily number).

'Over 300 million fraudulent sign-in attempts daily.'

'Cyber Kill Chain' stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objectives.

'Defense-in-depth' as a layered security approach.

'Zero Trust' model: never trust, always verify.

Edge Cases and Exceptions

Insider threat can be accidental or malicious: The exam tests both. Accidental insider threat (e.g., sending data to wrong recipient) is still a threat.

Malware can be fileless: The exam may ask about malware that runs in memory without writing to disk.

Ransomware can target cloud data: Not just on-premises; cloud storage can be encrypted if credentials are compromised.

DDoS can target the application layer (Layer 7): Azure DDoS Protection (Network Protection or IP Protection, formerly Standard) mitigates layer 3 and 4 attacks; layer 7 floods such as HTTP floods need Azure Web Application Firewall in front of the service.

How to Eliminate Wrong Answers

If a question describes an attack using a malicious email with a specific target, eliminate 'phishing' and choose 'spear phishing'.

If a question mentions an unknown vulnerability exploited before a patch, eliminate all answers not mentioning 'zero-day'.

If a question describes data encryption and exfiltration with a ransom demand, 'ransomware' is the correct answer; the exfiltration detail indicates double extortion.

If a question describes a flood of traffic from many sources, eliminate 'DoS' and choose 'DDoS'.

If a question asks about the first step in Cyber Kill Chain, eliminate anything other than 'Reconnaissance'.

Key Takeaways

The modern threat landscape includes malware, phishing, password attacks, DDoS, insider threats, and zero-day exploits.

The Cyber Kill Chain has 7 stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objectives.

Microsoft reported blocking over 25 billion password attacks in a single year and processes trillions of threat signals daily (8 trillion in the 2020 figure that study material usually quotes).

Defense-in-depth uses multiple layers of security: physical, identity, perimeter and network, compute (endpoint), application, and data, plus user training.

Zero Trust is a security model that assumes no implicit trust and verifies every access request.

Phishing is the most common attack vector; spear phishing is targeted phishing.

Ransomware often uses double extortion: data exfiltration plus encryption.

Insider threats can be malicious or accidental.

DDoS attacks can target network or application layers.

Zero-day exploits target vulnerabilities unknown to the vendor.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Phishing

Sent to a large number of recipients indiscriminately.

Generic content (e.g., 'Dear Customer').

Low success rate; relies on volume.

Often blocked by spam filters due to mass distribution.

Example: Fake PayPal email sent to millions.

Spear Phishing

Targeted at specific individuals or organizations.

Personalized content using victim's name, job title, etc.

Higher success rate due to customization.

Harder to detect because it appears legitimate.

Example: Email to CFO impersonating CEO requesting wire transfer.

DoS Attack

Originates from a single source.

Easier to block by blacklisting the source IP.

Less bandwidth; easier to mitigate.

Often used as a smokescreen for other attacks.

Example: Ping flood from one computer.

DDoS Attack

Originates from multiple sources (botnet).

Harder to block due to distributed IPs.

Can generate massive traffic (Tbps).

Requires specialized mitigation services (e.g., Azure DDoS Protection).

Example: Mirai botnet attacking DNS provider Dyn.

Watch Out for These

Mistake: Phishing always involves email.

Correct: Phishing can occur via SMS (smishing), voice calls (vishing), social media messages, or even physical mail. The exam may test non-email phishing vectors.

Mistake: Ransomware only encrypts files and demands payment.

Correct: Modern ransomware often exfiltrates data before encryption (double extortion). Attackers threaten to leak the data if the ransom is not paid.

Mistake: A zero-day exploit is one that has been known for zero days.

Correct: A zero-day exploit targets a vulnerability unknown to the vendor, so no patch exists. It is not about time since discovery; it's about vendor awareness.

Mistake: DDoS attacks only target network bandwidth.

Correct: DDoS can target the application layer (Layer 7) with HTTP floods, TLS handshake exhaustion, or DNS query floods. Mitigation requires application-level protection such as a web application firewall with rate limiting, not only network-layer DDoS protection.

Mistake: Insider threats are always malicious.

Correct: Insider threats can be accidental (e.g., an employee clicks a phishing link or loses a device). Both types are covered in SC-900.


Frequently Asked Questions

What is the difference between a threat, vulnerability, and risk?

A threat is a potential danger (e.g., a hacker). A vulnerability is a weakness (e.g., unpatched software). Risk is the likelihood that a threat will exploit a vulnerability, combined with the potential impact. For example, an unlocked door (vulnerability) and a burglar (threat) create a risk of theft. The SC-900 exam may ask you to differentiate these terms in a scenario.

What are the stages of the Cyber Kill Chain?

The Cyber Kill Chain has 7 stages: (1) Reconnaissance – gathering information; (2) Weaponization – creating the exploit; (3) Delivery – sending the exploit; (4) Exploitation – triggering the exploit; (5) Installation – installing malware; (6) Command & Control – establishing a channel to attacker; (7) Actions on Objectives – achieving the goal (e.g., data theft). The exam may ask you to identify which stage a given activity belongs to.

How does Microsoft's Intelligent Security Graph help defend against threats?

The Microsoft Intelligent Security Graph collects and analyzes trillions of threat signals daily (8 trillion in the commonly quoted 2020 figure) from across the Microsoft ecosystem (Windows, Azure, Microsoft 365, etc.). It uses machine learning to detect and respond to threats in near real time. This intelligence feeds into Microsoft security products such as Defender for Endpoint and Microsoft Sentinel (formerly Azure Sentinel), enabling automated detection and remediation. The exam may ask about the scale of signals.

What is double extortion ransomware?

Double extortion ransomware is a type of ransomware that not only encrypts the victim's data but also exfiltrates it before encryption. The attacker then demands a ransom for the decryption key and threatens to leak the stolen data if the ransom is not paid. This increases pressure on the victim. The SC-900 exam may test this concept as a modern ransomware variant.

What is the difference between a zero-day exploit and a zero-day vulnerability?

A zero-day vulnerability is a software flaw unknown to the vendor. A zero-day exploit is code that takes advantage of that vulnerability. Both terms are often used interchangeably, but the exam may distinguish them: vulnerability is the weakness; exploit is the attack code. Zero-day means no patch is available at the time of discovery.

How can organizations protect against phishing attacks?

Organizations can protect against phishing using: (1) Microsoft Defender for Office 365 with anti-phishing policies that detect impersonation; (2) Multi-factor authentication (MFA) to prevent credential theft; (3) User training to recognize phishing emails; (4) Safe Links and Safe Attachments in Defender; (5) Conditional Access policies to block suspicious sign-ins. The exam may ask which Microsoft tool provides anti-phishing protection.

What is defense-in-depth?

Defense-in-depth is a layered security strategy that uses multiple controls across different areas (physical, identity, network, application, data, endpoint, user training) to protect assets. If one layer fails, others still provide protection. It's like having multiple locks on a door. The exam expects you to understand that no single security measure is sufficient.

