Microsoft 365 behind 32% of escalated security incidents
Simply Data has released its Malaysia Cyber Threat Report 2025, which found that Microsoft 365 accounted for 32% of escalated security incidents among the Malaysian organisations it monitored.
The findings are based on data from the company's round-the-clock Security Operations Centre, which analysed more than 120.6 billion security logs in 2025. Those logs generated 12.4 million alerts, of which 3,945 were escalated as confirmed incidents requiring intervention.
Covering customers in Malaysia across more than 10 industries, the report presents a local view of cyber threats affecting businesses in the country. It identifies Microsoft 365, including Exchange Online, SharePoint, Teams and Azure AD, as the main attack surface observed by the firm's analysts.
Attackers were found to be exploiting misconfigured conditional access policies, weak multi-factor authentication implementations and compromised credentials. Some of those credentials had been obtained through phishing campaigns and activity on Dark Web markets.
Targeted Sectors
Education, logistics and large conglomerates were the three sectors most frequently targeted. The education sector stood out because of its large user bases, tighter IT security budgets and the volume of sensitive data held by institutions.
Logistics groups also featured prominently, a pattern the report links to Malaysia's position as a regional trade hub. Large conglomerates, meanwhile, faced persistent attacks directed at subsidiary networks.
The report also highlights malicious activity linked to Malaysian organisations beyond internal systems. In 2025, Simply Data's threat intelligence team detected 33.2 million malicious indicators of compromise on the Dark Web that were directly tied to Malaysian entities.
These included stolen corporate credentials, VPN access credentials offered for sale and sensitive documents traded in closed cybercriminal forums. The findings suggest that external monitoring has become an important part of cyber defence for businesses whose data or access details may already be circulating online.
One of the report's central conclusions is that cloud office software has become a major point of weakness for many organisations. The prominence of Microsoft 365 in the incident data suggests attackers are focusing on widely used collaboration and identity systems that can provide broad access once an account is compromised.
That trend has consequences beyond email security. Access to identity systems such as Azure AD can give intruders a route into file storage, internal communications and connected business applications, making credential theft a more serious operational risk.
Simply Data's Head of Threat Intelligence commented on the Dark Web findings:
"The Dark Web data is alarming. Malaysian corporate credentials are actively being traded on cybercriminal forums. Organisations that are not monitoring Dark Web activity for their domain names and IP ranges are flying blind."
Broader Risks
Alongside its review of 2025 incidents, the report points to several threats that organisations in Malaysia are likely to face more often. Phishing attacks are expected to become more convincing as criminals use generative AI tools to produce targeted emails in both Bahasa Malaysia and English.
Supply chain attacks aimed at third-party vendors were also identified as a growing concern. The report adds that ransomware risk remains high in the education and logistics sectors, particularly after Microsoft 365 credentials have been compromised.
Simply Data is headquartered in Kuala Lumpur and provides security operations, managed detection and response, penetration testing, threat intelligence and application performance monitoring services. Its Security Operations Centre supports clients in sectors including financial services, education, logistics, healthcare and government.
The figures in the report underline the scale of cyber monitoring now required by security teams in Malaysia, with 12.4 million alerts reduced to fewer than 4,000 confirmed incidents that needed action.