Taiwan's critical infrastructure experienced 2.63 million cyberattacks per day in 2025. That is a 113% surge from 2023. Energy grids, hospitals and emergency services were mapped, probed and tested in coordinated waves that synchronised with military operations.
You might assume this is a problem for critical national infrastructure, not a 500-person UK manufacturer or a mid-market professional services firm.
But you would be wrong.
Nation-state reconnaissance can already be happening in your Microsoft tenant. It does not have to look like millions of attacks. It can look like a handful of quiet behaviours that add up to intent: read-only cloud discovery by rare apps, steady service principal sign-ins from narrow IP ranges, off-hours probing of Conditional Access policies.
Why Scaling Firms Can Be a Target
Large organisations have hardened their defences: Direct attacks are expensive and noisy.
Nation-state actors pivot to lower-resistance paths: Your supplier integrations, partner APIs and B2B guest accounts.
The pattern is consistent across UK estates we monitor: Attackers favour patience over speed.
They map your environment with read-only permissions for weeks before any exploit: They identify who approves payments, which service principals can change bank details, which supplier APIs accept updates and where Conditional Access is weakest.
Then they act. Not with malware or phishing, but with a legitimate API call from a trusted app that quietly alters data and cash flow.
What Nation-state Reconnaissance Looks Like in Your Tenant
You will not see headline volumes. You will see low-and-slow patterns that most organisations miss because totals look flat.
Six Signals that Distinguish Nation-state Reconnaissance from Opportunistic Attacks
1. Low-and-Slow, Asset-Aware Probing
Sparse but persistent authentication failures against a small set of high-value identities: Global Admins, executives, finance, domain admins, break-glass accounts. Attempts spread over days or weeks, often across protocols (Exchange Online, SharePoint, Azure portal) to map what is accessible without tripping locks.
Signals: RiskySignins, AADNonInteractiveUserSignInLogs, Microsoft Defender for Office 365 targeted user discovery, Defender for Identity reconnaissance alerts.
2. Cloud API Enumeration With Read-Only scopes
Bursts of Microsoft Graph and Azure Resource Manager calls that list rather than modify: GET /users, GET /groups, GET /servicePrincipals. Often via a newly consented enterprise app with seemingly harmless permissions like Directory.Read.All.
Signals: Entra ID AuditLogs for OAuth consent, new multi-tenant app registrations, unfamiliar service principals making Graph list calls, Sentinel UEBA "rare app" baselines.
3. Conditional Access & MFA Boundary Testing
Repeated sign-in attempts that stop before MFA, from a narrow IP set, against various device, location and client combinations to learn which policies bite. Few logins succeed, but the attempts map policy gaps.
Signals: Entra SignInLogs with status: interrupted, varied ClientAppUsed, toggling modern versus legacy authentication, device code flow trials.
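The following Python is an added illustration of that pattern, not code from the original post. It runs over constructed sign-in records shaped like a few Entra SignInLogs columns: one external IP cycling through client and OS combinations with attempts stopped at the policy boundary, beside an ordinary office IP. The simplified status values, the thresholds and the example.co.uk users are assumptions.

```python
from collections import defaultdict

# Constructed sign-in records (a few Entra SignInLogs-style columns, simplified).
# 198.51.100.20 cycles through client/OS combinations and stops at the policy
# boundary; 192.0.2.10 is an ordinary office address with normal successes.
CLIENT_MIX = [("Browser", "Windows"), ("Mobile Apps and Desktop clients", "iOS"),
              ("Exchange ActiveSync", "Android"), ("Other clients", "Linux")]
SAMPLE_SIGNINS = (
    [{"ip": "198.51.100.20", "user": f"user{i % 6}@example.co.uk",
      "client": c, "os": o, "status": "interrupted"}
     for i, (c, o) in enumerate(CLIENT_MIX * 5)]
    + [{"ip": "198.51.100.20", "user": "user1@example.co.uk",
        "client": "Browser", "os": "Windows", "status": "failure"}]
    + [{"ip": "192.0.2.10", "user": "user2@example.co.uk", "client": "Browser",
        "os": "Windows", "status": "success" if i < 30 else "failure"}
       for i in range(33)]
)


def detect_ca_boundary_testing(signins, min_attempts=10, min_client_combos=3,
                               min_interrupted_share=0.6, max_failure_share=0.2):
    """Flag source IPs whose sign-ins are mostly interrupted (stopped before MFA
    or by a Conditional Access policy), rarely outright failures, and spread
    across several client/OS combinations: policy mapping, not password guessing."""
    per_ip = defaultdict(list)
    for s in signins:
        per_ip[s["ip"]].append(s)
    findings = []
    for ip, rows in per_ip.items():
        n = len(rows)
        if n < min_attempts:
            continue
        interrupted = sum(r["status"] == "interrupted" for r in rows)
        failed = sum(r["status"] == "failure" for r in rows)
        combos = {(r["client"], r["os"]) for r in rows}
        if (interrupted / n >= min_interrupted_share
                and failed / n <= max_failure_share
                and len(combos) >= min_client_combos):
            findings.append({"ip": ip, "attempts": n, "interrupted": interrupted,
                             "failures": failed, "client_combos": len(combos),
                             "users": len({r["user"] for r in rows})})
    return findings


if __name__ == "__main__":
    for f in detect_ca_boundary_testing(SAMPLE_SIGNINS):
        print(f)
```

The office IP is never flagged because its attempts are successes, not interruptions, however many there are.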
4. DNS & Web Telemetry That Indicates Pre-Attack Mapping
High cardinality DNS requests for your brand and subdomains from a small resolver set, sometimes with one query per candidate name to avoid volume thresholds. Use of DNS over HTTPS to non-standard resolvers.
Signals: Defender for Endpoint network events, DNS logs showing many unique FQDN probes, JA3/JA4 TLS fingerprints that stay constant over weeks, domain fronting via CDNs.
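As an added example (not code from the original post), this Python buckets a constructed DNS query log by resolver and hour and flags buckets that are wide but shallow, using the same uniqueness and volume figures the pilot metrics later in the post quote (at least 40 unique names, fewer than 400 queries). The example.co.uk zone, the resolver addresses and the log shape are assumptions.

```python
from collections import defaultdict
from datetime import datetime

BRAND_ZONES = ("example.co.uk",)  # constructed: the organisation's own DNS zones

# Constructed DNS query log as (timestamp, resolver IP, queried name).
# 203.0.113.7 asks once each for 45 candidate hostnames in one hour (wide, shallow);
# 10.0.0.53 is a busy internal resolver repeating the same two names (narrow, deep).
SAMPLE_DNS = (
    [(f"2025-03-02T02:{i:02d}:00", "203.0.113.7", f"host{i}.example.co.uk")
     for i in range(45)]
    + [(f"2025-03-02T09:{i % 60:02d}:00", "10.0.0.53",
        ("mail.example.co.uk", "teams.example.co.uk")[i % 2]) for i in range(600)]
)


def in_brand_zone(fqdn):
    name = fqdn.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in BRAND_ZONES)


def detect_dns_probes(events, min_unique=40, max_total=400):
    """Return (resolver, hour) buckets that queried many distinct names in the
    organisation's zones while staying under a volume threshold: the
    one-query-per-candidate pattern that volume-based alerts never see."""
    buckets = defaultdict(lambda: {"total": 0, "names": set()})
    for ts, resolver, fqdn in events:
        if not in_brand_zone(fqdn):
            continue
        hour = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")
        b = buckets[(resolver, hour)]
        b["total"] += 1
        b["names"].add(fqdn.lower().rstrip("."))
    findings = []
    for (resolver, hour), b in buckets.items():
        unique = len(b["names"])
        if unique >= min_unique and b["total"] < max_total:
            findings.append({"resolver": resolver, "hour": hour,
                             "unique_names": unique, "total_queries": b["total"],
                             "uniqueness": round(unique / b["total"], 2)})
    return sorted(findings, key=lambda f: -f["uniqueness"])


if __name__ == "__main__":
    for f in detect_dns_probes(SAMPLE_DNS):
        print(f)
```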
5. Supply-Chain & Federation Touchpoints
Probing of B2B guest accounts, stale service principals or legacy SAML apps rather than front-door user accounts.
Signals: Entra B2B invite enumerations, unexpected TokenIssuanceStart for old SAML service principal names, Microsoft Defender for Identity alerts for LDAP enumeration without follow-on exploit.
6. Tradecraft Hygiene
Living-off-the-land tools and signed binaries for discovery. Clean infrastructure hygiene: cloud VPS ranges that rotate slowly, or compromised SOHO routers with stable JA3. User-Agents that mimic Outlook/Teams but with rare versions.
Signals: Microsoft Defender for Endpoint "rare process tree" baselines, Defender XDR Advanced Hunting anomalies on UserAgent, DeviceProcessEvents with LOLBINs like rundll32, net.exe, dsquery.
How This Contrasts with Opportunistic Attacks
Opportunistic attacks trade stealth for speed. High-volume password spray across many tenants, quick exploit of n-day edge CVEs, smash-and-grab exfiltration or crypto-mining minutes after initial access. Short dwell time, huge IP fan-out, clear commodity C2 beacons, mass mailbox rules or transport rules, web shells on internet-facing apps within hours.
Nation-state reconnaissance favours patience and precision. Expect read-only cloud discovery, policy mapping and identity graphing before any exploit.
The Business Impact You Present to Your Board
When you sit across from a CFO or board member, frame this as revenue protection, not IT risk.
Five Business Impacts That Matter
1. Revenue At Risk From Third-Party & Customer Scrutiny
Large customers assess suppliers on identity, MFA and logging. Evidence of reconnaissance on your tenant triggers extra assurance, delayed purchase orders or "high risk" flags in portals like CyberGRX or OneTrust. Typical effect for mid-market: slipped deals, stalled renewals, extra contract clauses and audit effort that hits quarterly numbers.
Board Lens: How many key accounts would pause if their risk team saw active reconnaissance against us next week?
2. Insurance Cost, Cover & Claim Friction
Carriers now require MFA everywhere, EDR on endpoints and privileged access controls. Gaps discovered post-incident drive higher excess, narrower cover or claim challenges. Nation-state style techniques (OAuth abuse, Conditional Access testing, read-only Graph enumeration) often reveal exactly those control gaps.
Board Lens: Are we insurable on our best terms if an assessor reviewed our tenant tomorrow?
3. Outage Duration & Recovery Cost
These actors map your environment first, so when something breaks (even an unrelated incident), your blast radius is larger and recovery slower because they already know your admin paths, backups and vendors.
Indicative Maths: If 500 staff average £95k fully loaded cost and 30% are materially impacted during a two-day disruption, that is approximately £78k internal productivity loss, excluding lost revenue, overtime and specialist incident response fees.
Board Lens: What is our realistic time-to-restore for identity and email if the lights flicker?
4. IP & Deal Intelligence Exposure
Read-only discovery often targets executive mailboxes, Teams sites and finance tooling. Even without encryption or wiping, draft bids, pricing models and M&A signals can leak, changing competitive outcomes.
Board Lens: Which executive mailboxes and finance systems would hurt us most if silently mirrored?
5. Regulatory & Audit Drag
For regulated sectors, signs of systematic reconnaissance without effective monitoring can trigger deeper supervisory questions and follow-up reviews.
Board Lens: Could we show an auditor high-fidelity logs and response actions for the last 90 days?
Election Tactics Migrating to Corporate Environments
AI-driven disinformation campaigns targeted 3.7 billion eligible voters across 72 countries in 2024. Between July 2023 and July 2024, 82 deepfakes targeting public figures surfaced in 38 countries.
The same playbook honed in elections is now aimed at companies. Election tactics are being reused inside enterprises: persona farms build trust, A/B-tested lures push staff to “safe” channels and synthetic executives close the deal on video or voice.
Seven Corporate Social Engineering Patterns Traced to Election Campaigns
1. Persona farms that "slow-cook" trust, then pivot to procurement or HR
Dozens of look-real LinkedIn, Twitter or Telegram personas engage staff for weeks, then move the conversation into email or Teams to request pricing, CVs or supplier setup tweaks. This mirrors coordinated inauthentic behaviour from election operations.
What To Watch in Microsoft 365: Unusual run-up of external meeting invites and Teams chats from newly created consumer identities, new guest accounts added by non-IT staff and reply-chain hijacks in mail.
2. A/B-tested lures and copy that iterate at speed
Phishing waves where subject lines, sender names and pretexts change every few hours, keeping the best-performing variant. This is lifted straight from influence campaigns that test narratives and framing.
What To Watch: Short-lived but frequent clusters of similar phishing with small textual changes, increasing click-through over a day.
3. "Authoritative voice" deepfakes to close the fraud
Synthetic CFO or CEO on a quick video or voice call to approve a transfer or change bank details.
What To Watch: Payment requests that jump channel after a chat or invite, urgent wire changes that follow a new external-domain contact and first-time video callers with no corporate meeting history.
4. Cross-platform narrative seeding that becomes “evidence” in email
Attackers seed claims or "receipts" on throwaway blogs and socials, then email employees links as proof to bypass scepticism. This mirrors election disinformation pipelines.
What To Watch: Inbound emails pointing to newly registered domains used as "source", then internal resharing.
5. Synthetic and stolen identities to win trust for Business Email Compromise
Clean-looking contractor profiles, AI-written CVs and domain-aligned email that warm leads for Business Email Compromise. AI now scales BEC and keeps losses high.
What To Watch: Supplier onboarding pushed by a new mailbox with perfect grammar but zero historical thread, invoice updates that reference recent genuine projects scraped from your website or social media.
6. "Safe channel" migration to bypass email controls
After one or two ignored emails, the actor steers the target to WhatsApp, Signal or a personal Gmail, exactly as election operations steer to channels they control.
What To Watch: Email threads that end with "let's switch to…", followed by unusual Teams guest invites and off-directory contacts.
7. Cheap synthetic media to dress the message
AI-generated headshots on supplier sites, AI-voiced IVRs for "bank verification", doctored screenshots used as "change approval".
What To Watch: Supplier domains with stock-style headshots that reverse-image to nothing, invoices attaching "approved" screenshots hosted on fresh domains.
Why Scaling Organisations are Exposed
Lots of long-lived secrets in runbooks and CI/CD, rarely rotated. Partner integrations to ERPs and supplier portals that default to broad permissions. Light ownership of "headless" apps. No one knows who controls a given service principal.
What It Will Look Like In Your Estate
- Read-Only First: a newly consented enterprise app or existing service principal ramps up Graph or REST list calls for users, groups and app roles.
- Quiet Persistence: stable sign-ins by that app ID from one to three IPs in one ASN at regular off-hours.
- Process Edits, Not Files: API calls to payment, supplier or HR endpoints that change data (bank account, approvers, delivery windows) with perfect authentication and no phish.
- Partner Pivot: your app ID is used against a customer's vendor API to request bank details or orders.
The Biggest Misconception
Read-only reconnaissance is not harmless.
When an attacker gains "just" directory read and app discovery in Microsoft Entra, they are already inside your business processes. That visibility lets them map who approves payments, which service principals can change bank details, which supplier APIs accept updates and where Conditional Access is weakest.
The next move does not need a phish or malware. It is a legitimate API call from a trusted app that quietly alters data and cash flow.
One-Page Test for Every Scaling Organisation
Can we list our top 10 service principals, their owners and last secret rotation date?
Is default user consent disabled and publisher verification required for apps?
Do we alert when a newly consented app performs read-heavy Graph calls, then touches finance or vendor endpoints within 24 hours?
If you can answer yes to those three today, you have defanged most "invisible" nation-state tradecraft that mid-market firms miss. If not, that is your shortest path to resilience without new spend.
How to Detect This With What You Already Own
You do not need a hunting team. You need Microsoft Entra, Microsoft Defender XDR and Microsoft Sentinel configured to surface four quiet behaviours that precede serious breaches.
Four high-signal detections
1. Rare app consent + directory reads
Catches benign-looking enterprise apps doing read-only Microsoft Graph enumeration.
2. Workload identity regularity
Flags service principal sign-ins from narrow ASN or IP ranges at repeatable off-hours with list-heavy API calls.
3. Conditional Access boundary testing
Surfaces interrupted sign-ins across diverse client types with few actual failures.
4. High-cardinality DNS probes
Finds resolvers querying many unique subdomains with low total volume.
Two-week “Recon Reality” pilot
In 10 working days, we light up these four detections using Microsoft Entra, Microsoft Defender XDR and Microsoft Sentinel, which you already own, show real findings and hand you a simple scorecard your board understands.
Success metrics we commit to:
- Coverage: all four analytics are enabled with data flowing by Day 4.
- Noise: average alert volume ≤5 per day during pilot.
- Detection: at least one of the following surfaced or confidently ruled out: new or rare app consent followed by Graph list calls, repeating off-hours service principal sign-ins from ≤3 IPs in one ASN, rising Conditional Access interruptions across multiple client types with low failure rate, ≥40 unique FQDNs per hour from a single resolver with total DNS <400.
- Time To Evidence: executive one-pager delivered by Day 10.
- Minimal Roles & Effort: one IT admin for approvals and a security lead for two short reviews.
- Estimated Effort: ≤8 hours total across two weeks.
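The first detection above, and the third question of the one-page test (a newly consented app that reads heavily, then touches finance or vendor endpoints within 24 hours), can be checked with a correlation like this added example, which is not code from the original post. It assumes a constructed, pre-normalised event stream (consent events as Entra AuditLogs would record them, Graph calls as MicrosoftGraphActivityLogs would, finance and vendor API calls from an application gateway log), a tenant allowlist of expected app IDs, and the path prefixes shown.

```python
from datetime import datetime, timedelta

KNOWN_APPS = {"app-erp-sync"}                  # constructed allowlist of expected app IDs
LIST_PATHS = ("/users", "/groups", "/servicePrincipals", "/applications")
FINANCE_PATHS = ("/vendors/", "/payments/", "/approvers/")
WRITE_METHODS = {"POST", "PATCH", "PUT", "DELETE"}


def _ev(ts, kind, app_id, method="GET", path=""):
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "app_id": app_id,
            "method": method, "path": path}


# Constructed events. app-rare-1: consent, 25 directory list calls, then a vendor
# bank-detail change 21.5h later. app-rare-2: same reads, no write. app-erp-sync:
# expected integration that does the same things and is allowlisted.
SAMPLE_EVENTS = (
    [_ev("2025-03-03T22:10:00", "consent", "app-rare-1"),
     _ev("2025-03-03T22:05:00", "consent", "app-rare-2"),
     _ev("2025-03-03T08:00:00", "consent", "app-erp-sync")]
    + [_ev(f"2025-03-03T22:{15 + i:02d}:00", "graph", app, "GET", LIST_PATHS[i % 4])
       for app in ("app-rare-1", "app-rare-2", "app-erp-sync") for i in range(25)]
    + [_ev("2025-03-04T19:40:00", "api", "app-rare-1", "PATCH", "/vendors/4411/bank-details"),
       _ev("2025-03-03T09:05:00", "api", "app-erp-sync", "PATCH", "/vendors/17/approvers/")]
)


def find_consent_to_finance_chains(events, window=timedelta(hours=24), min_list_calls=20):
    """For each consent to an app not on the allowlist, look for read-heavy Graph
    enumeration and a later write to finance/vendor endpoints inside the window."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for c in (e for e in events if e["kind"] == "consent" and e["app_id"] not in KNOWN_APPS):
        later = [e for e in events if e["app_id"] == c["app_id"] and e["kind"] != "consent"
                 and c["ts"] <= e["ts"] <= c["ts"] + window]
        reads = [e for e in later if e["kind"] == "graph" and e["method"] == "GET"
                 and e["path"].startswith(LIST_PATHS)]
        writes = [e for e in later if e["kind"] == "api" and e["method"] in WRITE_METHODS
                  and e["path"].startswith(FINANCE_PATHS)]
        if len(reads) >= min_list_calls and writes:
            findings.append({"app_id": c["app_id"], "consented": c["ts"].isoformat(),
                             "list_calls": len(reads),
                             "first_write": writes[0]["method"] + " " + writes[0]["path"],
                             "hours_to_write": round((writes[0]["ts"] - c["ts"]).total_seconds() / 3600, 1)})
    return findings


if __name__ == "__main__":
    for f in find_consent_to_finance_chains(SAMPLE_EVENTS):
        print(f)
```

Only the rare app that both enumerates and then writes is reported; the allowlisted integration and the read-only rare app produce nothing, which keeps the alert within the noise budget above.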
What This Means for Your Business
Your biggest customers and insurers already price nation-state resilience into their decisions to buy from you, how quickly and at what margin.
Strong cyber readiness keeps deals moving, preserves favourable insurance terms and shortens outages that kill revenue. If a 500-person firm loses even one business day at 30% productivity impact, you can burn tens of thousands of pounds and slip a quarter.
Resilience is not a cost centre. It is how you protect pipeline, cash flow and valuation while you grow.
Leading Indicators You Can Track in 30 days
- 100% privileged roles behind phishing-resistant MFA and just-in-time access.
- Default user consent disabled, legacy apps reviewed, risky service principals remediated.
- Sentinel analytics live for rare app consent, Conditional Access boundary testing and high-cardinality DNS probes.
- Mean time to detect suspicious Graph enumeration under 15 minutes.
Lagging Indicators in 90 days
- Fewer questionnaire findings from top five customers.
- Confirmed cyber policy conditions met, improved renewal terms.
- Tabletop test shows identity restore in under four hours.
How CyberOne Delivers this
CyberOne's MXDR as a Service uses Microsoft Sentinel, Microsoft Defender XDR and Microsoft Entra to baseline "normal", surface the rare and link weak signals into strong leads. 24x7x365 analysts, CREST and NCSC-assured processes and SLA-backed responses give you coverage without complexity.
We know which four indicators matter, we tune fast and we translate results into executive decisions, not just alerts.
To Recap
- Prioritise High-Value Signals: rare app consent, workload identity regularity, Conditional Access interrupts, DNS uniqueness.
- Automate The Obvious: use Microsoft Security tools you already own.
- Measure: time to detect and time to respond.
- Get Support: book a 30-minute call with us to get started.