As AI and digital technologies advance, the European cyber threat landscape continues to evolve, presenting new challenges that require stronger partnerships and enhanced solutions. Ransomware groups and state-sponsored actors from Russia, China, Iran, and North Korea continue to grow in scope and sophistication, and European cyber protection cannot afford to stand still.
That is why, today, in Berlin, we are announcing a new Microsoft initiative to expand our longstanding work to help defend Europe’s cybersecurity. Implementing one of the five European Digital Commitments I shared in Brussels five weeks ago, we are launching a new European Security Program that adds to the company’s longstanding global Government Security Program.

This new program expands the geographic reach of our existing work and adds new elements that will become critical to Europe’s protection. It puts AI at the center of our work as a tool to protect traditional cybersecurity needs and strengthens our protection of digital and AI infrastructure.
We are launching the European Security Program with three new elements:
Increasing AI-based threat intelligence sharing with European governments;
Making additional investments to strengthen cybersecurity capacity and resilience; and
Expanding our partnerships to disrupt cyberattacks and dismantle the networks cybercriminals use.
We are making this program available to European governments, free of charge, including all 27 European Union (EU) member states, as well as EU accession countries, members of the European Free Trade Association (EFTA), the UK, Monaco, and the Vatican.
Together, these efforts reflect Microsoft’s long-term commitment to defending Europe’s digital ecosystem—ensuring that, no matter how the threat landscape evolves, we will remain a trusted and steadfast partner to Europe in securing its digital future.
The need for new steps – the current threat environment
Microsoft continues to observe persistent threat activity targeting European networks from nation-state actors, with Russian and Chinese activity being particularly prolific in Europe. Unsurprisingly, Russia continues to be especially focused on targets in Ukraine and European nations providing support to Ukraine. Nation-state actors, including those engaging in malicious activity from Iran and North Korea, are predominantly pursuing espionage objectives in Europe through credential theft or the exploitation of vulnerabilities to gain access to corporate and government networks. Several campaigns, including those from China, have also targeted academic institutions, compromising accounts to access sensitive research data or conduct geopolitical espionage against think tanks. Beyond nation-state threats, cybercriminals continue to develop Ransomware-as-a-Service. We have seen the emergence of illicit websites rapidly gaining followings by leaking ransomware insights to be used by criminal groups to conduct attacks across Europe.
The rise of AI is also augmenting and evolving threat actor behavior. Microsoft has observed AI use by threat actors for reconnaissance, vulnerability research, translation, LLM-refined operational command techniques, resource development, scripting techniques, detection evasion, social engineering, and brute force attacks. This is why Microsoft now tracks any malicious use of new AI models we release and proactively prevents known threat actors from using our AI products. This also underscores the importance of secure development and rigorous testing of AI models, leveraging AI to benefit cyber defenders, and close public-private partnerships to share the latest insights about AI and cybersecurity.
Increasing AI-based threat intelligence sharing with governments
Microsoft’s Government Security Program (GSP) has long provided governments with confidential security information and resources to help them better understand our products and the evolving threat landscape, particularly threats from nation-state actors. Building on existing efforts, our new European Security Program will increase the flow of, and expand access to, actionable threat intelligence for European governments. Tailored to discrete national threat environments using AI insights, and delivered, when possible, in real time, this program is designed to help governments stay ahead of advancing cyber threats through:
Leveraging threat intelligence insights – Microsoft tracks the most sophisticated nation-state cyber activity, offering timely insights into evolving global threats. We use AI to support our analysis, which has improved our visibility and accelerated our ability to share the latest intelligence on the tactics, techniques, and procedures used by advanced persistent threat actors, including the malicious use of AI. By providing more information, faster, Microsoft will help European governments strengthen their cyber resilience and enable proactive defense.
Expanding cybercrime reporting – The Microsoft Digital Crimes Unit (DCU) plays a critical role in detecting and disrupting global cybercriminal infrastructure, generating invaluable real-time intelligence in the process. As part of this new effort, we are expanding the availability of this intelligence to trusted European partners to support rapid response and coordinated enforcement action through the Cybercrime Threat Intelligence Program (CTIP).
Providing foreign influence operations updates – The Microsoft Threat Analysis Center (MTAC) continues to monitor influence operations in Europe, which are increasingly using AI to mislead and deceive with deepfake synthetic media. MTAC also uses AI to look for commonalities across operations and will provide regular intelligence briefings on foreign influence, offering timely insights into the tactics, narratives, and digital platforms leveraged by state-affiliated actors. These briefings help policymakers and security stakeholders stay ahead of evolving disinformation campaigns and hybrid threats targeting democratic institutions and public trust.
Identifying vulnerabilities and prioritizing security communications – Microsoft is committed to proactive and transparent security communications, particularly in the face of emerging threats and evolving vulnerabilities. We provide customers with timely, actionable intelligence through structured programs such as the Microsoft Security Update Guide, Vulnerability Reporting process, and Microsoft Defender Vulnerability Management. As part of this expanded commitment, we will offer prioritized notice of security communications, including vulnerability remediation guidance, to our European Security Program partners, helping to enhance situational awareness and enabling faster responses.
Participating governments will have a dedicated Microsoft point of contact to coordinate responses and escalate concerns. These efforts are designed to improve situational awareness and to support faster, more coordinated action across borders.
Making additional investments to strengthen cybersecurity capacity and resilience
Digital resilience—the ability to anticipate, withstand, recover from, and adapt to cyber threats and disruptions—requires more than technology. It requires investment in people, institutions, and partnerships. As part of the European Security Program, we are investing additional resources to further our work with European governments, civil society, and innovators to strengthen local capabilities and build long-term resilience. Highlights include:
Strengthening public-private collaboration – Microsoft has launched a new pilot program with Europol’s European Cybercrime Centre (EC3), embedding Microsoft Digital Crimes Unit (DCU) investigators at EC3 headquarters in The Hague to enhance intelligence sharing and operational coordination. Through this enhanced collaboration, we will enable joint investigations and faster threat identification, and be better positioned to disrupt cybercriminal activity targeting European institutions and citizens.
Supporting civil society and defending against ransomware – Microsoft has renewed our three-year partnership with the CyberPeace Institute to support NGOs and to promote accountability for bad actors, including nearly 100 Microsoft employees volunteering their time and expertise to help defend the most vulnerable in cyberspace. We will continue to support the Institute’s efforts to trace ransomware origins, identify safe havens, and uncover potential links to nation-state actors.
Expanding cybersecurity support to the Western Balkans – Through a new collaboration with the Western Balkans Cyber Capacity Centre (WB3C), Microsoft will scale cybersecurity in a region where malicious actors have long sought to destabilize countries bordering the EU. Microsoft stands firmly in defense of Ukraine and is now extending that commitment with WB3C to help scale cybersecurity capabilities in a geopolitically sensitive and digitally under-resourced region, aligning with broader European cybersecurity priorities.
Advancing AI security and innovation – Microsoft is investing additional resources to support research, expand the cybersecurity talent pipeline, and test advanced AI-assisted security tools in real-world environments using Microsoft’s security stack and Azure and Copilot capabilities. We’re working with the UK’s Laboratory for AI Security Research (LASR), a public-private partnership established to advance AI security in support of the UK’s national security and economic prosperity. Together, we’re launching a joint research program on AI-cybersecurity challenges, with a focus on critical infrastructure and agentic AI security, with an initial investment from Microsoft and research collaboration between LASR and the Microsoft Security Research Center.
Securing open-source innovation – Through the recently launched GitHub Secure Open Source Fund, we will support open-source projects that underpin the digital supply chain, catalyze innovation, and are critical to the AI stack. By raising the security posture for European projects such as Log4J and Scancode, which are critical to the IT systems of governments and companies across the continent, the program aims to reduce future security vulnerabilities. Ensuring these tools can continuously withstand and sustainably defend against sophisticated cyber threats is essential to strengthening cyber resilience.
These new and enhanced initiatives reflect our belief that cybersecurity is a collective endeavor—and that Europe’s digital resilience must be built from the ground up.
Expanding partnerships to disrupt cyberattacks and dismantle cybercriminal networks
Finally, as part of our European Security Program we are expanding our partnerships with law enforcement and regional actors to proactively identify new and innovative ways to disrupt malicious and criminal activity.
For instance, last month, Microsoft’s Digital Crimes Unit (DCU) worked with Europol and others to take down Lumma, a prolific infostealer malware used to steal passwords, financial data, and crypto wallets. In just two months, Lumma infected nearly 400,000 devices globally, many of them in Europe. The operation seized or blocked over 2,300 command-and-control domains. Off the back of this action, we are working with Europol to identify new opportunities to continue to meaningfully disrupt and deter cybercrime.
[Figure: Lumma-infected devices by country in Europe]
To accelerate future takedowns, we also launched the Statutory Automated Disruption (SAD) Program in April 2025. This initiative automates legal abuse notifications to hosting providers, enabling faster removal of malicious domains and IP addresses. Focused initially on Europe and the U.S., SAD raises the cost of doing business for cybercriminals and makes it harder for them to operate at scale.
In addition, we’re working with local internet service providers to help remediate affected users and ensure governments have greater visibility into emerging threats.
The DCU has long played a leading role in proactively combating cyber threats, including those originating from nation-state actors. Since 2016, Microsoft has filed seven legal actions to spotlight and disrupt nation-state threat actors from countries such as Russia, China, Iran, and North Korea, which we refer to internally by the weather-themed names Blizzard, Typhoon, Sandstorm, and Sleet, respectively. Most recently, in September 2024, Microsoft initiated a disruption action against the Russian actor Star Blizzard, mentioned above, known for hacking political targets surrounding the UK’s 2022 elections and targeting NATO countries to advance its geopolitical interests involving Ukraine. Microsoft exposed the Russian actors and directly seized over 140 malicious domains in total, substantially blunting ongoing campaigns and forcing Star Blizzard to significantly alter its attack methods to other platforms, which Microsoft Threat Intelligence thereafter publicly exposed in a security blog. We will continue to act against those seeking to harm customers, governments, and individual users. These efforts are part of our broader strategy to partner with law enforcement across Europe. We are already working on coordinated disruptions to protect the digital ecosystem, and we stand ready to provide robust incident response services during crises, ensuring our partners and customers are never alone in the face of cyber adversity.
We also believe that deterrence is a critical pillar of modern cybersecurity. The EU’s Cyber Diplomacy Toolbox plays a vital role in this effort, helping to coordinate crisis response and send a clear message that malicious activity will not go unanswered—legally, operationally, or reputationally.
Taken together, operations like the Lumma disruption, the launch of SAD, and future coordinated disruptions are helping to prevent cybercriminals and state actors from establishing malicious infrastructure in Europe.
* * *
At Microsoft, our commitment to Europe is deep, enduring, and unwavering. We believe that Europe’s digital future is one of the most important opportunities of our time—and protecting that future is a responsibility we share. We will stand shoulder to shoulder with European governments, institutions, and communities to defend against threats, build capacity, and strengthen resilience. We are proud to be a trusted partner to Europe, and we will continue to work every day to earn trust through transparency, collaboration, and a steadfast commitment to protecting what matters most.