Digital Crimes Unit: Leading the fight against cybercrime

Cybercrime is globally disruptive and economically damaging, causing trillions of dollars in financial losses and operational impacts to individual and business victims. It threatens national security and diminishes trust in the digital economy and the Internet.

Microsoft’s Digital Crimes Unit (DCU) is an international team of technical, legal and business experts that has been fighting cybercrime to protect victims since 2008. We use our expertise and unique view into online criminal networks to uncover evidence so that we can make criminal referrals to appropriate law enforcement throughout the world. In addition to the threat of arrest and prosecution, cybercrime can be deterred by quickly and meaningfully disrupting the operational infrastructure used by cybercriminals, through civil legal actions or technical measures. Disruptions reduce  a cybercriminal or nation-state actor’s ability to engage in nefarious activity and force them to reckon with their lost investments.

No single entity can fight cybercrime effectively. The DCU has developed deep relationships with local and global law enforcement, security firms, researchers, NGOs and customers to drive scale and impact in fighting cybercrime.

In addition to the DCU’s efforts to disrupt and deter cybercrime itself, we share evidence from our investigations to assist with victim remediation, support education campaigns, and allow for the development of technical countermeasures that strengthen the security and safety of Microsoft’s products and services. We also use our voice and expertise to inform cybercrime legislation and global cooperation that advances the fight against cybercrime.

Our Areas of Focus

Business Email Compromise

Business Email Compromise (BEC) is a type of cybercrime that involves the unlawful use of business email account credentials to facilitate email fraud against a targeted organization.

BEC is one of the most prolific and costly cybercrime attacks in the world today. According to a 2020 FBI report, BEC attacks were responsible for $1.8B in losses and represent more than 40% of all cybercrime losses. The DCU is fighting BEC crime by identifying, mapping, and disrupting the technical malicious infrastructure used by cybercriminals to launch attacks. In 2020, the DCU secured court orders to block malicious web applications targeting business organizations, directed the removal of 744,980 phishing URLs and recovered 6,633 phish kits, resulting in the closure of 3,546 malicious email accounts used to collect stolen customer credentials obtained through successful phishing attacks.


Cybercriminals, and more recently nation-state actors, have long relied on botnets to dramatically scale their reach through infected computers while maintaining their anonymity. For over a decade the DCU has focused on identifying, investigating, and ultimately disrupting these actors’ ability to conduct their criminal activities by targeting their malware’s distribution and communications infrastructure.

The DCU has disrupted the infrastructure of 23 malware families or nation-state actors, stopping them from  distributing additional malware, controlling victims’ computers or targeting new victims. In partnership with governments and Internet Service Providers, the DCU has identified and helped to remediate more than 500 million victim computers over the course of the last decade while simultaneously using the information learned to enhance Microsoft’s products and services to protect customers from such threats.


Ransomware is a high profit, low-cost business. In 2020 we saw a transition from automatically spreading  ransomware like NotPetya or WannaCry to human-operated targeted attacks where adversaries deliberately target critical assets with an interest in extracting significantly higher ransoms from their victims. Microsoft is in a unique position to reduce the profitability of this crime while increasing the cost of entry. We do this through strong security controls in our products and services that enable customers to detect and respond to ransomware, as well as through the efforts of the DCU in applying creative legal and technical solutions to investigate and disrupt the criminal infrastructure behind ransomware, focusing on payment distribution systems and the manipulation of the crypto economy.

Tech Support Fraud

According to a 2018 Microsoft global online survey, 3 out of 5 people globally have experienced a tech support scam. Scammers convince victims to provide access to their devices by impersonating reputable technology companies such as Apple, Google and Microsoft.

The DCU leverages both data analytics and direct customer complaints to investigate criminal networks engaged in tech support fraud. We take legal action and refer cases to law enforcement and payment processors to disrupt and deter payments on fraudulent transactions. We apply what is learned to educate consumers and strengthen our products and services.

Online Child Exploitation

In 2009, Microsoft partnered with Dartmouth college to develop the hash matching technology known as PhotoDNA. This hashing and matching process makes it possible to effectively detect and disrupt known illegal images of child sexual exploitation that may be uploaded to an application or online platform daily. Microsoft equips technology companies and others with PhotoDNA to help detect, disrupt, and report the distribution of known child sexual abuse images and videos. Over 150 organizations across the globe are using PhotoDNA today.

PhotoDNA technology resulted in 16.9 million CyberTips to the National Center for Missing & Exploited Children (NCMEC) in 2019 alone. The DCU uses advanced analytics and investigations to identify high-risk, prolific and repeat offenders of Child Sexual Exploitation and Abuse Imagery (CSEAI) flagged by PhotoDNA on its services and provides additional information to NCMEC to keep out repeat offenders and protect children. Microsoft continues to innovate to combat online child exploitation including developing PhotoDNA in the cloud and applying PhotoDNA to video to continue to protect vulnerable populations and children.

Business Operations Integrity

Business Operations Integrity focuses on protecting Microsoft’s software supply chain, and cloud ecosystem. The DCU uses data analytics, machine learning, and direct customer and partner intelligence to identify large scale distributors and resellers of illicit Microsoft product keys and credentials. We partner with Microsoft Sales and Marketing teams to educate customers on the risks associated with illicit software use, and work with product and program engineering to minimize the levels of illicit Microsoft product keys and credentials available in the market. Where necessary, the DCU executes strategic civil enforcement against those companies that threaten Microsoft’s supply chain integrity, displace our legitimate partners, and ultimately erode customer trust.

Technological Advances: Machine Learning

The DCU uses machine learning clustering techniques to assist in our analysis, tracking, and investigation work to spot patterns and more accurately detect and learn from criminal activities online. With these tools, we have been able to develop new and more efficient ways of identifying the most prolific criminal networks to target for our investigations, disrupting criminal infrastructure at scale, and partnering with our engineering teams to improve the security of our products and services.

Note: This page was first published on April 30, 2020 and updated on April 15, 2021.