Digital Crimes Unit: Leading the fight against cybercrime

Cybercrime is globally disruptive and economically damaging, causing trillions of dollars in financial losses impacting both individual and business victims, while threatening national security and diminishing trust in the digital economy and the Internet.

Microsoft’s Digital Crimes Unit (DCU) is an international team of technical, legal and business experts that has been fighting cybercrime, protecting individuals and organizations, and safeguarding the integrity of Microsoft services since 2008. Our expertise and unique insights into online criminal networks enable us to uncover evidence used in our criminal referrals to law enforcement. The DCU also works to increase the operational cost of cybercrime by disrupting the infrastructure used by cybercriminals through civil legal actions and technical measures.

No single entity can fight cybercrime alone; the DCU has developed deep relationships with security teams across Microsoft, and with law enforcement, security firms, researchers, NGOs and customers to increase both our scale and impact when fighting cybercrime.

The DCU also shares insights to assist with victim remediation, support education campaigns and allow for the development of technical countermeasures that strengthen the security and safety of Microsoft’s products and services. We also use our voice and expertise to inform cybercrime legislation and advocate for public-private partnerships that accelerate cross-border cooperation to combat cybercrime.

Our Areas of Focus

Business Email Compromise

Business Email Compromise (BEC) occurs when business email account credentials are unlawfully used to compromise accounts and facilitate email fraud against targeted organizations and individuals.

BEC is one of the most prolific and costly forms of cybercrime in the world today. According to a 2021 FBI report, BEC attacks resulted in $2.4B in losses and represented almost 35% of all losses due to cybercrime. The DCU utilizes cutting-edge legal and technical strategies to fight BEC crime, enabling us to identify, map and disrupt the complex infrastructure used to launch BEC attacks. In 2021 the DCU secured court orders to block malicious homoglyph domains targeting and impersonating customers. The DCU also directed the removal of more than 596,000 unique phishing URLs and 7,700 phish kits, which led to the identification and closure of over 2,200 malicious email accounts used to collect stolen customer credentials.


Cybercriminals and nation-state actors rely on botnets – networks of malware-infected computers controlled by cybercriminals – to dramatically, and anonymously, scale their reach. For over a decade the DCU has identified, investigated, and disrupted these actors’ ability to conduct their criminal activities by targeting their distribution and communications infrastructure.

To date the DCU has disrupted the infrastructure of 25 botnets or nation-state actors, preventing them from distributing additional malware, controlling victims’ computers, and targeting additional victims. In partnership with governments and Internet Service Providers, the DCU has identified and shared information to remediate approximately 500 million victims worldwide while using the intelligence gained in these operations to better secure Microsoft’s products and services against these cyber threats.


Ransomware is a high-profit, low-cost business that has increased dramatically worldwide over the last several years. In 2020 cybercriminals transitioned from automatically spreading ransomware like NotPetya or WannaCry to human-operated targeted attacks where adversaries deliberately target critical assets with an interest in extracting significantly higher ransoms from their victims. Microsoft is in a unique position to reduce the profitability of this crime while increasing the cost of entry. The DCU has invested in technical and legal resources to make ransomware less profitable and more difficult to deploy by disrupting the infrastructure and payment systems that enable ransomware attacks, and by preventing the use of Microsoft products and services to attack our customers.

Tech Support Fraud

According to a 2021 Microsoft global online survey, approximately 3 out of 5 people globally have encountered a tech support scam. Scammers convince victims to provide access to their devices by impersonating reputable technology companies such as Apple, Google and Microsoft.

The DCU leverages data analytics and direct customer complaints to investigate criminal networks engaged in tech support fraud and to refer them to law enforcement. The DCU also works to disrupt the flow of money to the scammers by providing financial institutions and payment processors with information relating to the scammers’ fraudulent transactions, and to educate the public on avoiding these scams.

Malicious Use of Azure

Cybercriminals sometimes launch attacks directly from Microsoft’s network using the power of our Azure Cloud Services to target legitimate Microsoft customers, global businesses and governments. The DCU works to identify and investigate cybercriminals maliciously using Azure to launch these cybercrime attacks.

With the threat landscape constantly evolving, the DCU partners with security teams across the company to identify and disable cybercriminals hosting malicious technical infrastructure used in BEC, tech support fraud, malware distribution and ransomware attacks.

In addition to enforcement actions, the DCU’s disruption of cybercriminal networks using Azure provides insights that strengthen Azure security, protect customer cloud capacity and help support our Azure team to deliver a world-class customer experience.

Technological Advances: Machine Learning

Over the course of our investigations, the DCU has amassed a significant amount of data, and the challenge is how to analyze and use this intelligence to protect our customers. During the course of our daily work, we use machine learning clustering techniques to assist in our analysis, identifying patterns to more accurately detect and learn from criminal activities online. With these tools, we have been able to develop new and more efficient ways of identifying the most prolific criminal networks to target for investigation, disrupting criminal infrastructure at scale and partnering with our engineering teams to improve the security of our products and services.

Payment Disruption

According to Cybersecurity Ventures, the annual cost of cybercrime globally is expected to reach $10.5 trillion by 2025 as the world witnesses a surge in hacking activities by hostile nation-state-sponsored and organized crime groups. To combat this alarming trend, the DCU is building a comprehensive payment disruption strategy in partnership with public and private sector stakeholders including banks, payment processing providers, crypto exchanges and law enforcement. Our goal is to stop the money flow from victims to cybercriminals and to prevent cybercriminals from collecting and enjoying the proceeds of their crimes.
SOURCE: Cybersecurity Ventures

Note: This page was first published on April 30, 2020 and updated on May 3, 2022.