In a blog post promoting the capabilities of its commercial security platform — Microsoft Defender ATP — Microsoft said that on a daily basis the company’s security team detects and tracks on average around 77,000 active web shells, spread across 46,000 infected servers. From a report: But while the Microsoft blog post goes on to promote Defender ATP’s industry-recognized detection capabilities, the nugget in Microsoft’s recent marketing material is the 77,000 and 46,000 daily statistics. These two numbers are staggering in terms of size, and especially the 77,000 figure, which is far, far larger than any previous reports about web shell prevalence. For example, earlier this month GoDaddy’s Sucuri reported on cleaning around 3,600 web shells from hacked websites during all of last year, in 2019, a number dwarfed by Microsoft’s daily detection count. Microsoft’s numbers highlight the prevalence of these tools in today’s hackers’ arsenals — where web shells are considered a must for every threat actor, from lowly hacktivist groups defacing websites to state-sponsored cyber-espionage groups.