Ontinue Report Shows Alarming Rise in MFA-Bypassing Attacks and Cloud Security Gaps
TL;DR
Ontinue's threat report reveals that adversaries bypass MFA and exploit cloud gaps, giving organizations that implement its recommended controls a critical security advantage over competitors.
The report details how attackers use token replay, Azure persistence methods, and non-traditional phishing payloads to bypass security measures and maintain access for over 21 days.
By identifying emerging threats like USB malware resurgence and third-party compromises, this research helps organizations build stronger defenses to protect critical infrastructure and user data.
Cybercriminals are now using SVG files and USB drives to deliver malware, showing a surprising return to basic tactics alongside sophisticated cloud-based identity attacks.

Ontinue has released its 1H 2025 Threat Intelligence Report, documenting a concerning escalation in cybersecurity threats, with identity-based attacks and cloud persistence tactics taking center stage. The comprehensive analysis shows adversaries are increasingly bypassing multi-factor authentication protections and exploiting security blind spots that organizations have failed to address adequately.
The report highlights that ransomware remains highly disruptive despite a 35% year-over-year decrease in reported ransom payments, with more than 4,000 claimed ransomware breaches globally in the first half of 2025. However, the most significant trend involves sophisticated identity attacks targeting cloud environments, where nearly 40% of Azure intrusions investigated involved adversaries implementing multiple persistence methods simultaneously.
Token replay abuse emerged as a particularly effective attack vector, with approximately 20% of live incidents involving adversaries reusing stolen refresh tokens to bypass MFA protections even after password resets. This technique demonstrates how attackers are evolving beyond traditional credential theft to maintain persistent access to compromised systems.
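The detail that matters for defenders in the token replay finding is that a password reset does not, by itself, invalidate refresh tokens already issued; the session they belong to keeps working until it is explicitly revoked. The following is an added example (not Ontinue's tooling or a product feature) showing how a detection could correlate sign-in events with password-reset events to surface exactly that case. The event field names loosely resemble Microsoft Entra sign-in logs but are an assumption, and all records are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample sign-in events (assumed schema, not real telemetry).
# "interactive" = a fresh MFA-backed logon that establishes a session;
# "refresh" = a silent token refresh reusing an existing session id.
SIGNINS = [
    {"time": "2025-03-02T08:00:00Z", "user": "alice", "session": "s-100", "kind": "interactive", "ip": "198.51.100.10"},
    {"time": "2025-03-02T09:30:00Z", "user": "alice", "session": "s-100", "kind": "refresh",     "ip": "198.51.100.10"},
    # After the 10:00 password reset, s-100's refresh token still works, now from a new address.
    {"time": "2025-03-02T11:15:00Z", "user": "alice", "session": "s-100", "kind": "refresh",     "ip": "203.0.113.77"},
    {"time": "2025-03-02T12:00:00Z", "user": "alice", "session": "s-101", "kind": "interactive", "ip": "198.51.100.10"},
    {"time": "2025-03-02T13:00:00Z", "user": "alice", "session": "s-101", "kind": "refresh",     "ip": "198.51.100.10"},
    {"time": "2025-03-02T10:05:00Z", "user": "bob",   "session": "s-200", "kind": "interactive", "ip": "192.0.2.5"},
    {"time": "2025-03-02T14:00:00Z", "user": "bob",   "session": "s-200", "kind": "refresh",     "ip": "192.0.2.5"},
]

# Constructed password-reset audit events.
PASSWORD_RESETS = [
    {"time": "2025-03-02T10:00:00Z", "user": "alice"},
]


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_stale_session_refreshes(signins, resets):
    """Return refresh sign-ins that happen after a user's password reset but reuse a
    session established before that reset (or a session with no interactive logon on
    record at all). Such refreshes indicate a token that survived the reset."""
    reset_times: dict[str, list[datetime]] = {}
    for r in resets:
        reset_times.setdefault(r["user"], []).append(parse_ts(r["time"]))

    # Session issue time = earliest interactive sign-in seen for that (user, session id).
    issued: dict[tuple[str, str], datetime] = {}
    for e in sorted(signins, key=lambda e: e["time"]):
        if e["kind"] == "interactive":
            issued.setdefault((e["user"], e["session"]), parse_ts(e["time"]))

    findings = []
    for e in signins:
        if e["kind"] != "refresh":
            continue
        t = parse_ts(e["time"])
        issue_time = issued.get((e["user"], e["session"]))
        for reset_at in reset_times.get(e["user"], []):
            if t > reset_at and (issue_time is None or issue_time < reset_at):
                findings.append({
                    "user": e["user"],
                    "session": e["session"],
                    "time": e["time"],
                    "ip": e["ip"],
                    "reason": ("session issued before password reset" if issue_time
                               else "no interactive sign-in on record for session"),
                })
                break  # one finding per event is enough
    return findings


if __name__ == "__main__":
    for f in find_stale_session_refreshes(SIGNINS, PASSWORD_RESETS):
        print(f)
```

In the sample data only alice's 11:15 refresh on session s-100 is flagged: the session was issued at 08:00, before the 10:00 reset, yet it is still being refreshed afterwards. Her 13:00 refresh on s-101 is not flagged because that session was established by a new interactive logon after the reset. The remediation the finding points to is revoking the user's sessions (refresh tokens) alongside the password reset, not the reset alone.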
Phishing tactics have also evolved significantly, with over 70% of attachments bypassing secure email gateways being non-traditional formats like SVG or IMG files rather than conventional Office documents. This shift indicates that attackers are successfully adapting to security controls by using less-monitored file types to deliver malicious payloads.
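SVG attachments slip past gateways largely because they are treated as images even though the format can carry active content. As an added example (not code from the report or from Ontinue), the following stdlib-only check inspects an SVG for the constructs that make it more than a picture: script elements, foreignObject wrappers, inline event-handler attributes and javascript:/data: links. The two sample documents are constructed; the check is a triage aid for a mail pipeline, not a complete SVG sanitizer.

```python
import xml.etree.ElementTree as ET

# Constructed sample attachments (not real phishing samples).
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'
    '<circle cx="50" cy="50" r="40" fill="steelblue"/></svg>'
)
SUSPICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<rect width="10" height="10" onload="/* handler */"/>'
    '<a xlink:href="javascript:void(0)"><text>open</text></a>'
    '<script>/* embedded script */</script></svg>'
)

# Attribute values that turn a link into code execution or an embedded payload.
RISKY_URL_SCHEMES = ("javascript:", "data:")


def svg_active_content(svg_text: str) -> list[str]:
    """Return a list of reasons an SVG should not be treated as a plain image.
    An empty list means none of the checked constructs were found.
    Note: for untrusted input in production, parse with defusedxml rather than
    the stdlib parser to bound entity-expansion tricks; this example stays stdlib-only."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # Malformed XML is itself a signal; renderers are often more lenient than parsers.
        return [f"unparseable SVG: {exc}"]

    reasons = []
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()          # strip the namespace prefix
        if tag in ("script", "foreignobject"):
            reasons.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = attr.split("}")[-1].lower()
            if name.startswith("on"):                # onload, onclick, ...
                reasons.append(f"<{tag}> {name} event handler")
            if name == "href" and value.strip().lower().startswith(RISKY_URL_SCHEMES):
                reasons.append(f"<{tag}> href uses {value.split(':', 1)[0]}: scheme")
    return reasons


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, svg_active_content(doc))
```

The benign sample yields no reasons; the suspicious one reports the event handler, the javascript: link and the script element. A gateway rule built on this would quarantine or rewrite any SVG with a non-empty result rather than delivering it as an inline image.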
Perhaps most surprisingly, the report documents a 27% increase in USB-borne malware compared to late 2024, reinforcing the ongoing risk of removable media in enterprise environments. This resurgence of "back to basics" tactics coincides with findings from a 2024 Honeywell study showing that 51% of USB-based threats could cause major disruption in enterprise and industrial environments.
Third-party risk has doubled year-over-year, with nearly 30% of incidents linked to vendor compromise, including supply chain attacks targeting retailers and manufacturers. This trend underscores the expanding attack surface that organizations must manage as they increasingly rely on external partners and service providers.
Craig Jones, Chief Security Officer at Ontinue, emphasized that "cybercriminals are operating with the speed and adaptability of modern businesses. They pivot, rebrand, and retool in weeks, not months. Organizations can't afford to approach security as a static project; it's a continuous, intelligence-led process."
Balazs Greksza, Director of Threat Response at Ontinue, added that "the attackers we track are blending technical skill with human-focused tactics, leveraging trusted vendors, manipulating identities, and exploiting small configuration gaps that snowball into major incidents. The organizations that fare best are those that build resilience into every layer of their environment."
The full Ontinue 1H 2025 Threat Intelligence Report provides practical defensive recommendations, including implementing phishing-resistant MFA, hardening endpoint configurations, and establishing robust vendor risk management programs. The report emphasizes that organizations must integrate real-world threat intelligence into security testing to ensure defenses match current adversary techniques. Security professionals can access the complete analysis through the official report download page and explore additional threat analysis on the Ontinue blog.
Curated from citybiz
