Ontinue Report Shows Sharp Increase in MFA-Bypassing Attacks and Cloud Security Vulnerabilities
September 23rd, 2025 6:15 PM
By: Newsworthy Staff
Ontinue's 1H 2025 Threat Intelligence Report reveals a significant escalation in identity-based attacks that bypass multi-factor authentication and highlights critical security gaps in cloud environments that organizations must address.

The latest threat intelligence report from Ontinue reveals a concerning escalation in cybersecurity threats during the first half of 2025, with identity-based attacks and cloud security vulnerabilities emerging as primary concerns. The comprehensive analysis shows adversaries are increasingly bypassing multi-factor authentication (MFA) protections and exploiting unaddressed security gaps in enterprise environments. The findings indicate that while ransomware remains disruptive, attackers have shifted focus toward more sophisticated identity compromise techniques.
Cloud persistence tactics saw significant growth, with nearly 40% of Azure intrusions involving adversaries implementing multiple persistence methods simultaneously. These sophisticated attacks combined application manipulation, automation job exploitation, and role escalation techniques to maintain long-term access. When attackers successfully suppressed telemetry, the median dwell time exceeded 21 days, allowing extensive reconnaissance and data exfiltration. The report emphasizes that traditional security measures are insufficient against these layered persistence approaches.
Token replay abuse continues to pose serious threats, with approximately 20% of live incidents involving adversaries reusing stolen refresh tokens to bypass MFA protections. This technique remains effective even after organizations implement password resets, highlighting fundamental weaknesses in current identity protection frameworks. The persistence of this attack vector demonstrates that organizations need more robust authentication mechanisms beyond conventional MFA implementations.
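The replay pattern described above leaves a footprint a defender can look for: a session minted from a refresh token that was issued before the user's most recent password reset. The following is an added example, not code from the Ontinue report; the event records, their field names (`ts`, `type`, `user`, `token_issued`, `ip`) and all sample values are constructed for illustration, and real identity-provider sign-in logs differ.

```python
"""Detect refresh-token reuse that outlives a password reset.

Added example, not code from the Ontinue report. The event dictionaries,
field names (ts, type, user, token_issued, ip) and sample values are
constructed for illustration; real identity-provider sign-in logs differ.
"""
from datetime import datetime, timezone

# Constructed sample telemetry: each sign-in carries the issue time of the
# refresh token that minted the session. Alice resets her password at
# 09:30 on 03-02.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T08:00:00Z", "type": "signin", "user": "alice",
     "token_issued": "2025-03-01T08:00:00Z", "ip": "203.0.113.10"},
    {"ts": "2025-03-02T09:30:00Z", "type": "password_reset", "user": "alice"},
    # Same old token, used after the reset from a different address.
    {"ts": "2025-03-02T10:15:00Z", "type": "signin", "user": "alice",
     "token_issued": "2025-03-01T08:00:00Z", "ip": "198.51.100.7"},
    # Fresh token minted after the reset: expected behaviour.
    {"ts": "2025-03-02T11:00:00Z", "type": "signin", "user": "alice",
     "token_issued": "2025-03-02T10:50:00Z", "ip": "203.0.113.10"},
    # Bob never reset, so an older token is not suspicious under this rule.
    {"ts": "2025-03-02T12:00:00Z", "type": "signin", "user": "bob",
     "token_issued": "2025-02-28T07:00:00Z", "ip": "203.0.113.11"},
]


def parse_ts(value):
    """Parse the constructed ISO-8601 UTC timestamp format."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_token_reuse_after_reset(events):
    """Return sign-ins whose refresh token predates the user's latest reset.

    A password reset that does not also revoke refresh tokens leaves those
    tokens valid; any session minted from one after the reset matches the
    replay pattern the report describes and warrants a revocation check.
    """
    findings = []
    last_reset = {}  # user -> time of the most recent password reset seen so far
    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if event["type"] == "password_reset":
            last_reset[event["user"]] = parse_ts(event["ts"])
        elif event["type"] == "signin":
            reset_at = last_reset.get(event["user"])
            if reset_at is not None and parse_ts(event["token_issued"]) < reset_at:
                findings.append({
                    "user": event["user"],
                    "signin_at": event["ts"],
                    "token_issued": event["token_issued"],
                    "reset_at": reset_at.strftime("%Y-%m-%dT%H:%M:%SZ"),
                    "ip": event["ip"],
                })
    return findings


if __name__ == "__main__":
    for finding in find_token_reuse_after_reset(SAMPLE_EVENTS):
        print("refresh token outlived password reset:", finding)
```

On the constructed data only Alice's 10:15 sign-in is flagged: its token was issued the day before her reset. The practical follow-up the check points to is pairing every credential reset with an explicit revocation of outstanding refresh tokens, so that a replayed token fails rather than merely being logged.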
Phishing attacks have evolved significantly, with non-traditional payloads now dominating the threat landscape. Over 70% of attachments bypassing secure email gateways utilized formats like SVG or IMG rather than traditional Office documents. This shift reflects attackers' adaptation to improved security controls and their ability to exploit less-monitored file types. The trend underscores the need for more comprehensive email security solutions that can detect threats across diverse file formats.
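A gateway that classifies attachments by extension and treats SVG as a harmless picture is exactly what the shift described above exploits, since SVG is XML and can carry script or event-handler attributes. The triage routine below is an added example, not code from the Ontinue report or any product; the attachment names, contents, verdict strings and the SVG patterns are constructed for illustration, and IMG is assumed here to mean a disk-image file.

```python
"""Triage e-mail attachments whose format is image-like rather than Office.

Added example, not code from the Ontinue report. The attachment names,
contents and verdict strings are constructed for illustration; the SVG
patterns are an assumed heuristic, not an exhaustive definition of
active content.
"""
import os
import re

# SVG is XML and may embed script, event-handler attributes, script URLs or
# foreignObject HTML. A gateway that files it under "image" never looks.
ACTIVE_SVG = re.compile(
    rb"<script\b|\bon[a-z]+\s*=|javascript:|<foreignObject\b", re.IGNORECASE
)


def classify_attachment(filename, data):
    """Return 'allow', 'review' or 'block' for a single attachment."""
    ext = os.path.splitext(filename.lower())[1]
    if ext == ".svg":
        if ACTIVE_SVG.search(data):
            return "block"   # scriptable content inside an "image"
        return "review"      # passive SVG still deserves inspection
    if ext == ".img":
        return "review"      # mountable disk image, not a picture
    return "allow"           # everything else goes through the usual checks


# Constructed sample attachments (name, bytes).
SAMPLE_ATTACHMENTS = [
    ("logo.svg", b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'),
    ("invoice.svg", b'<svg xmlns="http://www.w3.org/2000/svg" onload="void(0)"></svg>'),
    ("archive.img", b"\x00" * 16),
    ("report.docx", b"PK\x03\x04"),
]


def triage(attachments):
    """Map each attachment name to its verdict."""
    return {name: classify_attachment(name, data) for name, data in attachments}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {verdict}")
```

The point of the routine is the second branch: the extension alone decides nothing for SVG, and the content is inspected before a verdict is given. A production gateway would parse the XML rather than pattern-match bytes, but the separation of "image-like extension" from "passive image" is the control the report's numbers argue for.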
Perhaps surprisingly, USB malware has resurfaced as a significant threat vector, with Ontinue observing a 27% increase in USB-borne malware compared to late 2024. This resurgence reinforces the ongoing risk posed by removable media in enterprise environments. A 2024 Honeywell study indicated that 51% of USB-based threats could cause major disruption in enterprise and industrial environments, highlighting the continued importance of physical security controls.
Third-party risk has doubled year-over-year, with nearly 30% of incidents linked to vendor compromise. Supply chain attacks targeting retailers and manufacturers have become increasingly common, demonstrating how attackers are exploiting trust relationships between organizations and their service providers. This trend emphasizes the critical need for robust vendor risk management programs and comprehensive third-party security assessments.
Despite a 35% year-over-year drop in reported ransom payments, ransomware remains highly active with more than 4,000 claimed breaches globally in the first half of 2025. Groups including CL0P, AKIRA, and QILIN continue to target organizations across sectors, though their tactics have evolved to include more sophisticated initial access methods. The decrease in payments may reflect improved organizational resilience and better incident response capabilities rather than reduced threat activity.
Craig Jones, Chief Security Officer at Ontinue, noted that cybercriminals are operating with the speed and adaptability of modern businesses, pivoting and retooling their tactics in weeks rather than months. The report emphasizes that organizations cannot approach security as a static project but must implement continuous, intelligence-led processes. Balazs Greksza, Director of Threat Response at Ontinue, added that attackers are blending technical skill with human-focused tactics, leveraging trusted vendors and manipulating identities to exploit small configuration gaps that escalate into major incidents.
The full Ontinue 1H 2025 Threat Intelligence Report outlines practical defensive measures including phishing-resistant MFA, hardened endpoint configurations, and robust vendor risk management. It stresses the importance of integrating real-world threat intelligence into security testing to ensure defenses match current adversary techniques. The findings demonstrate that closing the gap between simulated testing and actual adversary behavior is essential, particularly in cloud environments where persistence and evasion tactics are rapidly evolving.
Source Statement
This news article relied primarily on a press release distributed by citybiz. You can read the source press release here.
