Findings Show 70% of Phishing Attachments Used Non-Traditional Formats, USB Malware Rose 27%, and 40% of Azure Intrusions Involved Layered Persistence
REDWOOD CITY, Calif., Sept. 23, 2025 /PRNewswire/ — Ontinue, a leading provider of AI-powered managed extended detection and response (MXDR) services and winner of the 2023 Microsoft Security Services Innovator of the Year award, today announced the release of its 1H 2025 Threat Intelligence Report, offering an in-depth look at the most significant cybersecurity developments in the first half of the year. The findings highlight a sharp rise in MFA-bypassing identity attacks and exploitation of security blindspots. Within the report, the Advanced Threat Operations team analyzes ransomware activity, phishing-as-a-service (PhaaS) operations, infostealer malware, advanced persistent threats (APTs), and the growing role of third-party compromise in major breaches.
The findings reveal that while ransomware remains one of the most disruptive threats, adversaries are increasingly focused on identity-based attacks in the cloud, persistence in Azure environments, and even “back to basics” tactics like USB-delivered malware.
Key Findings in 1H 2025:
- Cloud persistence tactics surged: Nearly 40% of Azure intrusions investigated by Ontinue involved adversaries layering multiple persistence methods (application + automation job + role escalation). Median dwell time exceeded 21 days when attackers suppressed telemetry.
- Token replay abuse continues: Roughly 20% of live incidents involved adversaries reusing stolen refresh tokens to bypass MFA, even after password resets.
- Non-traditional phishing payloads dominated: Over 70% of attachments bypassing secure email gateways were formats like SVG or IMG, not traditional Office documents.
- USB malware resurfaces: Ontinue observed a 27% increase in USB-borne malware compared to late 2024, reinforcing the ongoing risk of removable media. A 2024 Honeywell study showed 51% of USB-based threats could cause major disruption in enterprise and industrial environments.
- Third-party risk doubled YoY: Nearly 30% of incidents were linked to vendor compromise, including supply chain attacks targeting retailers and manufacturers.
- Ransomware remains active: Despite a 35% YoY drop in reported ransom payments, there were more than 4,000 claimed ransomware breaches globally in H1 2025, led by CL0P, AKIRA, and QILIN.
“Cybercriminals are operating with the speed and adaptability of modern businesses. They pivot, rebrand, and retool in weeks, not months,” said Craig Jones, Chief Security Officer at Ontinue. “In the first half of 2025, we’ve seen ransomware operators overcome takedowns, PhaaS services scale globally, and state-aligned actors target the private sector with increasing precision. Organisations can’t afford to approach security as a static project; it’s a continuous, intelligence-led process.”
“The attackers we track are blending technical skill with human-focused tactics, leveraging trusted vendors, manipulating identities, and exploiting small configuration gaps that snowball into major incidents,” commented Balazs Greksza, Director of Threat Response at Ontinue. “The organizations that fare best are those that build resilience into every layer of their environment, from identity controls to incident response.”
The Ontinue 1H 2025 Threat Intelligence Report also outlines practical defensive measures, including phishing-resistant MFA, hardened endpoint configurations, and robust vendor risk management. It emphasizes integrating real-world threat intelligence into security testing to ensure that defenses match current adversary techniques. The findings also make clear that organizations cannot rely solely on simulated testing or isolated defenses. Closing the gap between red team exercises and real-world adversary behavior is essential, particularly in cloud environments where persistence and evasion tactics are rapidly evolving. At the same time, security fundamentals such as restricting USB usage, hardening configurations, and reinforcing user training remain critical.
The full report is available for download here.
Related Resources:
- Read Ontinue’s full 1H 2025 Threat Intelligence Report.
- Explore the Ontinue blog for deeper dives into ransomware, identity-based attacks, and USB malware trends.
- Learn more about how Ontinue helps organizations operationalize threat intelligence through its AI-powered ION MXDR service.
About Ontinue
Ontinue is a leading provider of AI-powered managed extended detection and response (MXDR) services, empowering modern organizations to securely embrace their digital future. We’re on a mission to redefine managed security operations with Nonstop SecOps, a 24/7 approach that delivers continuous protection through trust and innovation.
Ontinue ION leverages an AI-powered platform, human expertise, and our customers’ Microsoft tools to deliver tailored protection that conforms to each environment and operation. The result is fast threat detection and response, and continuous security posture hardening.
Continuous Trust. Continuous Innovation. Continuous Empowerment.
That’s Nonstop SecOps from Ontinue.
Ontinue PR Contacts:
Alison Raymond
[email protected]
ICR:
Nathaniel Hawthorne
[email protected]
View original content to download multimedia: https://www.prnewswire.com/news-releases/ontinue-1h-2025-threat-intelligence-report-highlights-rise-of-mfa-breaking-identity-attacks-and-exploitation-of-overlooked-gaps-302563653.html
SOURCE Ontinue