Ontinue, a leading provider of AI-powered managed extended detection and response (MXDR) services, released its 1H 2025 Threat Intelligence Report, detailing significant cybersecurity developments. The report highlights a sharp rise in MFA-bypassing identity attacks and exploitation of security blind spots, with adversaries increasingly focusing on cloud persistence and identity-based attacks.
Key findings include a surge in cloud persistence tactics, with nearly 40% of Azure intrusions involving multiple persistence methods and a median dwell time exceeding 21 days when telemetry was suppressed. Token replay abuse continues, with roughly 20% of incidents involving adversaries reusing stolen refresh tokens to bypass MFA even after password resets. Non-traditional phishing payloads dominated: over 70% of attachments that bypassed secure email gateways were formats such as SVG or IMG. USB-borne malware saw a 27% increase compared to late 2024, reinforcing the risk of removable media. Third-party risk doubled year-over-year, with nearly 30% of incidents linked to vendor compromise. Ransomware remains active, with over 4,000 claimed breaches globally in H1 2025.
Craig Jones, Chief Security Officer at Ontinue, noted that cybercriminals operate with speed and adaptability, pivoting and retooling in weeks. Balazs Greksza, Director of Threat Response, emphasized that attackers blend technical skill with human-focused tactics, exploiting small configuration gaps. The report recommends phishing-resistant MFA, hardened endpoint configurations, and robust vendor risk management, stressing the importance of integrating real-world threat intelligence into security testing.
For more details, the full report is available for download from Ontinue, and additional insights can be found on the Ontinue blog.