
Cloud-based security service provider Ontinue recently published the 1H 2025 Threat Intelligence Report, which explores the most common cyber risks from the first half of the year. The major findings include threat actors increasingly focusing on token replay, persistence in Azure environments, unconventional formats for malicious attachments, a resurgence in malicious USBs, and third-party compromise.
Attackers are increasingly valuing reliability over novelty, relying on tried-and-true methods while shifting tactics to account for modern trends. The report shows that multi-factor authentication (MFA) alone does not effectively protect against these threats.
Method and Scope
Ontinue analyzed threat data from 1H 2025 using live incidents observed through its managed detection and response (MDR) and managed extended detection and response (MXDR) operations. While this is a significant amount of data, it is not necessarily representative of the threats facing all systems: the enterprises in the dataset largely share a Microsoft-centric cloud footprint, which may skew the findings toward those systems.
MFA Isn’t Broken—Your Tokens Are
According to the report, around 20% of incidents used refresh-token replay to bypass MFA, enabling threat persistence even after password resets. Token replay works by capturing a victim’s bearer tokens and presenting them again, so the attacker inherits an already-authenticated session without ever completing MFA.
This exposes startling gaps in defense: conditional access coverage, incomplete token revocation, and a lack of continuous session monitoring. Organizations should consult expert guidance on token theft trends and on mitigating token theft, such as implementing zero-trust principles and effective monitoring and training measures.
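The two signals that continuous session monitoring can catch, a token presented from somewhere it was never issued and a token that outlives a password reset, as an added example written for this summary (not code from the report or from Ontinue); the sign-in records are constructed, and the field names are a simplified stand-in for whatever your identity provider logs.

```python
"""Spot refresh-token replay in sign-in telemetry. Added example, not from
the Ontinue report; the records are constructed in a simplified sign-in
log shape (session id = refresh-token family, user, client IP, device).
Real identity-provider logs carry equivalent fields under their own names."""
from dataclasses import dataclass
from datetime import datetime, timedelta

REPLAY = "session presented from a new device and IP"
SURVIVED = "session still valid after password reset"

@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str            # "signin" or "password_reset"
    session_id: str = ""
    ip: str = ""
    device: str = ""

def detect_token_replay(events):
    """Return sorted (session_id, reason) findings for the two signals the
    report describes: a token that travelled to another device, and a
    token that kept working after the user's password was reset."""
    first_seen = {}   # session_id -> (ip, device, first timestamp)
    reset_at = {}     # user -> timestamp of the latest password reset
    findings = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "password_reset":
            reset_at[ev.user] = ev.ts
            continue
        ip, dev, born = first_seen.setdefault(ev.session_id, (ev.ip, ev.device, ev.ts))
        # A new IP alone is normal roaming; a new IP *and* a new device is not.
        if ev.ip != ip and ev.device != dev:
            findings.add((ev.session_id, REPLAY))
        # Revocation should have killed any session older than the reset.
        if ev.user in reset_at and born < reset_at[ev.user] < ev.ts:
            findings.add((ev.session_id, SURVIVED))
    return sorted(findings)

def sample_events():
    """Constructed timeline: alice's token is replayed, then outlives her reset."""
    t = datetime(2025, 2, 10, 9, 0)
    m = lambda mins: t + timedelta(minutes=mins)
    return [
        Event(m(0), "alice", "signin", "S1", "203.0.113.10", "laptop-01"),
        Event(m(30), "alice", "signin", "S1", "198.51.100.7", "unknown-7"),
        Event(m(60), "alice", "password_reset"),
        Event(m(75), "alice", "signin", "S1", "198.51.100.7", "unknown-7"),
        Event(m(120), "bob", "signin", "S2", "203.0.113.20", "laptop-02"),
        Event(m(125), "bob", "signin", "S2", "203.0.113.21", "laptop-02"),
    ]
```

Bob’s session moving between two addresses on the same device produces no finding, which is the noise a naive IP-only rule would generate.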
Quiet in the Cloud: Layered Azure Persistence
The Ontinue report states that nearly 40% of Azure intrusions involved stacked persistence across multiple layers, such as app registrations, automation jobs, and role escalation. These threats dwell notably longer when telemetry is suppressed, which underscores the importance of enabling thorough telemetry in corporate environments.
Operationally, this can involve scheduled tasks being run and hidden roles being created. Red-team exercises often underplay these techniques because they operate in limited windows of time, whereas this kind of persistence is slow and patient, so such exercises rarely test an organization’s ability to detect a long-dwelling presence. Ontinue’s research observes these tactics playing out in the wild and identifies them as a significant threat.
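Detection logic for the stacking described here, and for the alerting on unusual role assignments and diagnostic suppression that the Recommendations section calls for, as an added example (not code from the report or from Ontinue): the control-plane records are constructed in a simplified Activity Log shape, and the operation-name strings are an assumption to confirm against your own tenant’s logs.

```python
"""Correlate Azure control-plane events into 'stacked persistence' alerts.
Added example, not from the Ontinue report. Records are constructed in a
simplified Activity Log shape (ts, caller, operationName); the operation
names follow Azure Activity Log naming, but verify them against your tenant."""
from collections import defaultdict
from datetime import datetime, timedelta

LAYERS = {   # persistence layers the report names, keyed by operation
    "Microsoft.Authorization/roleAssignments/write": "role escalation",
    "Microsoft.Automation/automationAccounts/runbooks/write": "automation job",
    "Microsoft.Insights/diagnosticSettings/delete": "telemetry suppression",
}
WINDOW = timedelta(hours=24)

def stacked_persistence_alerts(records):
    """Return sorted (caller, alert) pairs. A caller that touches two or
    more distinct layers within WINDOW is flagged as stacking persistence;
    telemetry suppression is always flagged on its own, because the report
    notes intrusions dwell longer once telemetry goes quiet."""
    by_caller = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        layer = LAYERS.get(r["operationName"])
        if layer:
            by_caller[r["caller"]].append((r["ts"], layer))
    alerts = set()
    for caller, hits in by_caller.items():
        best = set()
        for i, (t0, _) in enumerate(hits):   # largest layer set in any window
            layers = {lyr for t, lyr in hits[i:] if t - t0 <= WINDOW}
            if len(layers) > len(best):
                best = layers
        if len(best) >= 2:
            alerts.add((caller, "stacked persistence: " + ", ".join(sorted(best))))
        if any(lyr == "telemetry suppression" for _, lyr in hits):
            alerts.add((caller, "telemetry suppression"))
    return sorted(alerts)

def sample_records():
    """Constructed: one routine role write, then a principal stacking three layers."""
    t = datetime(2025, 3, 4, 8, 0)
    rec = lambda mins, caller, op: {"ts": t + timedelta(minutes=mins),
                                    "caller": caller, "operationName": op}
    return [
        rec(0, "svc-deploy", "Microsoft.Authorization/roleAssignments/write"),
        rec(5, "sp-7f3a", "Microsoft.Authorization/roleAssignments/write"),
        rec(40, "sp-7f3a", "Microsoft.Automation/automationAccounts/runbooks/write"),
        rec(55, "sp-7f3a", "Microsoft.Insights/diagnosticSettings/delete"),
    ]
```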
Phishing Pivots: The Rise of SVG/IMG Lures
Phishing remains a tried-and-true tactic that attackers are unlikely to abandon anytime soon, but they constantly shift and refine their methods to increase success and exploit current trends. Ontinue reports that more than 70% of phishing attachments that bypassed secure email gateways (SEGs) were non-traditional formats like SVG and IMG, rather than Office files or traditional malware.
These formats slip past email filters through embedded scripts and redirects, often leading to attacker-in-the-middle (AitM) kits that harvest credentials and tokens. They also get past human defenses because the files look nothing like the attachments users are taught to treat with suspicion. Protecting against these attacks means retraining both email filters and human users to detect and respond to non-Office phishing lures.
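What “retraining the email filter” for SVG looks like in practice, as an added example (not code from the report or from Ontinue): a triage check that flags the script, event-handler and link features an SVG lure needs and that plain vector art does not, run over two constructed samples whose link target is a placeholder rather than a real domain.

```python
"""Triage an SVG e-mail attachment for the lure features the report
describes (embedded scripts and redirects). Added example, not from the
report or from Ontinue; the sample SVGs below are constructed and the
link target is a placeholder, not a real domain."""
import xml.etree.ElementTree as ET

def _local(name):
    """Strip an XML namespace prefix: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]

def triage_svg(data: bytes):
    """Return sorted reasons to quarantine the file, or [] if it looks like
    plain vector art. Production code should parse with defusedxml (assumed
    available) so a crafted file cannot exhaust the parser first."""
    reasons = set()
    for el in ET.fromstring(data).iter():
        tag = _local(el.tag).lower()
        if tag == "script":
            reasons.add("embedded <script> element")
        if tag == "foreignobject":
            reasons.add("<foreignObject> can embed arbitrary HTML")
        for attr, value in el.attrib.items():
            name, v = _local(attr).lower(), value.strip().lower()
            if name.startswith("on"):
                reasons.add(f"event handler attribute {name}")
            elif name == "href" and v.startswith("javascript:"):
                reasons.add("javascript: URI in href")
            elif name == "href" and v.startswith(("http://", "https://")):
                reasons.add("external link target")
    return sorted(reasons)

# Constructed samples: a harmless icon, and a lure that is just text plus a
# redirect, which no signature for Office macros or executables will match.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="#36c"/></svg>')
LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <text x="10" y="20" onclick="void 0">Open secure document</text>
  <a xlink:href="https://example.invalid/"><rect width="100" height="20"/></a>
  <script>window.location = "https://example.invalid/";</script>
</svg>"""
```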
Back to Basics: USB is Back
Another notable trend in the report is a 27% increase in USB-borne malware versus late 2024 in Ontinue’s dataset. According to Honeywell’s 2024 USB Threat Report, 82% of detected USB malware has the potential to cause major disruptions, including “loss of view or loss of control to industrial control operators.” This positions USB threats as a significant risk to modern environments.
To mitigate the risks of malicious USB attacks, prioritize policy over polish: favor security over the convenience of unbounded USB use for business operations. This means restricting and monitoring removable-media usage and implementing safe-media workflows for OT and ICS environments.
Third-Party Ignition Points
The growing prevalence of deeply interconnected supply chains has also led to a rise in third-party risk. According to Ontinue, about 30% of the incidents analyzed for the report are linked to vendor compromise or supply chain vulnerabilities. Relationships between the many links in the supply chain often leave security governance and responsibility unclear, making it difficult for organizations to ensure secure connections with every third party.
Security controls often fail through over-permissioned integrations, weak offboarding, and insufficient continuous vendor oversight. Mistakes like these allow third-party risks to persist and grant deep access to sensitive systems. Practical countermeasures include least-privilege integrations, scoped tokens, and access reviews to cut unnecessary and overextended access, plus joint incident response playbooks for when third-party incidents arise.
Ransomware as an Outcome
Ransomware remains a long-term threat, but bad actors are evolving their tactics to increase success rates and payouts in an age of declining ransom payments. Identity compromise increasingly precedes encryption and extortion, making identity the pivot in these attacks. Attackers are also increasingly demanding ransoms in exchange for a promise to delete stolen data, rather than for a key that decrypts the data the ransomware encrypted. This makes paying even riskier than before, since there is no way to verify that the attackers have followed through.
This reframing of ransomware requires a reevaluation of budgets and KPIs in order to protect against it effectively. Traditional ransomware advice is no longer as successful as it once was. It is essential to shift focus from relying solely on endpoint detection and response to leveraging identity-first telemetry. “Organizations need to take an identity-first approach to security because at the heart of every breach, an attacker was able to compromise the right identity with the right level of privilege to achieve their objective,” says James Maude, Field CTO at BeyondTrust.
What to Watch Next (Q3–Q4 2025)
To keep pace with threat trends as they evolve, security teams should look to current and forward-looking threat intelligence. The second half of 2025 is likely to see growth in adversary-in-the-middle kits targeting tokens, more sophisticated Azure automation abuse, and secure email gateway (SEG) evasion via rich media. As defenses improve, metrics such as mean time to revoke tokens, reduction in service-principal sprawl, and the drop in non-Office malicious attachments should show movement.
Recommendations
To protect against current and evolving risks, organizations should take steps such as:
- Enforce phishing-resistant MFA and continuous token protection, including revoking tokens and using token binding where supported.
- Monitor and limit service principals and automation jobs, and configure security tools to alert on unusual role assignments and diagnostic suppression.
- Tune email defenses to analyze file types like SVG and IMG, and update user training examples to include these formats.
- Implement controlled removable-media workflows and block removable media by default on corporate endpoints.
- Treat vendor access like production code: apply least privilege, rotation, continuous review, and kill switches.