Ontinue Report Reveals Critical Shift in Cyber Threats with Surge in Identity Attacks and Cloud Exploitation

Ontinue's 1H 2025 Threat Intelligence Report exposes a dramatic increase in MFA-bypassing identity attacks and sophisticated cloud persistence tactics, highlighting the urgent need for organizations to adapt their security strategies against evolving cybercriminal methods.

September 23, 2025

The cybersecurity landscape has undergone a significant transformation in the first half of 2025, with threat actors increasingly focusing on identity-based attacks and sophisticated cloud persistence techniques, according to the latest threat intelligence report from Ontinue. The findings reveal that adversaries are moving beyond traditional ransomware attacks to exploit security blind spots and bypass multi-factor authentication (MFA) protections with alarming success rates.

One of the most concerning trends identified in the report is the surge in cloud persistence tactics, with nearly 40% of Azure intrusions involving adversaries layering multiple persistence methods, including application manipulation, automation job interference, and role escalation. When attackers successfully suppressed telemetry, the median dwell time exceeded 21 days, providing ample opportunity for data exfiltration and system compromise. The report also highlights the continued abuse of token replay, with approximately 20% of live incidents involving adversaries reusing stolen refresh tokens to bypass MFA even after password resets had been performed.
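The token replay pattern described above has a simple detection signature for defenders: a refresh token that was minted before an account's password reset but is still being exchanged after it. The following is an added example, not code from the Ontinue report; the event fields (`token_issued_at`, `used_at`, `source_ip`), the user names and every timestamp are constructed for illustration and do not follow any vendor's log schema.

```python
"""Added example (not from the Ontinue report): flag refresh-token use that
post-dates a password reset while the token itself pre-dates it.

All events, users and timestamps below are constructed; the field names are
assumptions, not a vendor's sign-in log schema.
"""
from dataclasses import dataclass
from datetime import datetime


def ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as '2025-03-01T10:00:00Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


@dataclass(frozen=True)
class TokenUse:
    user: str
    token_issued_at: datetime   # when the refresh token was originally minted
    used_at: datetime           # when it was exchanged for a new access token
    source_ip: str


# Constructed password-reset times per user (as an identity provider's audit log would record them).
PASSWORD_RESETS = {
    "alice@example.test": ts("2025-03-02T09:00:00Z"),
    "bob@example.test": ts("2025-03-02T09:30:00Z"),
}

# Constructed token-use events. Comments mark the ones a reviewer should catch.
EVENTS = [
    TokenUse("alice@example.test", ts("2025-03-01T08:00:00Z"), ts("2025-03-01T12:00:00Z"), "203.0.113.5"),
    TokenUse("alice@example.test", ts("2025-03-01T08:00:00Z"), ts("2025-03-03T02:15:00Z"), "198.51.100.7"),  # old token used after reset
    TokenUse("alice@example.test", ts("2025-03-02T09:05:00Z"), ts("2025-03-03T08:00:00Z"), "203.0.113.5"),  # token minted after reset: fine
    TokenUse("bob@example.test", ts("2025-03-01T20:00:00Z"), ts("2025-03-02T10:00:00Z"), "198.51.100.9"),   # old token used after reset
    TokenUse("carol@example.test", ts("2025-03-01T20:00:00Z"), ts("2025-03-04T10:00:00Z"), "203.0.113.8"),  # no reset on record
]


def find_replayed_tokens(events, resets):
    """Return events where a token minted before the user's password reset is
    still being used after the reset. A reset that does not also revoke
    outstanding refresh tokens leaves exactly this window open."""
    hits = []
    for e in events:
        reset_at = resets.get(e.user)
        if reset_at is None:
            continue
        if e.token_issued_at < reset_at < e.used_at:
            hits.append(e)
    return hits


def summarize(hits):
    """Group suspicious uses per account so an analyst sees one entry per user."""
    by_user = {}
    for e in hits:
        by_user.setdefault(e.user, []).append((e.used_at.isoformat(), e.source_ip))
    return by_user


if __name__ == "__main__":
    for user, uses in summarize(find_replayed_tokens(EVENTS, PASSWORD_RESETS)).items():
        print(f"{user}: {len(uses)} token use(s) after password reset; revoke sessions")
        for used_at, ip in uses:
            print(f"  {used_at} from {ip}")
```

The check is deliberately conservative: it only fires when the identity provider's own timestamps show the token predates the reset, so it produces no noise for tokens legitimately issued after the user re-authenticated. The operational fix the report's finding implies is to revoke refresh tokens as part of every password reset rather than relying on the reset alone.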

Phishing attacks have evolved significantly, with over 70% of attachments bypassing secure email gateways being non-traditional formats like SVG or IMG files rather than conventional Office documents. This shift demonstrates attackers' adaptability in circumventing established security controls. Simultaneously, there has been a surprising resurgence of USB-borne malware, with Ontinue observing a 27% increase compared to late 2024. A 2024 Honeywell study referenced in the report indicated that 51% of USB-based threats could cause major disruption in enterprise and industrial environments.
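SVG attachments slip past controls tuned for Office documents because an SVG is XML that may carry scripts, event handlers and clickable links. The following screening routine is an added example, not code from the Ontinue report; the three sample SVGs are constructed (the script body and link target are harmless placeholders), and the severity labels are this example's own.

```python
"""Added example (not from the Ontinue report): inspect SVG attachments for
active content before delivery. Sample SVGs below are constructed."""
import xml.etree.ElementTree as ET

# Element types that let an SVG run code or embed HTML.
RISKY_TAGS = {"script", "foreignobject", "iframe"}
# URI schemes that execute rather than navigate when placed in an href.
RISKY_URI_SCHEMES = ("javascript:", "data:")


def local(name: str) -> str:
    """Strip an XML namespace prefix: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(svg_text: str):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable SVG: {exc}"]

    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in RISKY_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local(attr)
            v = value.strip().lower()
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and v.startswith(RISKY_URI_SCHEMES):
                findings.append(f"{v.split(':', 1)[0]}: URI on <{tag}>")
            elif name == "href" and v.startswith(("http://", "https://")):
                findings.append(f"external link on <{tag}>: {value.strip()}")
    return findings


def should_quarantine(svg_text: str) -> bool:
    """Quarantine anything that produced a finding, including SVGs that fail to parse."""
    return bool(svg_findings(svg_text))


# Constructed samples.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<rect width="10" height="10" fill="blue"/></svg>'
)
SCRIPTED_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" onload="go()">'
    '<script>function go(){}</script></svg>'
)
LINK_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<a xlink:href="https://example.test/login"><text>Open document</text></a></svg>'
)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("scripted", SCRIPTED_SVG), ("link", LINK_SVG)):
        print(label, "->", svg_findings(doc) or "clean")
```

Because `root.iter()` walks every element, a handler buried several levels deep is caught as readily as one on the root. Treating an unparseable file as a finding matters too: a malformed SVG that a strict parser rejects may still render in a browser, so failing open on parse errors would recreate the blind spot the gateway already has.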

Third-party risk has emerged as a critical vulnerability, with nearly 30% of incidents linked to vendor compromise, including supply chain attacks targeting retailers and manufacturers. This represents a doubling year-over-year, highlighting the expanding attack surface through business partnerships and supply chain dependencies. While ransomware activity showed a 35% year-over-year drop in reported ransom payments, there were still more than 4,000 claimed ransomware breaches globally in H1 2025, led by prominent groups including CL0P, AKIRA, and QILIN.

Craig Jones, Chief Security Officer at Ontinue, emphasized the evolving nature of cyber threats, stating that cybercriminals are operating with the speed and adaptability of modern businesses, pivoting, rebranding, and retooling in weeks rather than months. The report outlines practical defensive measures including phishing-resistant MFA, hardened endpoint configurations, and robust vendor risk management. It emphasizes integrating real-world threat intelligence into security testing to ensure defenses match current adversary techniques, particularly in cloud environments where persistence and evasion tactics are rapidly evolving. The full analysis is available in the Ontinue 1H 2025 Threat Intelligence Report.

Balazs Greksza, Director of Threat Response at Ontinue, noted that attackers are blending technical skill with human-focused tactics, leveraging trusted vendors, manipulating identities, and exploiting small configuration gaps that escalate into major incidents. The report stresses that organizations cannot rely solely on simulated testing or isolated defenses, and must close the gap between red team exercises and real-world adversary behavior. Security fundamentals like restricting USB usage, hardening configurations, and reinforcing user training remain critical components of a comprehensive defense strategy. Additional insights into these evolving threats can be found on the Ontinue blog, which provides deeper analysis of ransomware, identity-based attacks, and USB malware trends.