Ontinue, a leading provider of AI-powered managed extended detection and response (MXDR) services and winner of the 2023 Microsoft Security Services Innovator of the Year award, has officially published the results of its 1H 2025 Threat Intelligence Report, which offers an in-depth look at the most significant cybersecurity developments of the first half of 2025.
Going by the available details, the report shows how MFA-bypassing identity attacks and the exploitation of security blind spots rose sharply during that period. Ransomware activity, phishing-as-a-service (PhaaS) operations, infostealer malware, advanced persistent threats (APTs), and the growing role of third-party compromise were identified as the biggest drivers of that rise.
“The attackers we track are blending technical skill with human-focused tactics, leveraging trusted vendors, manipulating identities, and exploiting small configuration gaps that snowball into major incidents,” said Balazs Greksza, Director of Threat Response at Ontinue. “The organizations that fare best are those that build resilience into every layer of their environment, from identity controls to incident response.”
Looking at the report in a little more depth, we begin with a surge in cloud persistence tactics. An estimated 40% of Azure intrusions investigated by Ontinue involved layering multiple persistence methods (application + automation job + role escalation). Median dwell time also exceeded 21 days when attackers suppressed telemetry.
Next up, the report reveals that in around 20% of live incidents, adversaries reused stolen refresh tokens to bypass MFA, even after password resets.
Another detail worth a mention is the growing prevalence of non-traditional phishing payloads: over 70% of attachments that bypassed secure email gateways used formats such as SVG or IMG.
Beyond that, the report also found a 27% increase in USB-borne malware compared to late 2024, reinforcing the ongoing risk of removable media. That finding is an interesting follow-up to a 2024 Honeywell study, which found that 51% of USB-based threats could cause major disruption in enterprise and industrial environments.
Hold on, we still have a couple of bits left to unpack, since we haven’t yet touched upon a 2X year-over-year (YoY) uptick in third-party risks.
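One defender-side check for the pattern above, as an added example that is not part of the report or this article: given sign-in events that record when the backing refresh token was issued, flag any session that keeps using a token minted before the user's most recent password reset, since such a session never re-proved MFA. The event fields and the sample data are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass
class SignIn:
    user: str
    at: datetime               # when the sign-in was accepted
    token_issued_at: datetime  # when the refresh token behind it was minted
    ip: str


# Constructed sample data: one recorded password reset and a few sign-ins.
PASSWORD_RESETS = {
    "alice@example.test": datetime(2025, 3, 10, 12, 0, tzinfo=UTC),
}

SIGN_INS = [
    # Before the reset: old token, expected.
    SignIn("alice@example.test", datetime(2025, 3, 9, 9, 0, tzinfo=UTC),
           datetime(2025, 3, 1, 8, 0, tzinfo=UTC), "203.0.113.5"),
    # After the reset, but still on the pre-reset token: suspicious.
    SignIn("alice@example.test", datetime(2025, 3, 10, 13, 0, tzinfo=UTC),
           datetime(2025, 3, 1, 8, 0, tzinfo=UTC), "198.51.100.7"),
    # After the reset on a freshly issued token: expected.
    SignIn("alice@example.test", datetime(2025, 3, 11, 8, 30, tzinfo=UTC),
           datetime(2025, 3, 10, 12, 5, tzinfo=UTC), "203.0.113.5"),
    # Two days later, same stale token, same unfamiliar address: suspicious.
    SignIn("alice@example.test", datetime(2025, 3, 12, 22, 15, tzinfo=UTC),
           datetime(2025, 3, 1, 8, 0, tzinfo=UTC), "198.51.100.7"),
    # No reset on record for this user, so nothing to compare against.
    SignIn("bob@example.test", datetime(2025, 3, 12, 10, 0, tzinfo=UTC),
           datetime(2025, 2, 20, 7, 0, tzinfo=UTC), "203.0.113.9"),
]


def stale_token_signins(events, resets):
    """Return sign-ins accepted after a user's latest password reset that
    were backed by a refresh token issued before that reset."""
    hits = []
    for e in events:
        reset = resets.get(e.user)
        if reset is None:
            continue
        if e.at > reset and e.token_issued_at < reset:
            hits.append(e)
    return hits
```

A non-empty result means the reset did not invalidate existing refresh tokens; revoking them as part of the reset closes the gap the report describes.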
Rounding up highlights would be the fact that, even with a 35% YoY drop in reported ransom payments, there were more than 4,000 claimed ransomware breaches globally during H1 2025, led by CL0P, AKIRA, and QILIN.
Among other things, it ought to be acknowledged that Ontinue’s 1H 2025 Threat Intelligence Report outlines practical defensive measures, including phishing-resistant MFA, hardened endpoint configurations, and robust vendor risk management. In case that wasn’t enough, the report also stresses the importance of integrating real-world threat intelligence into security testing, so that defenses keep up with current adversary techniques.
“Cybercriminals are operating with the speed and adaptability of modern businesses. They pivot, rebrand, and retool in weeks, not months,” said Craig Jones, Chief Security Officer at Ontinue. “In the first half of 2025, we’ve seen ransomware operators overcome takedowns, PhaaS services scale globally, and state-aligned actors target the private sector with increasing precision. Organizations can’t afford to approach security as a static project; it’s a continuous, intelligence-led process.”