
Cyber Threats in 2025: Why Identity, Cloud Persistence, and Old-School Malware Still Matter

The first half of 2025 has confirmed what many cybersecurity leaders already know: attackers are adapting faster than ever, combining cutting-edge cloud persistence with surprisingly simple techniques that have been around for decades. Ontinue’s 1H 2025 Threat Intelligence Report shows that while ransomware continues to dominate headlines, the more urgent story for defenders is the rise of MFA-bypassing identity attacks, token replay abuse, and the re-emergence of USB-delivered malware.

These trends highlight a clear message. The threat landscape is not defined solely by novel exploits or sophisticated campaigns. It is shaped by the way adversaries blend new tactics with old weaknesses, always looking for the easiest path to compromise. For CISOs and security leaders, this means focusing not just on the latest technology but also on closing the fundamental gaps that adversaries never stop testing.

Identity as the New Battleground

The report shows that attackers are increasingly targeting identity systems. Nearly 40 percent of Azure intrusions investigated by Ontinue involved layered persistence methods, such as combining application registrations with automation jobs and role escalations. About one in five incidents leveraged refresh token replay: a stolen refresh token keeps minting fresh access tokens, MFA claim included, so the adversary retains access even after the password has been reset and until the token itself is revoked.

These tactics exploit the reality that many organizations still struggle to detect and revoke compromised tokens or to continuously monitor for unusual persistence in cloud environments. Red team exercises often stop short of demonstrating the long-term impact of such techniques because of scope or safety constraints. Real-world attackers face no such limitations. They replay tokens indefinitely, disable diagnostic settings so that logs stop reaching the SIEM, and tamper with Conditional Access policies to extend dwell times, which now average more than three weeks in cloud intrusions.

This underscores the importance of treating identity as the true perimeter. The security of Microsoft Entra ID (formerly Azure AD), privileged roles, and application registrations must be tested and monitored with the same rigor as traditional network and endpoint defenses.
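The two behaviors above, a refresh token redeemed from somewhere other than the session's origin (or after a password reset) and audit events that weaken logging or Conditional Access, are both detectable from sign-in and audit logs. The following is an added illustration of that detection logic, not Ontinue's detection content. The records are constructed; field names follow the Microsoft Graph signIn and directoryAudit resources, but the activity-name strings and the folding of Azure activity-log operations into the same stream are assumptions to validate against a real tenant.

```python
"""Detection logic for refresh-token replay and cloud persistence tampering.

Added example, not Ontinue's tooling. Records are constructed; activity
names and the use of a single normalised event stream are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Assumed activity names; confirm against your tenant's audit logs.
PASSWORD_RESET_ACTIVITIES = {"Reset password (by admin)", "Change user password", "Reset user password"}
TAMPERING_ACTIVITIES = {
    "Update conditional access policy",
    "Delete conditional access policy",
    # Azure activity-log operation names, assumed normalised into the same stream.
    "Microsoft.Insights/diagnosticSettings/delete",
    "Microsoft.Insights/diagnosticSettings/write",
}


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_identity_abuse(sign_ins, audits):
    """Return a de-duplicated list of (rule, user, detail) findings."""
    findings, seen = [], set()

    def add(rule, user, detail):
        if (rule, user, detail) not in seen:
            seen.add((rule, user, detail))
            findings.append((rule, user, detail))

    # 1. Collect password resets per user and flag persistence tampering.
    resets = defaultdict(list)
    for a in audits:
        name = a["activityDisplayName"]
        if name in PASSWORD_RESET_ACTIVITIES:
            resets[a["targetUser"]].append(parse_ts(a["activityDateTime"]))
        elif name in TAMPERING_ACTIVITIES:
            add("persistence_tampering", a["initiatedBy"], name)

    # 2. Walk sign-ins in time order; the first event for a sessionId is
    #    treated as the interactive sign-in that minted the session.
    sessions = {}  # sessionId -> (first_seen, origin_ip)
    for s in sorted(sign_ins, key=lambda r: r["createdDateTime"]):
        t = parse_ts(s["createdDateTime"])
        sid, user = s["sessionId"], s["userPrincipalName"]
        if sid not in sessions:
            sessions[sid] = (t, s["ipAddress"])
            continue
        if s.get("incomingTokenType") != "refreshToken":
            continue
        first_seen, origin_ip = sessions[sid]
        # Refresh token redeemed from a different address than the session origin.
        if s["ipAddress"] != origin_ip:
            add("token_replay_new_ip", user, f"{sid}: {origin_ip} -> {s['ipAddress']}")
        # Refresh token still being redeemed after the user's password was reset.
        if any(first_seen < r < t for r in resets.get(user, [])):
            add("token_survived_reset", user, sid)
    return findings


# Constructed sample records (not real tenant data).
SIGN_INS = [
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2025-03-01T08:00:00Z",
     "ipAddress": "203.0.113.10", "sessionId": "sess-a1", "incomingTokenType": "none"},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2025-03-01T12:00:00Z",
     "ipAddress": "203.0.113.10", "sessionId": "sess-a1", "incomingTokenType": "refreshToken"},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2025-03-02T03:00:00Z",
     "ipAddress": "198.51.100.7", "sessionId": "sess-a1", "incomingTokenType": "refreshToken"},
    {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2025-03-02T10:30:00Z",
     "ipAddress": "198.51.100.7", "sessionId": "sess-a1", "incomingTokenType": "refreshToken"},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2025-03-01T09:00:00Z",
     "ipAddress": "203.0.113.20", "sessionId": "sess-b1", "incomingTokenType": "none"},
    {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2025-03-01T15:00:00Z",
     "ipAddress": "203.0.113.20", "sessionId": "sess-b1", "incomingTokenType": "refreshToken"},
]
AUDITS = [
    {"activityDisplayName": "Reset password (by admin)", "activityDateTime": "2025-03-02T09:00:00Z",
     "targetUser": "alice@contoso.example", "initiatedBy": "helpdesk@contoso.example"},
    {"activityDisplayName": "Update conditional access policy", "activityDateTime": "2025-03-02T10:35:00Z",
     "targetUser": "", "initiatedBy": "alice@contoso.example"},
]

if __name__ == "__main__":
    for rule, user, detail in detect_identity_abuse(SIGN_INS, AUDITS):
        print(f"{rule:24} {user:24} {detail}")
```

On the sample data this raises three findings, all for alice: a refresh token redeemed from a new address, the same token still working after the help-desk reset, and a Conditional Access change made from the hijacked session. Bob's ordinary refresh from his original address raises nothing. The "survived reset" rule is the one to act on immediately: the response is to revoke the user's sessions, not just rotate the password.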

Phishing: Old Technique, New Formats

Phishing continues to evolve as well. More than 70 percent of attachments that bypassed secure email gateways in the first half of 2025 were non-traditional formats such as SVG or disk image (IMG) files, not the Office macros or executable payloads defenders may expect. An SVG is XML that can carry script and hyperlinks, and a disk image mounts as a drive when the recipient opens it. Attackers are using these formats to embed scripts or redirects that lead victims directly into adversary-in-the-middle sites, harvesting both credentials and session tokens in a single step.

This matters because it shows that security leaders cannot rely on past assumptions about phishing detection. Email defenses must be tuned to inspect emerging file types, and user education must reflect the reality that attackers will continue to innovate in how they package lures.
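Because an SVG is plain XML, the inspection the paragraph asks for can be done statically: look for script elements, event-handler attributes, embedded HTML and links that leave the organization. The block below is an added example of such a triage check, not code from the report or any gateway product; the two attachments are constructed, and the allowlist of link hosts is an assumed per-organization setting. It covers SVG only; a disk image has to be mounted or parsed with an image library before its contents can be examined.

```python
"""Static triage of SVG e-mail attachments for script, event handlers and redirects.

Added example, not from the report. The attachments are constructed. The
standard-library parser is used for portability; in production, feed
untrusted XML through defusedxml to avoid entity-expansion attacks.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

HTML_EMBEDS = {"iframe", "embed", "object"}   # only legal inside foreignObject


def local_name(qualified):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def inspect_svg(data, allowed_hosts=()):
    """Return a list of (indicator, detail) tuples; an empty list means nothing suspicious."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [("unparseable", str(exc))]
    if local_name(root.tag) != "svg":
        findings.append(("not_svg_root", local_name(root.tag)))
    for elem in root.iter():
        name = local_name(elem.tag)
        if name == "script":
            findings.append(("script_element", (elem.text or "").strip()[:60]))
        elif name == "foreignObject":
            findings.append(("foreign_object", "can wrap arbitrary HTML"))
        elif name in HTML_EMBEDS:
            findings.append(("html_embed", name))
        for attr, value in elem.attrib.items():
            a = local_name(attr).lower()
            if a.startswith("on"):                       # onload, onclick, ...
                findings.append(("event_handler", f"<{name} {a}>"))
            elif a == "href":                            # href or xlink:href
                target = value.strip()
                url = urlparse(target)                   # scheme is lower-cased by urlparse
                if url.scheme == "javascript":
                    findings.append(("javascript_uri", target[:60]))
                elif url.scheme in ("http", "https") and url.hostname not in allowed_hosts:
                    findings.append(("external_link", target))
                elif url.scheme == "data":
                    findings.append(("data_uri", target[:40]))
    return findings


def is_suspicious(data, allowed_hosts=()):
    """Gateway-style verdict: quarantine anything that produces at least one indicator."""
    return bool(inspect_svg(data, allowed_hosts))


# Constructed samples: a harmless icon and a lure that redirects on open.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><circle cx="5" cy="5" r="4"/></svg>'

LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="go()">
  <script>window.location = atob("aHR0cHM6Ly9sb2dpbi4...");</script>
  <a xlink:href="https://login.contoso-docs.invalid/"><text y="20">Open secure document</text></a>
</svg>"""

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, is_suspicious(blob), inspect_svg(blob))
```

The lure trips three indicators (an onload handler, a script element and an external link), the icon none. A gateway rule built on this would quarantine on any indicator rather than scoring them, since a legitimate e-mail attachment has no business carrying script at all.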

The Return of USB Malware

Perhaps the most surprising trend is the resurgence of USB-borne malware. Ontinue observed a 27 percent increase in USB-delivered malware compared to the second half of 2024. According to research, more than half of USB-based threats have the potential to cause significant disruption to enterprise and industrial environments.

Despite years of progress in endpoint protection, many organizations still allow removable media without strong controls. This is an area where human behavior and organizational policy matter as much as technology. One unmonitored USB drive can bypass network-based defenses entirely, delivering malware directly onto a corporate workstation.

For security leaders, the implication is clear. Basic controls like restricting USB usage, removing unnecessary administrative privileges, and monitoring for unusual device connections remain critical. Advanced defenses cannot compensate for neglecting fundamentals.
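"Monitoring for unusual device connections" can start with the logs a host already writes. The block below is an added example, not from the report: it correlates the lines the Linux USB core and usb-storage driver print when a device is plugged in and alerts on any mass-storage device whose vendor ID, product ID and serial number are not on an approved list. The log lines are constructed, and keying the allowlist on that triple is an assumption about how a given organization tracks approved media.

```python
"""Allowlist check for removable-storage devices seen in Linux kernel logs.

Added example, not from the report. Log lines are constructed but follow
the messages printed by the Linux USB core and the usb-storage driver.
The (vid, pid, serial) allowlist is an assumed organisational inventory.
"""
import re

NEW_DEVICE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
SERIAL = re.compile(r"usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
MASS_STORAGE = re.compile(r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


def audit_removable_media(lines, allowlist):
    """Return one alert dict per mass-storage device not present in allowlist.

    The kernel prints the identifiers, the serial number and the usb-storage
    attach on separate lines, so devices are correlated by bus port ("1-2").
    Keyboards and other non-storage devices never reach the allowlist check.
    """
    devices = {}   # port -> {"vid", "pid", "serial"}
    alerts = []
    for line in lines:
        if m := NEW_DEVICE.search(line):
            devices[m["port"]] = {"vid": m["vid"], "pid": m["pid"], "serial": None}
        elif m := SERIAL.search(line):
            if m["port"] in devices:
                devices[m["port"]]["serial"] = m["serial"]
        elif m := MASS_STORAGE.search(line):
            dev = devices.get(m["port"])
            if dev is None:
                continue   # attach without a preceding enumeration line; nothing to key on
            if (dev["vid"], dev["pid"], dev["serial"]) not in allowlist:
                alerts.append({"port": m["port"], **dev})
    return alerts


# Constructed kernel log excerpt: a keyboard, an unknown flash drive, an approved drive.
KERNEL_LOG = [
    "kernel: usb 1-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00",
    "kernel: usb 1-1: Product: USB Keyboard",
    "kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00",
    "kernel: usb 1-2: Product: Ultra Fit",
    "kernel: usb 1-2: SerialNumber: 4C530001",
    "kernel: usb-storage 1-2:1.0: USB Mass Storage device detected",
    "kernel: usb 1-3: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10",
    "kernel: usb 1-3: SerialNumber: APPROVED001",
    "kernel: usb-storage 1-3:1.0: USB Mass Storage device detected",
]
ALLOWLIST = {("0951", "1666", "APPROVED001")}   # assumed inventory of issued drives

if __name__ == "__main__":
    for alert in audit_removable_media(KERNEL_LOG, ALLOWLIST):
        print("unapproved removable media:", alert)
```

Only the second device is reported; the keyboard is not storage and the third drive is on the list. Detection of this kind complements, rather than replaces, a deny-by-default policy: on Windows the equivalent control is the Removable Storage Access group policy, and on Linux a udev rule that refuses to bind usb-storage to devices outside the inventory.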

Third-Party Risk and the Expanding Attack Surface

The report also shows that third-party breaches doubled year over year, now implicated in nearly 30 percent of incidents. As organizations continue to depend on external providers for IT, cloud, and operational services, these relationships create new opportunities for adversaries.

Vendor risk management can no longer be a compliance checkbox. It must be an operational reality, with continuous oversight, access restrictions, and joint incident response planning.

Why These Findings Matter

The significance of these findings lies in what they say about adversary behavior. Attackers are pragmatic. They do not limit themselves to sophisticated exploits when simple gaps are available. They combine token replay with cloud persistence, phishing with overlooked file types, and ransomware with weak vendor controls. They use whatever mix of old and new techniques will maximize their chances of monetization.

This means that defending against today’s adversaries requires a dual focus. Organizations must invest in advanced detection and response capabilities for cloud identity, persistence, and token abuse. At the same time, they must not neglect foundational practices like USB restrictions, endpoint hygiene, and user awareness.

Looking Ahead

Ontinue’s 1H 2025 Threat Intelligence Report is not only a reflection of where attackers have been successful but also a roadmap for where defenders must adapt. Closing the gap between red team exercises and real adversary behavior is a priority. So is reinforcing the basics that remain surprisingly effective for attackers.

In the weeks ahead, we will publish a series of blogs diving deeper into each of these trends, including ransomware operations, phishing-as-a-service platforms, and APTs.

For CISOs, the key takeaway is this: cyber resilience is built not just on advanced tools but on disciplined execution across every layer of the environment. From identity to endpoints to vendors, the fundamentals matter as much as the innovations.

Read the full report.