2025-09-23

Threat actors are increasingly leveraging layered persistence mechanisms, MFA-breaking token replay abuse and malware-laced USB devices for cyber intrusions, Ontinue revealed in its 1H 2025 Threat Intelligence Report published Tuesday.

The report highlights potential blind spots as attackers combine both new and old tactics and target privileged identities. Third-party risk is also highlighted in the report, which revealed that supply chain attacks doubled year-over-year, now making up about 30% of cyber incidents.

Ontinue’s investigation into Microsoft Azure cloud intrusions found that attackers layered multiple persistence methods in 40% of attacks, including by leveraging application registrations, automation jobs and role escalation, resulting in a median dwell time of 21 days when telemetry was successfully suppressed.

Additionally, refresh token replay was used in 20% of incidents, which not only enabled attackers to bypass multi-factor authentication (MFA) but also allowed their access to persist after password resets.

“Given that nearly 40% of Azure intrusions involve layered persistence methods, with adversaries employing techniques that can bypass even sophisticated security controls, the importance of internal network segmentation cannot be overstated,” ColorTokens Chief Evangelist Agnidipta Sarkar told SC Media in an email. “This strategy serves to minimize the potential blast radius when existing controls falter.”

When it came to phishing attempts targeting such cloud environments, emails with SVG or IMG attachments made up 70% of successful attempts to bypass secure email gateways, demonstrating how non-traditional phishing formats pose an overlooked risk to email and cloud security. SVG attacks in particular rose by 40% in H1 2025, according to Ontinue.

Commercialized phishing kits play a key role in enabling MFA-breaking credential phishing attacks, with the Tycoon 2FA phishing-as-a-service (PhaaS) kit being the most prevalent in H1 2025. Ontinue’s Cyber Defense Center (CDC) found that Tycoon 2FA made up 65% of PhaaS-driven credential attacks during this time period.

Beyond credential phishing, USB device-based attacks saw a resurgence in H1 2025, with incident volume increasing by 27%. An older technique that may be overlooked in today’s threat landscape, USB malware delivery has the potential to cause major disruption, including to industrial operations, according to a 2024 Honeywell report.

Ransomware remained a significant threat in the first half of 2025, with more than 4,000 claimed ransomware attacks reported, although ransom payments declined by 35% in 2024.

“Organizations need to take an identity-first approach to security because at the heart of every breach an attacker was able to compromise the right identity with the right level of privilege to achieve their objective,” noted BeyondTrust Field CTO James Maude in an email to SC Media. “No matter if an identity is compromised by bypassing MFA or loading a file from a USB drive, the degree of risk is entirely dependent on the standing privileges that identity has.”

Ontinue’s threat report makes several recommendations to tackle blind spots and close the gap between red team insights and the behavior of real-world threat actors, including: perform regular Azure Active Directory audits; be on the alert for non-traditional email attachment file types; monitor for signs of refresh token reuse, such as abnormally long sessions or sessions that survive a password reset; and restrict and monitor USB device use.
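As an added illustration of two of those recommendations (this is example code written for this article, not Ontinue's tooling or any vendor's API), the script below runs three simple checks over a constructed sign-in event log: it flags sessions whose refresh-token activity continues after the account's password was reset while the session itself predates the reset, flags sessions whose activity span exceeds an assumed 14-day threshold, and filters attachment filenames for the SVG and IMG types the report singles out. The event format, the `MAX_SESSION_DAYS` value and all log records are assumptions made for the example; a real deployment would read the equivalent fields from the tenant's sign-in and audit logs.

```python
"""Added detection sketch for refresh-token reuse and non-traditional attachments.

Assumed (constructed) event format: (ISO timestamp, user, session_id, event)
where event is one of "sign_in", "token_refresh", "password_reset".
A password_reset row carries session_id None because it is account-level.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import Path

MAX_SESSION_DAYS = 14                      # assumed threshold; tune to the tenant's token policy
SUSPICIOUS_ATTACHMENT_EXTS = {".svg", ".img"}  # formats the report calls out

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ("2025-03-01T08:00:00", "alice", "s-1", "sign_in"),
    ("2025-03-02T09:00:00", "alice", "s-1", "token_refresh"),
    ("2025-03-03T10:00:00", "alice", None,  "password_reset"),
    ("2025-03-04T11:00:00", "alice", "s-1", "token_refresh"),  # token outlived the reset
    ("2025-03-03T12:00:00", "alice", "s-4", "sign_in"),        # legitimate new session after reset
    ("2025-03-05T12:00:00", "alice", "s-4", "token_refresh"),
    ("2025-03-01T08:00:00", "bob",   "s-2", "sign_in"),
    ("2025-03-25T08:00:00", "bob",   "s-2", "token_refresh"),  # 24-day session
    ("2025-03-01T08:00:00", "carol", "s-3", "sign_in"),
    ("2025-03-02T08:00:00", "carol", "s-3", "token_refresh"),
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def _session_bounds(events):
    """Map session_id -> (first_seen, last_seen) over all session-bound events."""
    first, last = {}, {}
    for ts, _user, sid, _ev in events:
        if sid is None:
            continue
        t = _parse(ts)
        first[sid] = min(first.get(sid, t), t)
        last[sid] = max(last.get(sid, t), t)
    return first, last


def refresh_after_reset(events):
    """Session ids that began before a password reset and kept refreshing after it.

    Sessions that start after the reset are a normal re-login and are not flagged,
    which is the edge case a naive 'any refresh after reset' rule would get wrong.
    """
    resets = defaultdict(list)
    for ts, user, _sid, ev in events:
        if ev == "password_reset":
            resets[user].append(_parse(ts))
    first, _last = _session_bounds(events)
    flagged = set()
    for ts, user, sid, ev in events:
        if ev != "token_refresh" or sid is None:
            continue
        t = _parse(ts)
        if any(first[sid] < r < t for r in resets[user]):
            flagged.add(sid)
    return sorted(flagged)


def long_sessions(events, max_days=MAX_SESSION_DAYS):
    """Session ids whose first-to-last activity span exceeds max_days."""
    first, last = _session_bounds(events)
    limit = timedelta(days=max_days)
    return sorted(sid for sid in first if last[sid] - first[sid] > limit)


def suspicious_attachments(filenames):
    """Attachment names whose extension is one of the non-traditional phishing types."""
    return [f for f in filenames if Path(f).suffix.lower() in SUSPICIOUS_ATTACHMENT_EXTS]


if __name__ == "__main__":
    print("refresh after reset:", refresh_after_reset(SAMPLE_EVENTS))
    print("long sessions:", long_sessions(SAMPLE_EVENTS))
    print("attachments:", suspicious_attachments(["invoice.pdf", "Invoice.SVG", "disk.img"]))
```

Both session checks key on a stable session identifier, so they are only as good as the log source's session correlation; where that field is absent, the same logic can be keyed on the refresh token's hash or the device identifier instead.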

“The attackers we track are blending technical skill with human-focused tactics, leveraging trusted vendors, manipulating identities, and exploiting small configuration gaps that snowball into major incidents,” Ontinue Director of Threat Response Balazs Greksza said in a statement. “The organizations that fare the best are those that build resilience into every layer of their environment, from identity controls to incident response.”