New attack tactics look to bypass MFA and target security blindspots

A new report from AI-powered managed extended detection and response company Ontinue shows a sharp rise in MFA-bypassing identity attacks in the first half of the year.

These attacks are using token replay abuse with roughly 20 percent of live incidents involving adversaries reusing stolen refresh tokens to bypass MFA, even after password resets.

The findings also reveal that while ransomware remains one of the most disruptive threats, adversaries are increasingly focused on identity-based attacks in the cloud, persistence in Azure environments, and even ‘back to basics. tactics like USB-delivered malware.

Over 70 percent of attachments found bypassing secure email gateways were formats like SVG or IMG, not traditional Office documents. Ontinue has also observed a 27 percent increase in USB-borne malware compared to late 2024, reinforcing the ongoing risk of removable media. A 2024 Honeywell study showed 51 percent of USB-based threats could cause major disruption in enterprise and industrial environments.

Third-party risk remains a major issue too, nearly 30 percent of incidents were linked to vendor compromise, including supply chain attacks targeting retailers and manufacturers.

“Cybercriminals are operating with the speed and adaptability of modern businesses. They pivot, rebrand, and retool in weeks, not months,” says Craig Jones, chief security officer at Ontinue. “In the first half of 2025, we’ve seen ransomware operators overcome takedowns, PhaaS services scale globally, and state-aligned actors target the private sector with increasing precision. Organizations can’t afford to approach security as a static project, it’s a continuous, intelligence-led process.”

You can get the full report, which also outlines practical defensive measures, including phishing-resistant MFA, hardened endpoint configurations, and robust vendor risk management, from the Ontinue site.

Image credit: Jirsak/depositphotos