Current Cyber Threats

Attackers Abuse Virtual Private Servers to Compromise SaaS Accounts

Summary:
Darktrace uncovered a sophisticated phishing campaign that relied heavily on the abuse of Virtual Private Servers to compromise SaaS accounts across multiple customer environments. Threat actors leveraged infrastructure from providers such as Hyonix, Host Universal, and others to stage suspicious logins that closely mimicked legitimate user behavior. These logins were often timed to coincide with real user activity, creating the appearance of plausible travel and making them more difficult to detect with traditional, rule-based security tools. Once inside, the attackers established persistence by creating obfuscated inbox rules, deleting phishing-related emails from sent folders, and attempting to modify account recovery settings. These tactics allowed them not only to conceal their presence but also to maintain long-term access while preparing for further exploitation such as spam campaigns or data exfiltration.

Darktrace’s investigation revealed consistent, mirrored behaviors across customer networks, including coordinated logins from rare IP addresses, inbox manipulation, and outbound phishing activity featuring fake invoices and finance-themed lures. In one instance, attackers even deployed a remote access tool on a domain controller, potentially enabling persistent footholds and lateral movement. These activities underscore how VPS abuse offers attackers scalability, anonymity, and low costs, while bypassing geolocation controls and evading IP reputation checks through the use of newly provisioned, clean infrastructure.


Security Officer Comments:
While Darktrace’s Autonomous Response capability was not enabled in the affected environments, the platform’s AI models still flagged key anomalies such as improbable travel, simultaneous logins from common and rare endpoints, inbox rule manipulation, and unusual domain queries.


Suggested Corrections:
As attackers increasingly exploit these services to blend into legitimate traffic, organizations must adopt proactive strategies such as continuous monitoring for anomalous logins, mailbox rule changes, and suspicious account activity. Pairing these capabilities with autonomous containment can provide the speed and precision needed to halt compromises in their early stages before attackers escalate their activities. This investigation not only reveals the tactics behind the campaign but also serves as a warning of how affordable and anonymous infrastructure continues to reshape the threat landscape for SaaS security.
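The monitoring the bulletin recommends (rare-endpoint logins overlapping with normal activity, inbox-rule manipulation, sent-item purges) can be expressed as a few simple checks over identity and mailbox audit events. The example below is added here to illustrate that logic; it is not Darktrace's code nor code from the report. The sign-in and mailbox events, the per-user ASN baseline, and the user names and IP addresses are all constructed for the example; the event field names are loosely modelled on Microsoft 365 audit-log operations (`New-InboxRule`, `HardDelete`) and would need to be mapped to whatever your tenant actually emits.

```python
"""Toy detections for the VPS-abuse campaign pattern described above.
All events below are constructed sample data, not real telemetry."""
from datetime import datetime, timedelta

# Constructed baseline: ASNs each user has signed in from over the trailing
# 30 days. In practice this comes from your identity provider's sign-in logs.
BASELINE_ASNS = {
    "alice": {"CorpISP-AS"},
    "bob": {"CorpISP-AS", "MobileCarrier-AS"},
}

# Constructed sign-in events (UTC, oldest first). 198.51.100.0/24 plays the
# role of a freshly provisioned VPS range with no history for either user.
SIGNINS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "ip": "203.0.113.10", "asn": "CorpISP-AS"},
    {"ts": "2024-05-01T09:12:00", "user": "alice", "ip": "198.51.100.77", "asn": "ExampleVPS-AS"},
    {"ts": "2024-05-01T10:30:00", "user": "bob", "ip": "203.0.113.11", "asn": "CorpISP-AS"},
    {"ts": "2024-05-01T16:45:00", "user": "bob", "ip": "198.51.100.78", "asn": "ExampleVPS-AS"},
]

# Constructed mailbox audit events, loosely shaped like M365 audit records.
MAILBOX_AUDIT = [
    {"ts": "2024-05-01T09:15:00", "user": "alice", "op": "New-InboxRule",
     "params": {"Name": ".", "MoveToFolder": "RSS Subscriptions",
                "SubjectContainsWords": "invoice"}},
    {"ts": "2024-05-01T09:20:00", "user": "alice", "op": "HardDelete",
     "params": {"Folder": "SentItems", "Subject": "Invoice 4471 overdue"}},
    {"ts": "2024-05-01T11:00:00", "user": "bob", "op": "New-InboxRule",
     "params": {"Name": "Newsletters", "MoveToFolder": "Newsletters",
                "FromAddressContainsWords": "news@"}},
]

# Folders attackers commonly route mail into so the victim never sees it.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email",
                  "deleted items", "conversation history"}


def _t(stamp):
    return datetime.fromisoformat(stamp)


def rare_endpoint_logins(signins, baseline):
    """Successful logins from an ASN the user has no history with."""
    return [e for e in signins if e["asn"] not in baseline.get(e["user"], set())]


def concurrent_common_rare(signins, baseline, window=timedelta(minutes=30)):
    """A rare-ASN login within `window` of a baseline-ASN login by the same
    user: the overlap that made the campaign's logins look like plausible
    travel. Returns (user, common_ip, rare_ip) tuples."""
    hits = []
    by_user = {}
    for e in signins:
        by_user.setdefault(e["user"], []).append(e)
    for user, events in by_user.items():
        known = baseline.get(user, set())
        for rare in (e for e in events if e["asn"] not in known):
            for common in (e for e in events if e["asn"] in known):
                if abs(_t(rare["ts"]) - _t(common["ts"])) <= window:
                    hits.append((user, common["ip"], rare["ip"]))
    return hits


def suspicious_mailbox_changes(audit):
    """Inbox rules with obfuscated names or that hide/delete mail, plus hard
    deletes from Sent Items (covering tracks after outbound phishing)."""
    findings = []
    for e in audit:
        p = e["params"]
        if e["op"] in ("New-InboxRule", "Set-InboxRule"):
            obfuscated = len(p.get("Name", "").strip()) <= 1
            hides = (p.get("DeleteMessage") is True
                     or p.get("MoveToFolder", "").lower() in HIDING_FOLDERS)
            if obfuscated or hides:
                findings.append((e["user"], "inbox_rule", p.get("Name", "")))
        elif e["op"] == "HardDelete" and p.get("Folder") == "SentItems":
            findings.append((e["user"], "sent_items_purge", p.get("Subject", "")))
    return findings


def run_detections():
    """Run all three checks over the constructed sample data."""
    return {
        "rare_logins": rare_endpoint_logins(SIGNINS, BASELINE_ASNS),
        "concurrent": concurrent_common_rare(SIGNINS, BASELINE_ASNS),
        "mailbox": suspicious_mailbox_changes(MAILBOX_AUDIT),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name, hits)
```

On the sample data, both users produce a rare-ASN login, but only alice's falls within 30 minutes of her normal login, and only alice's mailbox shows an obfuscated rule plus a Sent Items purge. Correlating those three signals on one account within a short window is what turns three low-confidence anomalies into a credible compromise alert; any one of them alone (bob's afternoon login from a new network, for instance) is routine enough that alerting on it in isolation would drown the SOC in noise.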


Link(s):
https://www.infosecurity-magazine.com/news/attackers-virtual-servers/