
The investigation, conducted in May 2025, revealed coordinated attacks utilizing VPS providers, including Hyonix and Host Universal, to bypass traditional security controls and maintain persistent access to compromised email accounts.

VPS Infrastructure Enables Stealthy Attack Operations
Virtual Private Servers have become increasingly attractive to cybercriminals due to their ability to provide clean, newly provisioned infrastructure that evades IP reputation checks while mimicking legitimate local traffic.
The attackers favoured VPS providers offering rapid deployment and a minimal open-source intelligence (OSINT) footprint, making detection significantly more challenging for traditional security systems.

The campaign demonstrated sophisticated techniques, including session hijacking, where attackers gained access to accounts while legitimate users remained active from distant geographical locations.
This created “improbable travel” scenarios that triggered Darktrace’s behavioral detection models, particularly the “Login From Rare Endpoint While User Is Active” alert system.
Coordinated Campaign Across Multiple Environments
Darktrace’s Threat Research team identified two primary attack scenarios during their investigation.
In the first case, attackers accessed two internal devices through VPS-linked IP addresses, subsequently deleting emails from “Sent Items” folders that referenced invoice documents, likely concealing phishing emails sent from the compromised accounts.

The second case involved multiple users experiencing coordinated logins from rare endpoints associated with various VPS providers, including Mevspace and Hivelocity.
Following initial access, attackers created inbox rules with obfuscated names designed to automatically delete incoming emails, particularly those referencing documents shared by VIP personnel within the targeted organization.
The investigation revealed mirrored activity patterns across different user devices, suggesting a coordinated campaign utilizing shared infrastructure and standardized attack methodologies.
Attackers also attempted to modify account recovery settings and maintain persistence through various techniques.
Security Implications and Detection Challenges
The campaign highlights critical weaknesses in traditional security approaches that rely heavily on IP reputation and geolocation-based controls. VPS abuse lets attackers blend into legitimate traffic patterns while retaining anonymity and the ability to scale their operations.
Notably, Darktrace’s Autonomous Response capability was not enabled in the affected customer environments, preventing automated containment actions that could have halted the compromise during its initial stages.
The attacks coincided with legitimate user activity, rendering conventional security tools largely ineffective against these sophisticated techniques.
This investigation underscores the necessity for behavior-based detection systems capable of identifying subtle anomalies such as concurrent session activity, unusual login sources, and suspicious mailbox rule modifications that traditional rule-based security systems typically miss.
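As an added illustration of the behaviour-based checks described above (example code written for this page, not Darktrace's or any vendor's detection logic), the following Python runs two of them over a handful of constructed sign-in and inbox-rule events: a login from a different endpoint while the user is still active, judged by an impossible travel speed or a hosting-provider origin, and a newly created delete rule with an obfuscated name. The provider names are those mentioned in the report; the users, IPs, coordinates and timestamps are assumed sample data.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed sample audit events (not from the article). Login events carry
# geolocation; inbox-rule events carry the rule name, action and condition.
EVENTS = [
    {"user": "alice", "ts": "2025-05-12T09:00:00", "ip": "203.0.113.10", "org": "Example Office ISP", "lat": 51.5, "lon": -0.12, "kind": "login"},
    {"user": "alice", "ts": "2025-05-12T09:20:00", "ip": "198.51.100.7", "org": "Hyonix", "lat": 40.7, "lon": -74.0, "kind": "login"},
    {"user": "alice", "ts": "2025-05-12T09:25:00", "ip": "198.51.100.7", "org": "Hyonix", "kind": "new_inbox_rule", "rule": "..", "action": "delete", "condition": "subject contains 'invoice'"},
    {"user": "bob", "ts": "2025-05-12T10:00:00", "ip": "203.0.113.11", "org": "Example Office ISP", "lat": 51.5, "lon": -0.12, "kind": "login"},
    {"user": "bob", "ts": "2025-05-12T15:00:00", "ip": "203.0.113.11", "org": "Example Office ISP", "lat": 51.5, "lon": -0.12, "kind": "login"},
    {"user": "bob", "ts": "2025-05-12T15:02:00", "ip": "203.0.113.11", "org": "Example Office ISP", "kind": "new_inbox_rule", "rule": "Move newsletters", "action": "move", "condition": "from newsletter@example.net"},
]

VPS_ORGS = {"hyonix", "host universal", "mevspace", "hivelocity"}  # providers named in the report
ACTIVE_WINDOW = timedelta(minutes=60)  # a prior login this recent counts as "user still active"
MAX_KMH = 900  # implied travel faster than this between two sessions is improbable

def km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs (haversine)."""
    la1, lo1, la2, lo2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def obfuscated(name):
    """Rule names containing no letters or digits ('..', whitespace) are a hiding trick."""
    return not any(ch.isalnum() for ch in name)

def detect(events):
    """Return (user, alert, ip, detail) tuples for the two behaviours above."""
    alerts, last_login = [], {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["kind"] == "login":
            prev = last_login.get(e["user"])
            if prev and prev["ip"] != e["ip"] and t - prev["t"] <= ACTIVE_WINDOW:
                hours = max((t - prev["t"]).total_seconds() / 3600, 1 / 60)
                dist = km((prev["lat"], prev["lon"]), (e["lat"], e["lon"]))
                if dist / hours > MAX_KMH or e["org"].lower() in VPS_ORGS:
                    alerts.append((e["user"], "login_from_rare_endpoint_while_active", e["ip"], e["org"]))
            last_login[e["user"]] = {"t": t, "ip": e["ip"], "lat": e["lat"], "lon": e["lon"]}
        elif e["kind"] == "new_inbox_rule" and e["action"] == "delete" and obfuscated(e["rule"]):
            alerts.append((e["user"], "obfuscated_delete_rule", e["ip"], e["rule"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

In a real deployment the hosting-provider list would come from ASN data and the "active" test from session telemetry rather than the last login alone; the structure of the two checks is what the report's detections rely on.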
The post VPS Servers Targeted by Hackers to Breach SaaS Accounts appeared first on Cyber Security News.
