The investigation, conducted in May 2025, revealed coordinated attacks utilizing VPS providers, including Hyonix and Host Universal, to bypass traditional security controls and maintain persistent access to compromised email accounts.
Virtual Private Servers have become increasingly attractive to cybercriminals due to their ability to provide clean, newly provisioned infrastructure that evades IP reputation checks while mimicking legitimate local traffic.
The attackers specifically targeted VPS providers offering rapid deployment and minimal open-source intelligence (OSINT) footprint, making detection significantly more challenging for traditional security systems.
The campaign demonstrated sophisticated techniques, including session hijacking, where attackers gained access to accounts while legitimate users remained active from distant geographical locations.
This created “improbable travel” scenarios that triggered Darktrace’s behavioral detection models, particularly the “Login From Rare Endpoint While User Is Active” alert system.
Darktrace’s Threat Research team identified two primary attack scenarios during their investigation.
In the first case, attackers accessed two internal devices through VPS-linked IP addresses, subsequently deleting emails from “Sent Items” folders that referenced invoice documents, likely concealing phishing emails sent from the compromised accounts.
The second case involved multiple users experiencing coordinated logins from rare endpoints associated with various VPS providers, including Mevspace and Hivelocity.
Following initial access, attackers created inbox rules with obfuscated names designed to automatically delete incoming emails, particularly those referencing documents shared by VIP personnel within the targeted organization.
The investigation revealed mirrored activity patterns across different user devices, suggesting a coordinated campaign utilizing shared infrastructure and standardized attack methodologies.
Attackers also attempted to modify account recovery settings and maintain persistence through various techniques.
The campaign highlights critical vulnerabilities in traditional security approaches that rely heavily on IP reputation and geolocation-based controls. VPS abuse enables attackers to blend into legitimate traffic patterns while maintaining anonymity and scalability in their operations.
Notably, Darktrace’s Autonomous Response capability was not enabled in the affected customer environments, so no automated containment actions were taken that could have halted the compromise during its initial stages.
The attacks coincided with legitimate user activity, rendering conventional security tools largely ineffective against these sophisticated techniques.
This investigation underscores the necessity for behavior-based detection systems capable of identifying subtle anomalies such as concurrent session activity, unusual login sources, and suspicious mailbox rule modifications that traditional rule-based security systems typically miss.
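As an added illustration (not Darktrace's detection model or code), the following heuristic shows the two behaviours the investigation describes being checked over constructed telemetry: a login from an ASN outside the user's baseline that overlaps a recent session from elsewhere ("rare endpoint while user is active"), and a newly created inbox rule that deletes mail under an obfuscated name. The event fields, ASN labels and baseline are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (sign-ins and mailbox-rule audit events); not real data.
EVENTS = [
    {"ts": "2025-05-12T09:00:00", "user": "alice", "type": "login",
     "asn": "AS64500-CorpISP", "country": "GB"},
    {"ts": "2025-05-12T09:06:00", "user": "alice", "type": "login",
     "asn": "AS64511-VPSHost", "country": "US"},
    {"ts": "2025-05-12T09:08:00", "user": "alice", "type": "new_rule",
     "name": "..", "action": "delete", "condition": "document shared"},
    {"ts": "2025-05-12T11:00:00", "user": "bob", "type": "login",
     "asn": "AS64500-CorpISP", "country": "GB"},
    {"ts": "2025-05-12T11:30:00", "user": "bob", "type": "new_rule",
     "name": "Archive newsletters", "action": "move", "condition": "newsletter"},
]

# Per-user baseline of ASNs seen in recent history (constructed for the example).
BASELINE = {"alice": {"AS64500-CorpISP"}, "bob": {"AS64500-CorpISP"}}

def _t(event):
    return datetime.fromisoformat(event["ts"])

def rare_endpoint_while_active(events, baseline, window=timedelta(minutes=30)):
    """Flag a login from an ASN outside the user's baseline that lands while a
    session from a different ASN is still recent (concurrent activity)."""
    hits = []
    logins = [e for e in events if e["type"] == "login"]
    for e in logins:
        if e["asn"] in baseline.get(e["user"], set()):
            continue  # known infrastructure for this user; not rare
        concurrent = [o for o in logins if o["user"] == e["user"] and o is not e
                      and o["asn"] != e["asn"] and abs(_t(o) - _t(e)) <= window]
        if concurrent:
            hits.append((e["user"], e["asn"], sorted(o["country"] for o in concurrent)))
    return hits

def suspicious_inbox_rules(events):
    """Flag rules that delete mail and carry an obfuscated name (very short or
    punctuation-only), the pattern used to hide replies and shared-document mail."""
    hits = []
    for e in events:
        if e["type"] != "new_rule" or e["action"] != "delete":
            continue
        name = e["name"].strip()
        if len(name) <= 2 or not any(c.isalnum() for c in name):
            hits.append((e["user"], e["name"], e["condition"]))
    return hits
```

Both checks are deliberately simple; in practice the baseline window, ASN-to-provider mapping and the definition of an obfuscated rule name would be tuned to the tenant's audit-log schema.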
The post VPS Servers Targeted by Hackers to Breach SaaS Accounts appeared first on Cyber Security News.