Attackers Exploit Virtual Private Servers to Target SaaS Accounts

Cybersecurity firm Darktrace has reported a rising trend where attackers leverage virtual private servers (VPS) to compromise software-as-a-service (SaaS) accounts. By using VPS infrastructure, threat actors can bypass geolocation-based defenses, evade IP reputation checks, and mimic legitimate user behavior, making detection more difficult.

The investigation revealed coordinated attacks affecting multiple customer environments, all involving logins from IP addresses tied to VPS providers like Hyonix and Host Universal. These compromised accounts were subsequently used to launch follow-up phishing campaigns and maintain persistent access without alerting security systems.

VPS platforms, while legitimate tools offering dedicated resources on shared hardware, have become attractive to cybercriminals because they allow anonymous, low-cost, and scalable operations. Darktrace highlighted that attackers exploit these services to blend in with normal activity, timing logins and actions to coincide with legitimate user behavior.

How SaaS Accounts Are Compromised

In several incidents observed in May 2025, compromised SaaS accounts displayed suspicious activity, including:

  • Brute-force login attempts from unusual external IP addresses linked to VPS providers.
  • Session hijacking, where attackers logged in immediately after legitimate users from distant geolocations.
  • Mailbox manipulation, such as deleting emails and creating vague or generic inbox rules to redirect or remove incoming messages.
  • Attempts to modify account recovery settings, reset passwords, or update security information from rare IP addresses.

These techniques suggest attackers aim to remain undetected while positioning themselves for potential data theft, spam distribution, or further exploitation. Multiple user devices mirrored these activities, indicating a coordinated campaign targeting the organization’s SaaS infrastructure.

Key Takeaways for Organizations

  • Monitor unusual logins, particularly from VPS or cloud provider IP ranges.
  • Implement multi-factor authentication (MFA) to limit account takeover risk.
  • Audit email rules and security settings regularly to detect suspicious changes.
  • Use behavioral analytics to identify anomalies in SaaS activity patterns.
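The indicators listed under "How SaaS Accounts Are Compromised" and the monitoring advice above can be turned into simple detections over SaaS audit logs. The following is an added example, not code from Darktrace or the article; the VPS IP ranges, the audit events and the action names are constructed samples, and a real deployment would load provider ranges from an IP-intelligence feed and events from the SaaS platform's sign-in and mailbox audit logs.

```python
# Added example: three detections matching the behaviours in the report.
# VPS_RANGES and EVENTS are constructed placeholders, not real indicators.
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Placeholder prefixes standing in for VPS-provider ASN ranges (constructed).
VPS_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed audit events: (user, UTC timestamp, source IP, country, action)
EVENTS = [
    ("alice", "2025-05-06T08:00:00", "192.0.2.10",   "GB", "login"),
    ("alice", "2025-05-06T08:07:00", "203.0.113.45", "US", "login"),
    ("alice", "2025-05-06T08:09:00", "203.0.113.45", "US", "inbox_rule_created"),
    ("bob",   "2025-05-06T09:00:00", "192.0.2.22",   "GB", "login"),
    ("bob",   "2025-05-06T17:00:00", "192.0.2.22",   "GB", "login"),
]

# Actions the report associates with persistence and account takeover.
SENSITIVE = {"inbox_rule_created", "recovery_settings_changed", "password_reset"}

def is_vps(ip: str) -> bool:
    """True if the source IP falls inside a known VPS provider range."""
    return any(ip_address(ip) in net for net in VPS_RANGES)

def detect(events, travel_window=timedelta(hours=1), rare_window=timedelta(days=1)):
    """Return (user, timestamp, reason) alerts; events are processed in time order."""
    alerts = []
    last_login = {}   # user -> (time, country) of the most recent login
    first_seen = {}   # (user, ip) -> first time this IP was seen for the user
    for user, ts, ip, country, action in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        if action == "login":
            if is_vps(ip):
                alerts.append((user, ts, "login from VPS provider range"))
            prev = last_login.get(user)
            # Login from a different country shortly after the previous one
            # (the "session hijacking" pattern described in the report).
            if prev and prev[1] != country and t - prev[0] <= travel_window:
                alerts.append((user, ts, "login from distant geo shortly after prior login"))
            last_login[user] = (t, country)
        elif action in SENSITIVE:
            # Mailbox rule or recovery change from a VPS IP, or from an IP the
            # user has used for less than rare_window (a "rare" IP).
            since = t - first_seen.get((user, ip), t)
            if is_vps(ip) or since < rare_window:
                alerts.append((user, ts, f"{action} from rare or VPS IP"))
        first_seen.setdefault((user, ip), t)
    return alerts
```

On the sample events, alice's VPS login, her cross-country login seven minutes after a GB login, and the inbox rule created from that VPS address each raise an alert, while bob's routine same-country logins raise none.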

Darktrace warns that VPS-facilitated attacks are persistent and highly targeted, often evading traditional security measures. Organizations should consider continuous monitoring and proactive threat hunting to reduce exposure to these evolving threats.

Source: https://www.infosecurity-magazine.com/news/attackers-virtual-servers