Cybercriminals are increasingly leveraging Virtual Private Server (VPS) infrastructure to orchestrate sophisticated attacks against Software-as-a-Service (SaaS) platforms, exploiting the anonymity and clean reputation of these hosting services to bypass traditional security controls.<\/p>\n
A coordinated campaign identified in early 2025 demonstrated how threat actors systematically abuse VPS providers like Hyonix, Host Universal, Mevspace, and Hivelocity to compromise enterprise email accounts and establish persistent access to organizational systems.<\/p>\n
The attack methodology centers on session hijacking techniques, where attackers utilize compromised credentials to log into SaaS accounts from VPS-hosted infrastructure.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjpOevDehNE3ZwWdzJ7Vnch_4tZpjwqFHihZEzjyckNTeoX7Y6n0VQMDFnLSYdidauiJZ2WsBhn7H-rRBY7c1qlUX1RSPO3z-tgHP7Rogua4y7HxrBO4sKe_hr5ngjZxoc4qNRW1EVODByMw9s9U3Bg7afMbPZ5RBkglabW6vPTlpSfS_FY70la9YVBuYo\/s16000\/Timeline%2520of%2520activity%2520for%2520Case%25201%2520-%2520Unusual%2520VPS%2520logins%2520and%2520deletion%2520of%2520phishing%2520emails%2520%28Source%2520-%2520Darktrace%29.webp?ssl=1\")
This approach allows malicious actors to circumvent geolocation-based security measures<\/a> by appearing as legitimate traffic from trusted hosting providers.<\/p>\n The clean IP reputation associated with newly provisioned VPS instances enables attackers to evade conventional blacklist-based detection systems, making their activities blend seamlessly with normal business operations.<\/p>\n Recent investigations spanning March through May 2025 revealed a surge in anomalous login activities originating from Hyonix\u2019s Autonomous System Number (ASN AS931), with threat actors demonstrating remarkable consistency in their attack patterns across multiple victim environments.<\/p>\n Darktrace analysts identified<\/a> suspicious activities including improbable travel scenarios where users appeared to access accounts simultaneously from distant geographical locations, indicating clear signs of credential compromise and session hijacking.<\/p>\n The campaign\u2019s sophistication extends beyond initial access, incorporating Multi-Factor Authentication<\/a> (MFA) bypass techniques through token manipulation and the systematic creation of obfuscated email rules designed to maintain stealth.<\/p>\n Attackers established persistence by creating inbox rules with minimal or generic names to avoid detection during routine security audits<\/a>, automatically redirecting or deleting incoming emails to conceal their malicious activities.<\/p>\n The threat actors demonstrated advanced understanding of email security systems by implementing targeted inbox rule manipulation techniques that operate below the threshold of typical security monitoring.<\/p>\n The malicious rules specifically targeted emails containing sensitive organizational information, including communications from VIP personnel and financial documents.<\/p>\n Technical analysis revealed the use of MITRE ATT&CK technique T1098.002 (Exchange Email Rules) combined with T1071.001 (Web Protocols) for command and control operations.<\/p>\n Key indicators of compromise include IP addresses 38.240.42[.]160 and 194.49.68[.]244 associated with Hyonix infrastructure, alongside 91.223.3[.]147 from Mevspace Poland.<\/p>\n The attackers employed domain fluxing techniques for infrastructure resilience while maintaining operational security through carefully timed activities that coincided with legitimate user sessions, effectively masking their presence within normal business communications.<\/p>\n The post Hackers Abuse VPS Servers To Compromise Software-as-a-service (SaaS) Accounts<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg6rDL7uIR0rQWXtXq1eZnabICejaRTkBLnbmzzLnFyeJ_5TeeH0EfWCWa0SDYezs8BRsc6kxpJKug8GsfjFQExLrsBZafbtpygT5BQuKuStiKfgk-wkvMWxoMSqUoyDFRGtTzNq4y815NmsO-v3FVjuS4I2KbPELzkOXRpaz9c2-QXAXIfaZ7CMHGKQN0\/s16000\/Timeline%2520of%2520activity%2520for%2520Case%25202%2520%25E2%2580%2593%2520Coordinated%2520inbox%2520rule%2520creation%2520and%2520outbound%2520phishing%2520campaign%2520%28Source%2520-%2520Darktrace%29.webp?ssl=1\")
Advanced Persistence and Evasion Mechanisms<\/strong><\/h2>\n
Boost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n