Darktrace has uncovered a coordinated campaign of SaaS account takeovers. Attackers hid behind Virtual Private Servers, slipping into accounts, moving unseen, and wiping away the traces of phishing.
The pattern was consistent: suspicious logins from VPS-linked infrastructure, swift creation of inbox rules, and deleted emails, particularly those tied to phishing. What researchers found was a portrait of a campaign built on stealth, persistence, and the calculated use of virtual infrastructure.
What is a VPS, and Why Does it Matter?
A VPS provides dedicated computing resources on a shared physical server. For businesses and developers, it is a useful, legitimate tool. For attackers, it offers something else: scale, speed, and cover.
VPS abuse is not new. But its rise in SaaS-targeted campaigns is notable. It allows attackers to sidestep geolocation controls by imitating local traffic. It lets them evade IP reputation checks with newly minted addresses. And it helps them blend into the daily rhythm of legitimate business activity.
Providers like Hyonix and Host Universal make this easier still. Their services can be deployed within minutes, at low cost, and with minimal digital trace. To a threat actor, that combination is irresistible.
Darktrace’s Investigation
In May this year, Darktrace’s Threat Research team looked into a surge of anomalous behavior tied to Hyonix infrastructure. The spike started in March, with alerts showing brute-force attempts, unusual logins, and inbox rule manipulation.
Two customer environments stood out. In one, mirrored compromises appeared across multiple devices. Logins came from unfamiliar endpoints. Emails were deleted to mask evidence of phishing attempts. Tracing the trail led back to Hyonix IPs.
In the second, attackers moved with more coordination. Multiple accounts logged in from rare VPS sources. Inbox rules were created with vague or obfuscated names. Recovery settings were modified, a signal of privilege escalation.
The pattern pointed to a campaign leveraging shared infrastructure across targets.
In both cases, Darktrace’s Autonomous Response was not active. That absence mattered. Without automated containment, the activity escalated. With it, connections from rare VPS endpoints would have been blocked early.
The Case Details
On 19 May, Darktrace saw two internal devices connect through Hyonix and Host Universal IPs. The logins occurred almost simultaneously with legitimate user sessions from distant geographies. That “impossible travel” was an early sign of hijacking. Shortly after, phishing-related emails were deleted from a compromised account’s “Sent Items” folder.
Elsewhere, in another customer network, attackers used VPS infrastructure from Hyonix, Mevspace, and Hivelocity. They satisfied MFA checks through stolen token claims. Once inside, they established persistence through inbox rules designed to pass unnoticed. One such rule automatically deleted messages from a senior executive, likely to suppress evidence of misuse.
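As an added illustration (example code written for this article, not Darktrace's detection logic), the script below runs the three checks the case details describe over a handful of constructed SaaS audit events: consecutive logins by one user that would require faster-than-aircraft travel, inbox rules with empty or generic names or that silently delete a named sender's mail, and deletions from "Sent Items" shortly after a flagged login. The event schema, the thresholds and every sample value are assumptions made for the example.

```python
"""Triage of SaaS audit events for the account-takeover pattern described above.

SAMPLE_EVENTS is constructed for this example; it is not Darktrace telemetry,
and the field names are an assumed schema, not any product's real audit format.
"""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900                 # faster than this between two logins is "impossible travel"
CLEANUP_WINDOW = timedelta(minutes=30)  # deletions this soon after a flagged login look like track-covering
GENERIC_RULE_NAMES = {"", ".", "..", "-", "_", "a", "rule", "new rule"}

SAMPLE_EVENTS = [
    # constructed: alice's real session, then a login 4 minutes later from another continent
    {"type": "login", "user": "alice", "ts": "2025-05-19T08:00:00", "ip": "203.0.113.10", "org": "Corp ISP", "lat": 51.50, "lon": -0.12},
    {"type": "login", "user": "alice", "ts": "2025-05-19T08:04:00", "ip": "198.51.100.7", "org": "hosting-b", "lat": 40.71, "lon": -74.01},
    {"type": "email_deleted", "user": "alice", "ts": "2025-05-19T08:10:00", "folder": "Sent Items", "subject": "Invoice update"},
    # constructed: bob creates a rule named "." that silently deletes mail from an executive
    {"type": "login", "user": "bob", "ts": "2025-05-19T09:00:00", "ip": "203.0.113.11", "org": "Corp ISP", "lat": 51.50, "lon": -0.12},
    {"type": "inbox_rule_created", "user": "bob", "ts": "2025-05-19T09:05:00", "name": ".", "actions": ["delete"], "from_sender": "cfo@example.com"},
    # constructed: carol's ordinary travel (London to Paris in a day) and a descriptive, benign rule
    {"type": "login", "user": "carol", "ts": "2025-05-18T07:00:00", "ip": "203.0.113.12", "org": "Corp ISP", "lat": 51.50, "lon": -0.12},
    {"type": "login", "user": "carol", "ts": "2025-05-19T07:00:00", "ip": "203.0.113.50", "org": "Corp ISP", "lat": 48.86, "lon": 2.35},
    {"type": "inbox_rule_created", "user": "carol", "ts": "2025-05-19T07:30:00", "name": "Move newsletters to Reading", "actions": ["move"]},
    {"type": "email_deleted", "user": "carol", "ts": "2025-05-19T07:40:00", "folder": "Inbox", "subject": "Weekly digest"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse(ts):
    return datetime.fromisoformat(ts)


def impossible_travel(events):
    """Flag the later of two consecutive logins by the same user when the
    distance between them could not have been covered in the elapsed time."""
    logins = sorted((e for e in events if e["type"] == "login"), key=lambda e: (e["user"], e["ts"]))
    by_user = {}
    for e in logins:
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = max((parse(cur["ts"]) - parse(prev["ts"])).total_seconds() / 3600, 1 / 3600)
            kmh = km / hours
            if kmh > MAX_PLAUSIBLE_KMH:
                findings.append({"user": user, "ip": cur["ip"], "org": cur["org"], "ts": cur["ts"], "kmh": round(kmh)})
    return findings


def suspicious_rules(events):
    """Flag rule creations with generic names or that silently delete one sender's mail."""
    findings = []
    for e in events:
        if e["type"] != "inbox_rule_created":
            continue
        reasons = []
        name = e["name"].strip().lower()
        if name in GENERIC_RULE_NAMES or len(name) <= 2:
            reasons.append("generic or empty rule name")
        if "delete" in e["actions"] and e.get("from_sender"):
            reasons.append(f"silently deletes mail from {e['from_sender']}")
        if reasons:
            findings.append({"user": e["user"], "name": e["name"], "ts": e["ts"], "reasons": reasons})
    return findings


def cleanup_after_login(events, flagged_logins):
    """Deletions from Sent Items within CLEANUP_WINDOW of a flagged login by the same user."""
    flagged = {(f["user"], parse(f["ts"])) for f in flagged_logins}
    findings = []
    for e in events:
        if e["type"] != "email_deleted" or e["folder"] != "Sent Items":
            continue
        for user, login_ts in flagged:
            if user == e["user"] and timedelta(0) <= parse(e["ts"]) - login_ts <= CLEANUP_WINDOW:
                findings.append({"user": user, "subject": e["subject"], "ts": e["ts"]})
    return findings


def triage(events=SAMPLE_EVENTS):
    travel = impossible_travel(events)
    return {
        "impossible_travel": travel,
        "suspicious_rules": suspicious_rules(events),
        "cleanup_after_login": cleanup_after_login(events, travel),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

The three checks are deliberately chained: the deletion check only fires for users who already have a flagged login, which keeps ordinary mailbox housekeeping (carol emptying her Inbox) out of the findings while catching the sequence the article describes.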
Building Persistence
The threat actors’ behavior was deliberate. Rules were given minimal or generic names to avoid scrutiny. Multiple accounts showed almost identical mailbox manipulations. Others showed signs of account recovery tampering and password resets.
One network saw outbound spam with finance-themed subject lines, while another showed DNS queries to domains using fluxing, a popular evasion tactic.
In a further twist, a compromised device attempted to install Splashtop, a remote access tool normally used for IT support. In this context, it suggested the malefactor sought durable, hands-on control of the environment.
Weaponizing VPS Services
This campaign shows how bad actors are weaponizing VPS services to obfuscate their operations in SaaS environments. These services are cheap, disposable, and practically invisible against traditional security checks.
Darktrace’s AI picked up the anomalies early: unusual logins, inbox rule creation, and suspicious deletions, indicators that static, rule-based tools often miss. But early detection alone is insufficient. Containment (ideally automated) is vital when attackers move at machine speed.
Blending With Normal Traffic
J Stephen Kowski, Field CTO at SlashNext, says the playbook isn’t new—it’s the same old tricks you would see on a desktop: changing inbox rules, stealing tokens, resetting passwords, and cleaning up tracks.
“The only twist is that it’s happening on a rented cloud desktop, which makes the activity blend in with normal traffic slightly differently. The real issue is the first break-in—usually stolen logins, hijacked sessions, weak MFA, or a malicious app link. That’s where tools that watch sessions in real time, catch phishing across channels, block shady app approvals, and roll back mailbox tampering shut it down before that cloud desktop turns into a launchpad.”
Renting Trust
Attackers now rent trust, adds Jason Soroko, Senior Fellow at Sectigo. “Five dollar VPS nodes buy entry to your allow list and they accomplish this by getting a clean ASN and fresh IP making traffic feel like a trusted source, not a criminal. In this case, the adversary is riding live sessions and no longer just harvesting passwords. The mailbox becomes the control plane. Vague rules act like a kind of stealth policy.”
Concurrency, sequence, and locality must line up, Soroko adds. “If they do not, you must have a way to freeze the session, not the user. Make inbox rules visible, named, and attested. Alert on rule churn the way you alert on privilege churn. Score infrastructure by volatility and provenance, not brand. Expect remote tools to appear where they never should and block by context. Autonomous containment is a governance choice that decides outcomes. In this campaign, the absence of it gave the intruders time, which is the adversary’s most important currency.”
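Soroko's three recommendations (alert on rule churn the way you alert on privilege churn, score infrastructure by volatility and provenance rather than brand, and freeze the session rather than the user) can be expressed as three small functions. The code below is an added example written for this article, not a product of Darktrace, SlashNext or Sectigo; the event fields, baseline figures, score weights, thresholds and sample history are all assumptions made for the example.

```python
"""Rule churn, infrastructure provenance and session-scoped response, run over
constructed SaaS audit data (every sample value here is invented for the example)."""
from datetime import datetime, timedelta

CHURN_WINDOW = timedelta(hours=24)
CHURN_MULTIPLIER = 3   # alert when a user's rule changes exceed 3x their usual daily rate ...
CHURN_FLOOR = 3        # ... and also exceed this many changes inside the window
REVOKE_THRESHOLD = 50  # infrastructure score at which the offending session is revoked


def parse(ts):
    return datetime.fromisoformat(ts)


def max_rule_changes_in_window(timestamps, window=CHURN_WINDOW):
    """Largest number of rule changes that fall inside any single sliding window."""
    ts = sorted(parse(t) for t in timestamps)
    best, j = 0, 0
    for i in range(len(ts)):
        while j < len(ts) and ts[j] - ts[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def rule_churn_alerts(rule_events, baseline_per_day):
    """Flag users whose inbox-rule changes in any 24h window exceed
    max(CHURN_FLOOR, CHURN_MULTIPLIER * their usual daily rate)."""
    per_user = {}
    for e in rule_events:
        per_user.setdefault(e["user"], []).append(e["ts"])
    alerts = []
    for user, stamps in per_user.items():
        peak = max_rule_changes_in_window(stamps)
        threshold = max(CHURN_FLOOR, CHURN_MULTIPLIER * baseline_per_day.get(user, 0.0))
        if peak > threshold:
            alerts.append({"user": user, "changes_24h": peak, "threshold": threshold})
    return alerts


def score_infrastructure(login, history):
    """Score the network a login came from by provenance (how long, and by how many
    accounts, it has been used here) and volatility (a fresh IP on nearly every
    session). The provider's name is deliberately not an input."""
    now = parse(login["ts"])
    prior = [h for h in history if h["org"] == login["org"] and parse(h["ts"]) < now]
    if not prior:
        return 60, ["no prior session from this network anywhere in the organisation"]
    score, reasons = 0, []
    if now - min(parse(h["ts"]) for h in prior) < timedelta(days=7):
        score += 30
        reasons.append("network first seen less than 7 days ago")
    if len({h["user"] for h in prior}) == 1:
        score += 15
        reasons.append("only one account has ever used this network")
    if len(prior) >= 3 and len({h["ip"] for h in prior}) / len(prior) > 0.8:
        score += 25
        reasons.append("volatile: nearly every session arrived from a fresh IP")
    return score, reasons


def recommend_response(session, infra_score, churn_flagged):
    """Freeze the session, not the user: revoke the one session that scored badly
    and leave the account's other, legitimate sessions untouched."""
    action = "revoke_session" if infra_score >= REVOKE_THRESHOLD or churn_flagged else "monitor"
    return {"action": action, "user": session["user"], "session_id": session["session_id"]}


# Constructed sample data: bob bursts four rule changes; dave changes rules often and is
# expected to; carol changes one. hosting-b has never been seen, hosting-a is two days old.
RULE_EVENTS = [
    {"user": "bob", "ts": "2025-05-19T09:05:00"}, {"user": "bob", "ts": "2025-05-19T09:06:00"},
    {"user": "bob", "ts": "2025-05-19T09:08:00"}, {"user": "bob", "ts": "2025-05-19T09:40:00"},
    {"user": "carol", "ts": "2025-05-19T07:30:00"},
    {"user": "dave", "ts": "2025-05-18T10:00:00"}, {"user": "dave", "ts": "2025-05-18T14:00:00"},
    {"user": "dave", "ts": "2025-05-18T18:00:00"}, {"user": "dave", "ts": "2025-05-19T02:00:00"},
    {"user": "dave", "ts": "2025-05-19T08:00:00"},
]
BASELINE_PER_DAY = {"bob": 0.2, "carol": 0.1, "dave": 2.0}
HISTORY = [
    {"user": "alice", "org": "Corp ISP", "ip": "203.0.113.10", "ts": "2025-01-10T08:00:00"},
    {"user": "bob", "org": "Corp ISP", "ip": "203.0.113.11", "ts": "2025-02-03T08:10:00"},
    {"user": "carol", "org": "Corp ISP", "ip": "203.0.113.12", "ts": "2025-03-15T08:05:00"},
    {"user": "alice", "org": "Corp ISP", "ip": "203.0.113.10", "ts": "2025-05-18T08:00:00"},
    {"user": "dave", "org": "hosting-a", "ip": "198.51.100.20", "ts": "2025-05-17T22:00:00"},
    {"user": "dave", "org": "hosting-a", "ip": "198.51.100.21", "ts": "2025-05-18T03:00:00"},
    {"user": "dave", "org": "hosting-a", "ip": "198.51.100.22", "ts": "2025-05-18T23:00:00"},
]
SAMPLE_LOGINS = [
    {"user": "alice", "org": "Corp ISP", "ip": "203.0.113.10", "ts": "2025-05-19T08:00:00", "session_id": "s-1"},
    {"user": "bob", "org": "hosting-b", "ip": "198.51.100.7", "ts": "2025-05-19T09:00:00", "session_id": "s-2"},
    {"user": "dave", "org": "hosting-a", "ip": "198.51.100.23", "ts": "2025-05-19T07:00:00", "session_id": "s-3"},
]


def run():
    """Return (decision, infrastructure score, reasons) for each sample login."""
    churned = {a["user"] for a in rule_churn_alerts(RULE_EVENTS, BASELINE_PER_DAY)}
    out = []
    for login in SAMPLE_LOGINS:
        score, reasons = score_infrastructure(login, HISTORY)
        out.append((recommend_response(login, score, login["user"] in churned), score, reasons))
    return out


if __name__ == "__main__":
    for decision, score, reasons in run():
        print(decision, score, reasons)
```

Two design points are worth noting. The churn threshold is relative to the user's own baseline, so an administrator who routinely manages rules (dave) does not trip it while a burst from a normally quiet account (bob) does. The infrastructure score never looks at the provider's name: a brand-new network with no organisational history, or one used by a single account from a different IP every time, scores badly whoever is renting it out.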
About the author
Kirsten Doyle, Information Security Buzz News Editor, has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.