
Experts have warned that hackers are increasingly using virtual private servers (VPS) to break into software-as-a-service (SaaS) accounts. A new investigation by Darktrace revealed multiple coordinated incidents where attackers leveraged VPS infrastructure to carry out stealthy and persistent attacks.
A Virtual Private Server (VPS) is a legitimate technology that allows businesses to run applications on a dedicated virtual machine with more control and flexibility. Companies often use VPS to host websites, manage cloud workloads, or support business tools.
However, attackers are now misusing VPS in clever ways:
- Bypassing geolocation filters: VPS instances can be spun up in any location, allowing hackers to mimic local traffic.
- Evading IP reputation checks: Since many VPS instances are newly created, they often carry a “clean” reputation, making them harder to block.
- Blending into real traffic: VPS traffic looks similar to legitimate business activity, making it difficult for traditional security tools to flag.
Darktrace researchers noted that providers such as Hyonix and Host Universal are particularly attractive to hackers. These services offer quick setup, low costs, and minimal digital footprint, giving cybercriminals a way to launch large-scale anonymous campaigns with little effort.
“Such attacks tend to be highly targeted and persistent, often timed to coincide with real user activity,” the researchers explained. “This makes them difficult for security teams to detect with conventional tools.”
In May 2025, Darktrace detected several incidents where SaaS accounts belonging to their customers were compromised. The alerts pointed back to IP addresses from VPS providers such as Hyonix.
The attackers used multiple methods, including:
- Brute-force login attempts to guess user passwords.
- Suspicious logins from unusual or rare locations.
- Phishing campaigns launched through compromised accounts.
In one case, attackers logged in from VPS-linked IP addresses within minutes of legitimate activity from the same user in a distant location. This indicated session hijacking, where hackers piggybacked on an active session to gain access.
Signs of Phishing and Persistence
Once inside the SaaS accounts, attackers quickly moved to cover their tracks. Darktrace observed that emails referencing invoices were deleted from Sent folders, likely to hide phishing messages sent from the compromised accounts.
The hackers also created new inbox rules with vague names. These rules quietly redirected or deleted emails, allowing attackers to intercept communication and stay hidden. In some cases, they attempted to reset passwords or change recovery information, strengthening their grip on the account.
Interestingly, three different users had nearly identical inbox rules set up, suggesting a coordinated campaign using shared tools and techniques. Another user had rules tied to fake invoices, pointing to a phishing scheme aimed at financial fraud.
Although Darktrace did not detect lateral movement within customer environments (such as spreading to other internal systems), the repeated behavior across multiple accounts showed clear signs of an organized attack.
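The inbox-rule behaviour described above (vague rule names, rules that delete or divert mail, invoice-themed conditions, and near-identical rules across several users) can be turned into a triage pass over rule-creation audit events. The following is an added example written for this article, not Darktrace's detection logic; the audit-event schema, the sample events and the `example.com` tenant are constructed for illustration, and a real deployment would map its own audit-log fields onto the same checks.

```python
"""Triage of mailbox inbox-rule creation events (added example, not Darktrace's
detection logic). Audit events use a constructed, simplified schema; the
heuristics follow the article: vague rule names, delete/forward actions,
invoice-themed conditions, and identical rules across several users."""
from collections import defaultdict

# Constructed sample events: one dict per "new inbox rule" audit record.
SAMPLE_RULE_EVENTS = [
    {"user": "alice@example.com", "rule_name": ".", "conditions": ["invoice"],
     "actions": ["delete"], "forward_to": None},
    {"user": "bob@example.com", "rule_name": ".", "conditions": ["invoice"],
     "actions": ["delete"], "forward_to": None},
    {"user": "carol@example.com", "rule_name": ".", "conditions": ["invoice"],
     "actions": ["delete"], "forward_to": None},
    {"user": "dave@example.com", "rule_name": "Payment notices",
     "conditions": ["payment", "invoice"], "actions": ["forward"],
     "forward_to": "collector@mail.invalid"},
    {"user": "erin@example.com", "rule_name": "Newsletter filing",
     "conditions": ["newsletter"], "actions": ["move"], "forward_to": None},
]

INTERNAL_DOMAIN = "example.com"          # constructed tenant domain
RISKY_ACTIONS = {"delete", "forward", "mark_read"}
FINANCE_TERMS = {"invoice", "payment", "remittance", "wire"}


def is_vague_name(name: str) -> bool:
    """A rule name of one or two characters, only punctuation, or blank."""
    stripped = name.strip()
    return len(stripped) <= 2 or not any(ch.isalnum() for ch in stripped)


def rule_fingerprint(event: dict) -> tuple:
    """Normalised (name, conditions, actions) so identical rules across users match."""
    return (event["rule_name"].strip().lower(),
            tuple(sorted(c.lower() for c in event["conditions"])),
            tuple(sorted(a.lower() for a in event["actions"])))


def score_rule(event: dict) -> list[str]:
    """Return the list of reasons this single rule looks suspicious."""
    reasons = []
    if is_vague_name(event["rule_name"]):
        reasons.append("vague_name")
    if RISKY_ACTIONS & {a.lower() for a in event["actions"]}:
        reasons.append("hides_or_diverts_mail")
    if FINANCE_TERMS & {c.lower() for c in event["conditions"]}:
        reasons.append("finance_keywords")
    fwd = event.get("forward_to")
    if fwd and not fwd.lower().endswith("@" + INTERNAL_DOMAIN):
        reasons.append("external_forward")
    return reasons


def triage(events: list[dict]) -> dict:
    """Per-user findings plus rule fingerprints shared by two or more users."""
    per_user = {}
    by_fp = defaultdict(set)
    for ev in events:
        reasons = score_rule(ev)
        if reasons:
            per_user[ev["user"]] = reasons
        by_fp[rule_fingerprint(ev)].add(ev["user"])
    # A rule that appears verbatim on several accounts is the coordinated-campaign signal.
    shared = {fp: sorted(users) for fp, users in by_fp.items() if len(users) >= 2}
    return {"per_user": per_user, "shared_rules": shared}


if __name__ == "__main__":
    result = triage(SAMPLE_RULE_EVENTS)
    for user, reasons in result["per_user"].items():
        print(f"{user}: {', '.join(reasons)}")
    for fp, users in result["shared_rules"].items():
        print(f"same rule {fp[0]!r} on {len(users)} accounts: {users}")
```

The per-rule score catches the single hidden-invoice rule; the fingerprint grouping is what surfaces the "three users with the same rule" pattern, which no per-account check would see on its own.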

SaaS platforms—such as email, collaboration tools, and cloud storage—are central to modern businesses. Compromising these accounts gives attackers several advantages:
- Direct access to sensitive data like invoices, contracts, or employee information.
- A trusted channel for phishing, since emails from a legitimate account are less likely to raise suspicion.
- Persistence, as mailbox rules and account recovery changes make it harder for security teams to regain control.
- Scalability, since VPS abuse allows attackers to launch campaigns across multiple organizations at once.
Organizations can take several steps to defend against these evolving threats:
- Enable Multi-Factor Authentication (MFA): Even if attackers guess or steal a password, MFA makes it harder to gain access.
- Monitor unusual login patterns: Logins from rare IPs, VPS providers, or impossible travel scenarios should be flagged.
- Use advanced email security tools: AI-driven solutions can help detect suspicious inbox rules, phishing attempts, or abnormal activity.
- Limit account recovery changes: Alerts should be set up for password resets, recovery email updates, or security setting modifications.
- Educate users: Employees should be aware of phishing risks and trained to report suspicious activity quickly.
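The login-monitoring advice above, and the earlier incident where a VPS-linked login arrived minutes after legitimate activity from a distant location, both reduce to two checks over identity-provider sign-in logs: is the source address in a range tagged as VPS/hosting, and could the same user physically have moved between two consecutive sign-in locations in the elapsed time. The script below is an added example, not Darktrace's or any vendor's code. The sign-in events, their coordinates and the VPS address ranges are constructed (the ranges are IETF documentation networks standing in for a real ASN or hosting-provider feed), and the 900 km/h plausibility threshold is an assumed tuning value.

```python
"""Sign-in anomaly checks from the article's defensive advice (added example,
not Darktrace's or any vendor's code). Events and the VPS address list are
constructed; a real deployment would feed IdP sign-in logs and an ASN/hosting
feed. Two checks: sign-ins from address ranges tagged as VPS/hosting, and
impossible travel between consecutive sign-ins of the same user."""
import ipaddress
import math
from datetime import datetime, timezone

# Constructed: ranges an organisation has tagged as VPS/hosting providers.
# A real feed would come from ASN data; these are IETF documentation ranges.
VPS_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample sign-ins (UTC). Coordinates are illustrative city locations.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "ts": "2025-05-12T08:00:00Z", "ip": "192.0.2.10",
     "lat": 51.5, "lon": -0.12, "mfa": True},      # London, corporate range
    {"user": "alice@example.com", "ts": "2025-05-12T08:07:00Z", "ip": "203.0.113.45",
     "lat": 40.7, "lon": -74.0, "mfa": False},     # New York via VPS range, 7 minutes later
    {"user": "bob@example.com", "ts": "2025-05-12T09:00:00Z", "ip": "192.0.2.22",
     "lat": 48.85, "lon": 2.35, "mfa": True},      # Paris
    {"user": "bob@example.com", "ts": "2025-05-12T18:00:00Z", "ip": "192.0.2.23",
     "lat": 51.5, "lon": -0.12, "mfa": True},      # London nine hours later: plausible
]

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold, roughly airliner speed


def is_vps_ip(ip: str) -> bool:
    """True when the address falls inside a range tagged as VPS/hosting."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPS_RANGES)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyse(signins: list[dict]) -> list[dict]:
    """Return one finding per flagged sign-in with the reasons it was flagged."""
    findings = []
    last_seen = {}  # user -> previous sign-in event, in time order
    for ev in sorted(signins, key=lambda e: (e["user"], parse_ts(e["ts"]))):
        reasons = []
        if is_vps_ip(ev["ip"]):
            reasons.append("vps_source")
        prev = last_seen.get(ev["user"])
        if prev is not None:
            hours = (parse_ts(ev["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            # Same-second sign-ins from far apart are still impossible; avoid dividing by zero.
            speed = km / hours if hours > 0 else float("inf")
            if km > 50 and speed > MAX_PLAUSIBLE_KMH:
                reasons.append(f"impossible_travel:{km:.0f}km_in_{hours * 60:.0f}min")
        # A flagged sign-in that also skipped MFA deserves the highest priority.
        if reasons and not ev["mfa"]:
            reasons.append("no_mfa")
        if reasons:
            findings.append({"user": ev["user"], "ts": ev["ts"], "ip": ev["ip"], "reasons": reasons})
        last_seen[ev["user"]] = ev
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_SIGNINS):
        print(f"{f['ts']} {f['user']} from {f['ip']}: {', '.join(f['reasons'])}")
```

The 50 km floor stops adjacent-city or mobile-network geolocation jitter from tripping the travel check, and the VPS-range test is deliberately separate from it: the article's point is that a fresh VPS address carries a clean reputation, so a sign-in from such a range should be scored even when no travel anomaly accompanies it.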
The abuse of VPS infrastructure to compromise SaaS accounts shows how attackers continue to adapt and exploit legitimate technologies for malicious purposes. With low-cost VPS providers making anonymous infrastructure easily available, businesses must stay vigilant.
As Darktrace researchers warned, these attacks are not only stealthy but also persistent, often overlapping with normal user behavior. This makes them especially challenging to detect with traditional defenses.
For businesses, the takeaway is clear: relying on passwords alone is no longer enough. Continuous monitoring, layered security, and user awareness are essential to protect SaaS environments from this growing threat.