Attackers Abuse Virtual Private Servers to Compromise SaaS Accounts

Threat actors are abusing virtual private servers (VPS) to compromise software-as-a-service (SaaS) accounts, according to an investigation by Darktrace.

The cybersecurity vendor identified coordinated SaaS account compromises across multiple customer environments, all of which involved logins from IP addresses linked to various VPS providers.

The compromised accounts were used to conduct follow-on phishing attacks, with threat actors taking steps to avoid detection and enable persistent access.

A VPS is a legitimate virtualized server widely used by businesses to provide dedicated resources and control on a shared physical device.

However, a VPS can be abused by attackers to bypass geolocation-based defenses by mimicking local traffic, to evade IP reputation checks using clean, newly provisioned infrastructure, and to blend into legitimate behavior.

“VPS providers like Hyonix and Host Universal offer rapid setup and minimal open-source intelligence (OSINT) footprint, making detection difficult. These services are not only fast to deploy but also affordable, making them attractive to attackers seeking anonymous, low-cost infrastructure for scalable campaigns,” the Darktrace researchers warned in a blog published on August 21.

“Such attacks tend to be targeted and persistent, often timed to coincide with legitimate user activity, a tactic that renders traditional security tools largely ineffective,” they continued.

How Attackers Compromise SaaS Via VPS Infrastructure

A number of incidents impacting Darktrace customer SaaS accounts were observed in May 2025. Many alerts linked back to VPS provider Hyonix and included brute-force attempts, anomalous logins and phishing campaign-related inbox rule creation.

In one case, two internal devices in a customer environment initiated logins from rare external IPs associated with the VPS providers Hyonix and Host Universal.

These logins occurred within minutes of legitimate user activity from distant geolocations, indicating session hijacking had occurred.

Shortly after the logins, the threat actor deleted emails referring to invoice documents from the user’s ‘Sent Items’ folder, suggesting an attempt to hide phishing emails that had been sent from the compromised account.

The researchers also observed a series of suspicious SaaS activities, including the creation of new email rules. These rules were given vague or generic names, likely to reduce the likelihood of detection while quietly redirecting or deleting incoming emails to maintain access and conceal malicious mailbox activity from legitimate users.

Although no lateral movement was detected from the compromised SaaS accounts, multiple user devices mirrored this activity, suggesting a coordinated campaign.
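The two indicators described above (a VPS-provider login minutes after legitimate activity from a different country, and generically named inbox rules that delete, move or forward mail) can be turned into simple detection logic. The following is an added example, not Darktrace's code; the sign-in and rule events are constructed, and the field layout, provider list and 15-minute window are assumptions.

```python
from datetime import datetime, timedelta

# VPS providers named in the article; extend with your own ASN/org list.
VPS_PROVIDERS = {"hyonix", "host universal"}

# Constructed sign-in events: (user, timestamp, source IP, provider/org, country)
SIGNINS = [
    ("alice", "2025-05-12T09:00:00", "203.0.113.10", "ExampleCorp ISP", "GB"),
    ("alice", "2025-05-12T09:04:00", "198.51.100.7", "Hyonix", "US"),
    ("bob",   "2025-05-12T10:00:00", "203.0.113.11", "ExampleCorp ISP", "GB"),
    ("bob",   "2025-05-12T16:30:00", "198.51.100.9", "Host Universal", "US"),
]

# Constructed inbox-rule creation events: (user, rule name, actions)
RULES = [
    ("alice", ".", ["delete"]),
    ("carol", "Vendor invoices to Finance", ["move:Finance"]),
    ("dave",  "a", ["forward:external@example.net", "mark_read"]),
]

def _ts(s):
    return datetime.fromisoformat(s)

def vps_logins_near_legit_activity(signins, window_minutes=15):
    """Return (user, ip, provider) for logins from a VPS provider that occur
    within window_minutes of another login by the same user from a different
    IP and country, i.e. the timing pattern the investigation describes."""
    hits, by_user = [], {}
    for ev in signins:
        by_user.setdefault(ev[0], []).append(ev)
    for user, evs in by_user.items():
        for _, t, ip, org, cc in evs:
            if org.lower() not in VPS_PROVIDERS:
                continue
            window = timedelta(minutes=window_minutes)
            if any(ip2 != ip and cc2 != cc and abs(_ts(t) - _ts(t2)) <= window
                   for _, t2, ip2, _, cc2 in evs):
                hits.append((user, ip, org))
    return hits

def suspicious_inbox_rules(rules):
    """Flag rules whose name is generic (two characters or fewer, or no
    letters at all) and whose actions hide mail by deleting, moving or
    forwarding it."""
    flagged = []
    for user, name, actions in rules:
        generic = len(name.strip()) <= 2 or not any(c.isalpha() for c in name)
        hides = any(a.split(":")[0] in {"delete", "move", "forward"} for a in actions)
        if generic and hides:
            flagged.append((user, name))
    return flagged
```

Both checks deliberately ignore lateral movement, so a hit on either should be correlated with the user's other SaaS activity (sent-item deletions, recovery-setting changes) before triage.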

“Notably, three users had near-identical similar inbox rules created, while another user had a different rule related to fake invoices, reinforcing the likelihood of a shared infrastructure and technique set,” the researchers noted.

On one account, attempts to modify account recovery settings were observed, while on another, the attacker reset passwords or updated security information from rare external IPs.

These actions suggested an intent to remain undetected while potentially setting the stage for data exfiltration or spam distribution.