Attackers Abuse Virtual Private Servers to Compromise SaaS Accounts
Threat actors are abusing virtual private servers (VPS) to compromise software-as-a-service (SaaS) accounts, according to an investigation by Darktrace. The cybersecurity vendor identified coordinated SaaS account compromises across multiple customer environments, all of which involved logins from IP addresses linked to various VPS providers.
A number of incidents impacting Darktrace customer SaaS accounts were observed in May 2025. Many alerts linked back to VPS provider Hyonix and included brute-force attempts, anomalous logins, and phishing campaign-related inbox rule creation.
The researchers also observed a series of suspicious SaaS activities, including the creation of new email rules. These rules were given vague or generic names, likely to reduce the likelihood of detection while quietly redirecting or deleting incoming emails to maintain access and conceal malicious mailbox activity from legitimate users.
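As an added illustration (not code from Darktrace or from the original article), the sketch below correlates logins from VPS address ranges with later inbox-rule creation and scores rules that have generic names and delete or divert mail. The event schema, field names, action names and the address range are assumptions constructed for this example; map them to your own SaaS audit log and hosting-provider intelligence.

```python
import ipaddress
import re

# Assumption: VPS/hosting ranges come from your own intel feed; this RFC 5737
# documentation range is a constructed placeholder.
VPS_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Hypothetical action names for rules that hide or divert mail.
HIDING_ACTIONS = {"delete", "redirect", "forward", "move_to_folder"}
# Heuristic for "vague or generic" names: two characters or fewer, or no letters.
GENERIC_NAME = re.compile(r"^(.{0,2}|[\W\d_]+)$")

def from_vps(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPS_RANGES)

def score_rule_event(event, vps_login_users):
    """Return (score, reasons) for one inbox-rule creation event."""
    reasons = []
    if GENERIC_NAME.match(event["rule_name"].strip()):
        reasons.append("generic rule name")
    if HIDING_ACTIONS & set(event["actions"]):
        reasons.append("rule deletes or diverts mail")
    if from_vps(event["src_ip"]) or event["user"] in vps_login_users:
        reasons.append("account seen from VPS address")
    return len(reasons), reasons

def triage(events, threshold=2):
    """Correlate logins from VPS ranges with later inbox-rule creation."""
    vps_users, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] == "login" and from_vps(ev["src_ip"]):
            vps_users.add(ev["user"])
        elif ev["type"] == "inbox_rule_created":
            score, reasons = score_rule_event(ev, vps_users)
            if score >= threshold:
                alerts.append((ev["user"], ev["rule_name"], reasons))
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE = [
    {"type": "login", "time": 1, "user": "alice", "src_ip": "203.0.113.45"},
    {"type": "inbox_rule_created", "time": 2, "user": "alice",
     "src_ip": "192.0.2.10", "rule_name": "..", "actions": ["delete"]},
    {"type": "inbox_rule_created", "time": 3, "user": "bob",
     "src_ip": "192.0.2.20", "rule_name": "Newsletters", "actions": ["move_to_folder"]},
]
```

Running triage(SAMPLE) flags only the rule created on the account that previously logged in from the placeholder VPS range; the ordinary "Newsletters" rule stays below the threshold.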