Darktrace uncovered a coordinated phishing campaign exploiting Virtual Private Servers (VPS) to hijack SaaS accounts across multiple organizations. Attackers abused VPS infrastructure from providers such as Hyonix, Host Universal, Mevspace, and Hivelocity to bypass geolocation defenses, conceal malicious logins, and launch phishing and session hijacking attacks. These intrusions enabled attackers to manipulate inbox rules, delete evidence, and maintain persistence, highlighting the growing role of VPS abuse in cloud-targeted threats.
Severity Level: High
Initial Access & Intrusion
- Threat actors gained access to SaaS accounts via phishing and credential hijacking.
- Logins originated from VPS-linked IPs (Hyonix, Host Universal, Mevspace, Hivelocity), often within minutes of legitimate user logins, mimicking “improbable travel” activity.
- MFA tokens were successfully claimed, suggesting session hijacking rather than simple credential theft.
Persistence & Concealment
- Attackers created new inbox rules with vague or obfuscated names, redirecting or deleting emails to hide evidence of phishing.
- Emails referencing invoices or VIP communications were auto-deleted to conceal malicious mailbox activity.
- In one case, security recovery settings were modified to strengthen persistence.
Malicious Operations
- Phishing emails sent from compromised accounts, followed by deletion of “sent” evidence.
- Outbound spam campaigns with finance-related lures (e.g., subject lines like INV#. EMITTANCE-1).
- Deployment of SplashtopStreamer.exe, a remote access tool, potentially to maintain stealthy long-term access.
Infrastructure & Evasion
- Attackers relied on clean VPS IP ranges with little or no prior negative reputation, helping them evade IP-reputation-based detection.
- Domain fluxing detected on malicious infrastructure, providing resilience against static blocking.
- Activity mirrored across multiple customer environments, suggesting shared infrastructure and coordinated operations.
MITRE ATT&CK
| TACTIC | TECHNIQUE | ID |
| --- | --- | --- |
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 |
| Execution | Valid Accounts | T1078 |
| Persistence | Account Manipulation: Exchange Email Rules | T1098.002 |
| Command & Control | Application Layer Protocol: Web Protocols | T1071.001 |
| Defense Evasion | Masquerading | T1036 |
| Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 |
| Credential Access | Modify Authentication Process: MFA Bypass | T1556.004 |
| Discovery | Account Discovery | T1087 |
| Impact | Account Access Removal | T1531 |
Recommendations
- Enforce phishing-resistant MFA (e.g., FIDO2, hardware tokens) instead of SMS or push-based MFA, which can be bypassed by session hijacking.
- Apply conditional access policies to block or challenge logins from high-risk geolocations, VPS IP ranges, and anonymizing services (VPN, Tor, hosting providers).
- Continuously monitor for inbox rule creation, email auto-forwarding, and mass deletion events in SaaS platforms (e.g., Microsoft 365, Google Workspace). Alert on suspicious rule names (obfuscated, generic, or minimal), which attackers use to hide phishing traffic.
- Apply application allowlisting to restrict unauthorized software installations that attackers may use for persistence.
- Train employees to recognize phishing emails, especially those involving finance/invoice lures or spoofed VIP communications.
- Educate users on reporting anomalies, such as unexpected MFA prompts or login alerts.
- Reinforce security hygiene practices (avoid password reuse, use password managers, never approve unsolicited MFA requests).
- Block the IOCs at their respective controls:
https://www.virustotal.com/gui/collection/ea550c99e5602f0428b0720d07438f3ed09fe11f0f8ece4b93214b0f5ead811a/iocs
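One way to implement the inbox-rule monitoring recommended above, as an added example that is not part of this advisory or of Darktrace's tooling: it triages New-InboxRule audit events for the concealment patterns described in the Persistence & Concealment section (minimal or obfuscated rule names, auto-deletion, finance/VIP keyword filters, parking mail in unwatched folders, forwarding). The record layout, the sample users and the indicator names are assumptions; the parameter names follow the Exchange New-InboxRule cmdlet.

```python
import re

# Constructed sample records shaped like Microsoft 365 Unified Audit Log "New-InboxRule" events; the layout is an assumption.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "Parameters": {"Name": "..", "SubjectContainsWords": ["invoice", "remittance"],
                    "DeleteMessage": True}},
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "Parameters": {"Name": "Newsletter filing", "From": ["news@vendor.example"],
                    "MoveToFolder": "Newsletters"}},
    {"Operation": "New-InboxRule", "UserId": "ap@example.com",
     "Parameters": {"Name": "a", "From": ["ceo@example.com"],
                    "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True}},
]

# Lures named in the advisory (invoices, VIP communications) plus common finance terms.
FINANCE_WORDS = {"invoice", "payment", "remittance", "wire", "vip"}
# Folders users rarely open, a typical place to hide replies to phishing mail.
UNWATCHED_FOLDERS = {"RSS Subscriptions", "Conversation History", "Archive", "Junk Email"}

def rule_name_suspicious(name):
    """True for blank, minimal or punctuation-only rule names (e.g. '.', 'a', '..')."""
    s = name.strip()
    return len(s) <= 2 or not re.search(r"[A-Za-z0-9]{3,}", s)

def score_inbox_rule(event):
    """Return the reasons a New-InboxRule event resembles mailbox concealment."""
    if event.get("Operation") != "New-InboxRule":
        return []
    p = event.get("Parameters", {})
    reasons = []
    if rule_name_suspicious(p.get("Name", "")):
        reasons.append("obfuscated_or_minimal_rule_name")
    words = {w.lower() for w in p.get("SubjectContainsWords", []) + p.get("BodyContainsWords", [])}
    if words & FINANCE_WORDS:
        reasons.append("targets_finance_keywords")
    if p.get("DeleteMessage"):
        reasons.append("auto_delete")
    if p.get("MoveToFolder") in UNWATCHED_FOLDERS:
        reasons.append("moves_to_unwatched_folder")
    if p.get("MarkAsRead"):
        reasons.append("marks_as_read")
    if p.get("ForwardTo") or p.get("RedirectTo") or p.get("ForwardAsAttachmentTo"):
        reasons.append("forwards_or_redirects_mail")
    return reasons

def triage(events):
    """Keep only rules with at least one concealment indicator, for analyst review."""
    return [(e["UserId"], e["Parameters"].get("Name"), r)
            for e in events if (r := score_inbox_rule(e))]
```

Feed it the AuditData records exported from the audit log; a single indicator is a lead, while a minimal rule name combined with auto-delete or finance keywords is what the advisory describes and should page someone.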
Source:
- https://www.darktrace.com/blog/from-vps-to-phishing-how-darktrace-uncovered-saas-hijacks-through-virtual-infrastructure-abuse