CybersecurityNewswire

Hackers Weaponize VPS to Breach SaaS Accounts

Summary

– Threat actors are using virtual private servers (VPS) to compromise SaaS accounts by mimicking local traffic and evading IP reputation checks.
– Compromised accounts were used for follow-on phishing attacks, with attackers deleting emails and creating inbox rules to hide malicious activity.
– Attackers timed their logins to coincide with legitimate user activity, making detection difficult for traditional security tools.
– Specific VPS providers like Hyonix and Host Universal were identified as being abused due to their rapid setup, low cost, and minimal OSINT footprint.
– The attacks were targeted and persistent, with evidence of coordinated campaigns across multiple user accounts but no lateral movement detected.

Cybersecurity experts have identified a concerning trend where malicious actors exploit virtual private servers (VPS) to gain unauthorized access to software-as-a-service (SaaS) platforms. A recent investigation reveals that threat groups are systematically using VPS infrastructure to bypass conventional security measures, enabling them to compromise business accounts and launch secondary attacks with increased stealth and persistence.

These intrusions often begin with logins originating from IP addresses tied to commercial VPS providers. By using these services, attackers effectively disguise their activities as legitimate local traffic, sidestepping geolocation filters and reputation-based defenses. The use of freshly provisioned servers with minimal historical data makes it exceptionally difficult for automated security systems to flag these connections as suspicious.

Providers such as Hyonix and Host Universal have become popular among threat actors due to their rapid deployment, low cost, and limited open-source intelligence footprint. This combination allows attackers to operate anonymously while scaling their campaigns efficiently. What makes these intrusions particularly dangerous is their timing: many occur concurrently with normal user activity, so a login from a new address sits alongside the legitimate user's own session and traditional monitoring tools do not single it out.

In several cases documented in May 2025, attackers gained entry through brute-force attempts, and the resulting logins stood out as anomalous in origin and timing. Once inside, they deleted sent emails related to invoices, a clear effort to conceal phishing launched from the hijacked account. In some instances, malicious inbox rules were created under deliberately vague names, allowing attackers to silently reroute or delete messages without alerting the legitimate user.

The consistency of these actions across multiple accounts suggests a highly coordinated operation. Some attackers even attempted to modify account recovery settings or reset passwords from unfamiliar external IPs, indicating an intent to maintain long-term access. While lateral movement was not observed, the replication of tactics across user devices points to a shared infrastructure and methodology.

This wave of attacks underscores the need for organizations to adopt behavioral analytics and anomaly-based detection systems. Relying solely on IP blacklists or geographic blocking is no longer sufficient. As attackers continue to leverage easily accessible cloud infrastructure, defenders must focus on detecting subtle deviations in user behavior rather than relying on outdated indicators of compromise.
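The detection approach the article argues for, correlating several weak behavioural signals rather than blocking on IP reputation, is shown below as an added example; it is not code from the article or from any vendor product. The event tuples, the ASN organisation strings (including the "Hyonix" label), the hosting-provider watchlist and the per-user baseline are all constructed for the demo and would be replaced by your own sign-in and mailbox-audit exports and IP enrichment.

```python
"""Behavioural correlation of SaaS sign-in and mailbox audit events.

Added example, not code from the article or any vendor. The event schema
(tuples below), the ASN organisation labels, the hosting watchlist and the
baseline are assumptions chosen for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed substrings of ASN organisation names returned by IP enrichment.
# Hosting-provider origin is a weak signal on its own: fresh VPS addresses
# have no reputation history, so this is never alerted on by itself.
HOSTING_ORGS = ("hyonix", "host universal")

# Constructed sample data, not real logs. Times are UTC ISO-8601; the ASN
# org strings are assumed labels, not the providers' registry names.
# Sign-in events: (user, time, ip, asn_org, result)
SIGNINS = [
    ("alice@example.com", "2025-05-12T08:02:00", "203.0.113.10", "ExampleCorp-Office", "ok"),
    ("alice@example.com", "2025-05-12T08:05:00", "198.51.100.77", "Hyonix", "fail"),
    ("alice@example.com", "2025-05-12T08:05:30", "198.51.100.77", "Hyonix", "fail"),
    ("alice@example.com", "2025-05-12T08:06:00", "198.51.100.77", "Hyonix", "ok"),
    ("bob@example.com",   "2025-05-12T09:00:00", "203.0.113.11", "ExampleCorp-Office", "ok"),
]
# Mailbox audit events: (user, time, ip, operation, detail)
MAILBOX = [
    ("alice@example.com", "2025-05-12T08:07:00", "198.51.100.77", "New-InboxRule",
     {"name": ".", "actions": ["DeleteMessage"], "subject_words": ["invoice"]}),
    ("alice@example.com", "2025-05-12T08:09:00", "198.51.100.77", "SoftDelete",
     {"folder": "Sent Items", "subject": "Invoice 4471 - payment details"}),
    ("bob@example.com", "2025-05-12T09:10:00", "203.0.113.11", "New-InboxRule",
     {"name": "Vendor newsletters", "actions": ["MoveToFolder:Newsletters"], "subject_words": []}),
]
# Per-user baseline of ASN organisations seen over the prior 30 days (assumed).
BASELINE = {"alice@example.com": {"ExampleCorp-Office"},
            "bob@example.com": {"ExampleCorp-Office"}}

# Rule actions that keep mail out of the user's sight.
HIDING_ACTIONS = ("DeleteMessage", "MoveToFolder", "MarkAsRead")


def vague_rule_name(name):
    """Names like '.', '..', ' ' or a single letter: nothing a user would type."""
    s = name.strip()
    return len(s) <= 2 or not any(c.isalnum() for c in s)


def analyze(signins, mailbox, baseline, window=timedelta(minutes=15)):
    """Return {user: [(signal, detail...), ...]} from correlated events."""
    findings = defaultdict(list)
    ip_org = {}                       # IP -> ASN org, learned from sign-ins
    by_user = defaultdict(list)
    for user, ts, ip, org, result in signins:
        ip_org[ip] = org
        by_user[user].append((datetime.fromisoformat(ts), ip, org, result))

    for user, events in by_user.items():
        events.sort()
        known = baseline.get(user, set())
        ok = [e for e in events if e[3] == "ok"]
        for t, ip, org, _ in ok:
            if org not in known:
                findings[user].append(("new_asn_login", ip, org))
            if any(h in org.lower() for h in HOSTING_ORGS):
                findings[user].append(("hosting_provider_login", ip, org))
            # Failures from the same IP shortly before the success: guessing.
            fails = [e for e in events
                     if e[3] == "fail" and e[1] == ip and t - window <= e[0] < t]
            if len(fails) >= 2:
                findings[user].append(("failures_then_success", ip, len(fails)))
        # Two successful sessions from different networks inside one window:
        # the intruder logging in alongside the legitimate user.
        for i, (t1, _, org1, _) in enumerate(ok):
            for t2, _, org2, _ in ok[i + 1:]:
                if org1 != org2 and t2 - t1 <= window:
                    findings[user].append(("concurrent_sessions", org1, org2))

    for user, ts, ip, op, detail in mailbox:
        org = ip_org.get(ip, "unknown")
        foreign = org not in baseline.get(user, set())
        if op == "New-InboxRule":
            acts = detail.get("actions", [])
            hides = any(a.startswith(HIDING_ACTIONS) for a in acts)
            if vague_rule_name(detail.get("name", "")) or (hides and foreign):
                findings[user].append(("suspicious_inbox_rule", detail.get("name"), acts))
        elif op in ("SoftDelete", "HardDelete") and detail.get("folder") == "Sent Items" and foreign:
            findings[user].append(("sent_mail_deleted", ip, detail.get("subject")))
    return dict(findings)


def alerts(findings, min_signals=2):
    """Alert only when several independent behavioural signals agree on one user."""
    return {u for u, f in findings.items() if len({s[0] for s in f}) >= min_signals}


if __name__ == "__main__":
    result = analyze(SIGNINS, MAILBOX, BASELINE)
    for user in alerts(result):
        print(user)
        for f in result[user]:
            print("  ", f)
```

On the constructed data, alice accumulates six distinct signals (new network, hosting provider, failures before success, a session overlapping her office session, a dot-named delete rule, and a deletion from Sent Items) and is alerted; bob's ordinary move-to-folder rule from his usual network produces nothing. The threshold in `alerts` is the practical point: any one of these signals is noisy in isolation, and the hosting-provider match in particular would be useless against a provider you have not listed, but a login from an unfamiliar network followed within minutes by mailbox tampering from the same address is what the article describes.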

(Source: InfoSecurity Magazine)
