Hackers Abuse VPS Servers To Compromise Software-as-a-service (SaaS) Accounts


Cybercriminals are increasingly using Virtual Private Server (VPS) infrastructure to attack Software-as-a-Service (SaaS) platforms, relying on the anonymity and clean IP reputation of these hosting providers to slip past traditional security controls.

A coordinated campaign identified in early 2025 demonstrated how threat actors systematically abuse VPS providers like Hyonix, Host Universal, Mevspace, and Hivelocity to compromise enterprise email accounts and establish persistent access to organizational systems.

The attack methodology centers on credential abuse and session hijacking: attackers use stolen credentials or session tokens to log into SaaS accounts from VPS-hosted infrastructure rather than from the victim's usual network.


Timeline of activity for Case 1 – Unusual VPS logins and deletion of phishing emails (Source – Darktrace)

Logging in from a VPS lets attackers sidestep geolocation-based controls: the source IP belongs to a commercial hosting provider in an unremarkable location rather than to a known-bad range or an unexpected country, so the session looks like ordinary remote access.

The clean IP reputation associated with newly provisioned VPS instances enables attackers to evade conventional blacklist-based detection systems, making their activities blend seamlessly with normal business operations.

Timeline of activity for Case 2 – Coordinated inbox rule creation and outbound phishing campaign (Source – Darktrace)

Investigations spanning March through May 2025 revealed a surge in anomalous login activity originating from Hyonix's Autonomous System (AS931), with threat actors showing remarkably consistent attack patterns across multiple victim environments.

Darktrace analysts identified suspicious activities including improbable travel scenarios where users appeared to access accounts simultaneously from distant geographical locations, indicating clear signs of credential compromise and session hijacking.
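The two signals described above, improbable travel and sign-ins from a watchlisted VPS network, are straightforward to implement over sign-in logs that already carry geolocation. The Python below is an added example, not Darktrace's detector or code from the article; the sign-in records are constructed for the illustration, and the watchlist reuses AS931 and the three IP addresses the article lists as indicators (assumed here to be the whole list; a real deployment would source it from threat intelligence).

```python
"""Flag SaaS sign-ins that show impossible travel or originate from
watchlisted VPS infrastructure.  Added illustration only; the events
below are constructed, not real telemetry."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Watchlist taken from the indicators reported in the article.
WATCHLIST_ASNS = {931}  # AS931, Hyonix
WATCHLIST_IPS = {"38.240.42.160", "194.49.68.244", "91.223.3.147"}

MAX_PLAUSIBLE_KMH = 1000.0  # faster than any airline flight => impossible travel
MIN_DISTANCE_KM = 100.0     # ignore jitter between nearby geolocations


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin(radians(lat2 - lat1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))


def analyse_signins(events):
    """events: dicts with user, ts (ISO 8601 with offset), ip, asn, lat, lon.
    Returns a list of (user, reason, detail) tuples, in time order."""
    alerts = []
    last_seen = {}  # user -> previous sign-in event
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        if ev["asn"] in WATCHLIST_ASNS or ev["ip"] in WATCHLIST_IPS:
            alerts.append((ev["user"], "watchlisted_vps", ev["ip"]))
        prev = last_seen.get(ev["user"])
        if prev is not None:
            dist = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            delta = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = delta.total_seconds() / 3600.0
            # Two distant locations inside the same instant are impossible too.
            if dist > MIN_DISTANCE_KM and (hours <= 0 or dist / hours > MAX_PLAUSIBLE_KMH):
                alerts.append((ev["user"], "impossible_travel",
                               f"{dist:.0f} km in {hours:.2f} h"))
        last_seen[ev["user"]] = ev
    return alerts


# Constructed sample: alice signs in from London, then 40 minutes later from a
# Hyonix address geolocated to New York; bob travels London -> Paris over 8 hours.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2025-04-02T09:00:00+00:00", "ip": "203.0.113.10",
     "asn": 64500, "lat": 51.5074, "lon": -0.1278},
    {"user": "alice", "ts": "2025-04-02T09:40:00+00:00", "ip": "38.240.42.160",
     "asn": 931, "lat": 40.7128, "lon": -74.0060},
    {"user": "bob", "ts": "2025-04-02T10:00:00+00:00", "ip": "198.51.100.7",
     "asn": 64500, "lat": 51.5074, "lon": -0.1278},
    {"user": "bob", "ts": "2025-04-02T18:00:00+00:00", "ip": "198.51.100.8",
     "asn": 64500, "lat": 48.8566, "lon": 2.3522},
]

if __name__ == "__main__":
    for alert in analyse_signins(SAMPLE_EVENTS):
        print(*alert)
```

Running it reports two alerts for alice (a sign-in from a watchlisted address, then London to New York in 40 minutes) and nothing for bob, whose London to Paris hop is well under the speed threshold. Either signal alone is worth a ticket; both together on one account within minutes is the pattern the article describes.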

The campaign's sophistication extends beyond initial access, incorporating Multi-Factor Authentication (MFA) bypass through token manipulation (replaying an already-authenticated session token so that no fresh MFA challenge is issued) and the systematic creation of obfuscated email rules designed to maintain stealth.

Attackers established persistence by creating inbox rules with minimal or generic names to avoid detection during routine security audits, automatically redirecting or deleting incoming emails to conceal their malicious activities.

Advanced Persistence and Evasion Mechanisms

The threat actors demonstrated advanced understanding of email security systems by implementing targeted inbox rule manipulation techniques that operate below the threshold of typical security monitoring.

The malicious rules specifically targeted emails containing sensitive organizational information, including communications from VIP personnel and financial documents.
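The rule characteristics described above (a generic or near-empty name, an action that deletes or diverts mail, conditions keyed to VIP senders or financial terms) can be hunted for in Exchange Online audit records, where rule creation appears as a New-InboxRule or Set-InboxRule operation with the rule's parameters as Name/Value pairs. The Python below is an added example rather than code from Darktrace or the article; the audit records are constructed to mimic that shape, the keyword and generic-name lists are illustrative, and the watchlisted address is the Hyonix IP the article reports.

```python
"""Hunt for stealthy inbox rules in Exchange Online audit records.
Added illustration; the records are constructed, not real audit data."""

# Names the attackers favour: empty, punctuation, or a single throwaway word.
GENERIC_NAMES = {"", ".", ",", "..", "a", "x", "rule", "test", "new rule"}
# Rule actions that hide or divert mail rather than merely organise it.
HIDING_ACTIONS = {"DeleteMessage", "MoveToFolder", "ForwardTo", "RedirectTo",
                  "ForwardAsAttachmentTo", "MarkAsRead"}
# Condition keywords that suggest the rule targets VIP or financial mail.
SENSITIVE_WORDS = {"invoice", "payment", "wire", "bank", "ceo", "cfo",
                   "password", "mfa", "phish", "suspicious"}
WATCHLIST_IPS = {"38.240.42.160"}  # Hyonix address reported in the article


def params_of(record):
    """Flatten the audit record's Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def client_ip(record):
    ip = record.get("ClientIP", "")
    if ip.count(":") == 1:  # IPv4 entries are logged as "ip:port"
        ip = ip.split(":")[0]
    return ip


def assess_rule(record):
    """Return the reasons a rule record looks malicious (empty list = benign)."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = params_of(record)
    reasons = []
    name = p.get("Name", "").strip().lower()
    if len(name) <= 2 or name in GENERIC_NAMES:
        reasons.append("generic_name")
    actions = sorted(a for a in HIDING_ACTIONS if p.get(a) not in (None, "", "False"))
    if actions:
        reasons.append("hides_or_diverts:" + ",".join(actions))
    conditions = " ".join(str(v) for k, v in p.items()
                          if k.endswith("ContainsWords") or k == "From").lower()
    hits = sorted(w for w in SENSITIVE_WORDS if w in conditions)
    if hits:
        reasons.append("targets_sensitive:" + ",".join(hits))
    if client_ip(record) in WATCHLIST_IPS:
        reasons.append("created_from_watchlisted_ip")
    # Escalate only when the rule hides or diverts mail AND shows another red flag,
    # so ordinary "move newsletters to a folder" rules stay quiet.
    return reasons if actions and len(reasons) >= 2 else []


def audit(records):
    """Map record Id -> reasons for every record that trips the heuristics."""
    return {r["Id"]: assess_rule(r) for r in records if assess_rule(r)}


# Constructed records in the shape of Exchange Online audit entries.
SAMPLE_RECORDS = [
    {"Id": "r1", "Operation": "New-InboxRule", "UserId": "alice@corp.example",
     "ClientIP": "38.240.42.160:443",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Id": "r2", "Operation": "New-InboxRule", "UserId": "bob@corp.example",
     "ClientIP": "203.0.113.10:443",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"Id": "r3", "Operation": "Set-InboxRule", "UserId": "carol@corp.example",
     "ClientIP": "198.51.100.9:443",
     "Parameters": [{"Name": "Name", "Value": ".."},
                    {"Name": "From", "Value": "cfo@corp.example"},
                    {"Name": "ForwardTo", "Value": "SMTP:outside@example.net"}]},
    {"Id": "r4", "Operation": "UserLoggedIn", "UserId": "alice@corp.example",
     "ClientIP": "203.0.113.10"},
]

if __name__ == "__main__":
    for rule_id, reasons in audit(SAMPLE_RECORDS).items():
        print(rule_id, reasons)
```

Against the sample, r1 is flagged on every heuristic (punctuation name, deletes mail, targets invoice and payment subjects, created from the watchlisted VPS address), r3 is flagged for silently forwarding the CFO's mail under a two-character name, and the benign newsletter rule r2 is left alone. Pair the rule creation time and ClientIP with the sign-in analysis to confirm the rule was created from the same anomalous session.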

Technical analysis mapped the activity to MITRE ATT&CK T1098.002 (Account Manipulation: Additional Email Delegate Permissions, formerly named Exchange Email Delegate Permissions) combined with T1071.001 (Application Layer Protocol: Web Protocols) for command and control; the inbox-rule tradecraft itself is catalogued separately as T1564.008 (Hide Artifacts: Email Hiding Rules).

Key indicators of compromise include IP addresses 38.240.42[.]160 and 194.49.68[.]244 associated with Hyonix infrastructure, alongside 91.223.3[.]147 from Mevspace Poland.

The attackers employed domain fluxing techniques for infrastructure resilience while maintaining operational security through carefully timed activities that coincided with legitimate user sessions, effectively masking their presence within normal business communications.




About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.