Hackers Use Virtual Private Servers to Break Into SaaS Accounts
In a blog post published on August 21, Darktrace researchers raised the alarm about a series of targeted and persistent attacks on Software-as-a-Service (SaaS) accounts. These attacks, which were observed predominantly in May 2025, have been linked back to various Virtual Private Server (VPS) providers, including Hyonix, DigitalOcean, Vultr, Linode, and Host Universal.
The attacks appear to be meticulously planned, often timed to coincide with legitimate user activity. The threat actors are using these VPS providers to compromise SaaS accounts, after which they proceed to conduct follow-on phishing attacks.
One of the tactics employed by the threat actors is the deletion of emails referring to invoice documents from the 'Sent Items' folder, suggesting an attempt to hide phishing emails that had been sent from the compromised account. Additionally, suspicious SaaS activities have been observed, such as the creation of new email rules with vague or generic names, likely to reduce the chance of detection while quietly redirecting or deleting incoming emails.
The compromises were observed across multiple customer environments and involved logins from IP addresses linked to various VPS providers. In one case, internal devices in a customer environment initiated logins from rare external IPs associated with VPS providers Hyonix and Host Universal, indicating session hijacking had occurred. On some accounts, attempts to modify account recovery settings were observed, while on others, the attacker reset passwords or updated security information from rare external IPs.
Notably, three users had nearly identical inbox rules created, while another user had a different rule related to fake invoices, reinforcing the likelihood of a shared infrastructure and technique set.
The use of VPS providers in these attacks is particularly concerning due to their fast deployment and affordable nature, making them attractive to attackers seeking anonymous, low-cost infrastructure for scalable campaigns. Furthermore, VPS providers like Hyonix and Host Universal offer rapid setup and minimal open-source intelligence (OSINT) footprint, making detection difficult.
Darktrace's investigative report urges organisations to remain vigilant and to implement robust security measures to protect their SaaS accounts from such attacks. The report also emphasises the importance of monitoring user behaviour and network traffic for any unusual activities that could indicate a compromise.
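The behaviours described above can be correlated per account: a login from a VPS-hosted IP that is new for the user, followed shortly by a generically named inbox rule or the deletion of invoice mail from Sent Items. The sketch below is an added example, not Darktrace's detection logic; the event field names, the one-hour window, the rule-name heuristic and the IP-to-provider map (documentation address ranges) are all assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed map on documentation ranges (RFC 5737); a real deployment
# would resolve hosting providers from an ASN or IP-reputation feed.
VPS_NETS = {
    ipaddress.ip_network("203.0.113.0/24"): "Hyonix",
    ipaddress.ip_network("198.51.100.0/24"): "Host Universal",
}
# Assumed heuristic for a "vague or generic" name: punctuation only or 1-2 chars.
GENERIC_NAME = re.compile(r"^(\W+|.{1,2})$")
WINDOW = timedelta(hours=1)  # assumed correlation window

# Constructed audit events; field names are hypothetical, not a vendor schema.
EVENTS = [
    {"ts": "2025-05-12T09:01:00", "user": "alice", "op": "Login", "ip": "192.0.2.10"},
    {"ts": "2025-05-12T09:04:00", "user": "alice", "op": "Login", "ip": "203.0.113.45"},
    {"ts": "2025-05-12T09:09:00", "user": "alice", "op": "NewInboxRule",
     "ip": "203.0.113.45", "name": ".."},
    {"ts": "2025-05-12T09:20:00", "user": "alice", "op": "Delete",
     "ip": "203.0.113.45", "folder": "Sent Items", "subject": "Invoice 4471"},
    {"ts": "2025-05-12T10:05:00", "user": "bob", "op": "NewInboxRule",
     "ip": "192.0.2.22", "name": "Newsletters to folder"},
    {"ts": "2025-05-12T11:00:00", "user": "carol", "op": "Login", "ip": "198.51.100.7"},
]
BASELINE = {"alice": {"192.0.2.10"}, "bob": {"192.0.2.22"}}  # constructed known IPs

def vps_provider(ip):
    addr = ipaddress.ip_address(ip)
    return next((p for net, p in VPS_NETS.items() if addr in net), None)

def suspicious(ev):
    if ev["op"] == "NewInboxRule" and GENERIC_NAME.match(ev.get("name", "")):
        return f"generic inbox rule {ev['name']!r}"
    if (ev["op"] == "Delete" and ev.get("folder") == "Sent Items"
            and "invoice" in ev.get("subject", "").lower()):
        return "invoice mail deleted from Sent Items"
    return None

def correlate(events, known_ips):
    """Flag follow-on actions within WINDOW of a login from a VPS IP new to the user."""
    alerts, vps_login = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        provider = vps_provider(ev["ip"])
        if ev["op"] == "Login" and provider and ev["ip"] not in known_ips.get(user, set()):
            vps_login[user] = (ts, provider)
        reason = suspicious(ev)
        if reason and user in vps_login and ts - vps_login[user][0] <= WINDOW:
            alerts.append((user, vps_login[user][1], reason))
    return alerts
```

A VPS login with no follow-on action (carol in the sample data) produces no alert on its own; the signal is the sequence, which keeps noise down for users who legitimately connect through hosted infrastructure.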