Attackers Are Abusing Virtual Private Servers to Compromise SaaS Accounts — Here’s How They Do It and How to Stop Them
If you’ve ever relied on IP reputation, geofencing, or “trusted locations” to protect your SaaS stack, this one’s for you. Darktrace researchers recently uncovered a coordinated wave of SaaS account compromises coming from virtual private server (VPS) providers. The logins looked clean. The IPs were new. The timing mimicked real users. And once attackers got in, they quietly set up inbox rules, deleted evidence, and kept access long enough to launch phishing from within.
That’s the kind of campaign that slips past “good-enough” controls. And it’s becoming more common because the infrastructure is cheap, fast, and anonymous.
In this guide, I’ll break down how attackers weaponize VPS hosting to bypass common defenses, what the Darktrace team observed across multiple customer environments, and the exact steps you can take to detect, block, and evict them. If you’re thinking “we already have MFA,” you’re not wrong—but here’s why that might not be enough.
Let’s dig in.
What Is a VPS (and Why Attackers Love It)?
A virtual private server is a legitimate, widely used service. Businesses rent VPS instances to get dedicated resources and control without buying a physical server. Think of it like having your own apartment inside a larger building—you have your own door and utilities, even though you share the structure.
Now, why is it attractive to attackers?
- Clean IPs: Freshly provisioned VPS instances often have no bad reputation. IP-reputation tools shrug.
- Local lookalikes: Spinning up a VPS in your country or city helps bypass geolocation controls and “impossible travel” logic.
- Low OSINT footprint: Minimal public breadcrumbs make it harder to connect an IP to an attacker.
- Speed and scale: Providers like Hyonix and Host Universal offer rapid setup. That’s great for startups—and adversaries.
- Low cost: Commoditized cloud infrastructure keeps the bill low and campaigns repeatable.
As Darktrace researchers noted in their August 21 blog, these services are fast, affordable, and easy to automate—perfect for attackers who want to blend in and move quickly across many targets. You can read their posts and research here: Darktrace Blog.
For a broader look at attacker infrastructure, see MITRE ATT&CK’s technique on acquiring virtual private servers: MITRE ATT&CK T1583: Acquire Infrastructure.
Inside the Campaign: How SaaS Accounts Were Compromised via VPS
Darktrace investigated multiple incidents in May 2025 across customer environments. The pattern emerged quickly. Here’s the anatomy of what they observed:
- VPS-origin Logins
  - Logins came from IPs linked to VPS providers, including Hyonix and Host Universal.
  - Many were “rare” for the users and the tenants—first-time-seen infrastructure.
- Timing That Mimics Real Users
  - Some logins occurred minutes after legitimate user activity from distant geolocations.
  - This suggests session hijacking: attackers may have stolen tokens or cookies and taken over active sessions.
- Brute-Force and Phishing Signals
  - Alerts included brute-force attempts and anomalous logins.
  - Evidence tied accounts to downstream phishing activity.
- Persistence via Inbox Rules
  - Attackers created mailbox rules with vague names to forward, redirect, or silently delete incoming emails.
  - These rules hid phishing activity and helped maintain access.
  - Similar rules were found across multiple users—indicating a shared playbook and infrastructure.
- Covering Tracks
  - Emails referencing invoices were deleted from Sent Items, likely to hide phishing sent from the account.
- Account Changes for Stickiness
  - Attempts to modify account recovery settings, reset passwords, or update security info were made from rare external IPs.
- Coordinated, Not Noisy
  - No lateral movement was detected within SaaS tenants, but multiple devices and users mirrored the pattern.
  - This was targeted and persistent, not random spray-and-pray.
Here’s why that matters: these behaviors are easy to miss if your detection relies on static controls, coarse location rules, or inbox rule alerts that get lost in the noise. The sophistication is in the mimicry.
Why Traditional Defenses Fail Against VPS-Based Logins
It’s tempting to think “IP reputation + MFA + geofencing = safe.” But attackers are adapting faster than those policies can keep up.
- Geofencing and “trusted locations”: Attackers spin up a VPS in the same region as your users. Geo-based allowlists become unreliable.
- IP reputation: Clean, newly provisioned VPS addresses haven’t been flagged yet. Tools give them a pass.
- MFA isn’t a cure-all:
  - MFA fatigue: Attackers spam push notifications until a user accepts.
  - Phishing proxies: Adversaries phish credentials and MFA in real time through adversary-in-the-middle (AitM) kits, capturing valid session tokens.
  - Session hijacking: Once a session cookie is stolen, attackers can bypass MFA unless you bind sessions to device context or continuously re-evaluate risk.
- “Impossible travel” blind spots: If attackers hijack a session, your system might not see a second login—it just sees continued activity on a “trusted” token.
- Inbox rule blind spots: Many organizations don’t alert on subtle mailbox changes. Vague rule names slip by.
Put simply, attackers are leveraging commodity cloud infrastructure to look like normal users, then using SaaS-native features for stealth and persistence.
Signals That Should Raise Your Eyebrows
Train your SOC, IT admins, and even help desk teams to notice the following:
- Logins from rare IPs tied to hosting providers or data centers (not consumer ISPs).
- Sign-ins minutes after legitimate user activity from far-off locations.
- New or modified mailbox rules with generic names that:
  - Redirect to external addresses
  - Delete or mark as read messages with invoice/payment keywords
  - Hide replies or notifications about undeliverable emails
- Sudden deletion of Sent Items or high-volume purge activity
- Changes to account recovery methods or security info
- OAuth app grants to unfamiliar applications
- Password resets from rare IPs or at odd hours
- Users reporting unexpected MFA prompts (MFA fatigue attacks)
These clues, in combination, tell a story—even if each one alone might look benign.
How to Detect VPS-Based Account Compromise in SaaS
Good news: you can turn the tables with a few targeted investments and smart policies.
- Enrich Sign-In Telemetry with Hosting/ASN Context
  - Tag IPs by autonomous system number (ASN) and hosting provider using services like ipinfo.io or MaxMind. Many label “hosting” or “data center” ranges.
  - Increase risk on logins from hosting providers and unfamiliar ASNs, even if the country matches.
  - Track first-seen IPs per user and tenant-wide baselines.
- Use Continuous Access Evaluation and Session Controls
  - Don’t treat MFA as a one-and-done event. Continuously re-evaluate session risk and revoke tokens when risk changes.
  - Microsoft calls this Continuous Access Evaluation (CAE). Learn more: Continuous Access Evaluation.
- Alert on Inbox Rule Changes and High-Risk Mail Flows
  - Create alerts for:
    - New inbox rules
    - Auto-forwarding to external domains
    - Rules with vague names or that hide or delete messages
  - Microsoft guidance on external forwarding: Best practices for external email forwarding.
- Lock Down OAuth Consent
  - Restrict user consent to only verified, trusted apps.
  - Use admin consent workflows and review new grants regularly.
  - Microsoft guidance: Configure admin consent workflow.
- Leverage Identity Risk Signals
  - Use built-in risk scoring from your IdP (e.g., Microsoft Entra ID, Google).
  - Trigger step-up auth or block on high-risk sign-ins, unfamiliar locations, or atypical devices.
- Baseline Normal Behavior Per User
  - Behavioral analytics—even simple baselines—go a long way.
  - Alert on deviations in login times, source networks, and device types.
- Monitor for Session Hijacking Patterns
  - Look for sudden changes in client IP or user agent mid-session.
  - Correlate sign-ins that closely follow legitimate activity from distant geographies.
- Add SaaS-Specific Alerting in Google Workspace and Microsoft 365
  - Google Workspace: enable alerts in the Admin console for suspicious logins, forwarding rules, and OAuth grants. More: Google Workspace Alert Center and Advanced phishing and malware protection.
  - Microsoft 365: use unified audit logs and Defender for Office 365 policies; follow Microsoft’s incident response playbook: Responding to a compromised email account.
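As an added example (not code from the article or from Darktrace), the Python below scores a constructed stream of sign-in events the way the enrichment and session-hijacking bullets describe: hosting-ASN tagging, first-seen IPs per user and tenant-wide, and a distant sign-in minutes after the same user's last activity. The ASN table, risk weights, coordinates and sample events are constructed stand-ins; in production the table comes from a feed such as ipinfo.io or MaxMind and the IP baselines from historical sign-in logs.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
import math

# Constructed stand-in for an enrichment feed (ipinfo.io / MaxMind style): prefix -> (ASN, usage).
ASN_TABLE = {"203.0.113.": (64500, "hosting"),   # constructed range playing a VPS provider
             "198.51.100.": (64501, "isp")}      # constructed range playing a consumer ISP
RISK = {"hosting": 40, "first_seen": 20, "adjacent": 40}  # hypothetical weights; tune per tenant
ADJACENT_WINDOW = timedelta(minutes=30)  # "minutes after legitimate activity"
DISTANT_KM = 500.0                       # beyond plausible travel inside that window

SignIn = namedtuple("SignIn", "ts user ip lat lon")

def enrich(ip):
    """(ASN, usage) for an IP; unknown prefixes come back as (0, 'unknown')."""
    return next((m for p, m in ASN_TABLE.items() if ip.startswith(p)), (0, "unknown"))

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def score_signins(events):
    """Score sign-ins in time order; returns [(user, ip, score, reasons)].
    Per-user and tenant-wide IP baselines are learned from the stream itself,
    so seed it with history before the window you want to alert on."""
    seen_user, seen_tenant, last = defaultdict(set), set(), {}
    out = []
    for ev in sorted(events, key=lambda e: e.ts):
        reasons, score = [], 0
        asn, usage = enrich(ev.ip)
        if usage == "hosting":  # clean reputation, but data-center origin
            reasons.append(f"hosting ASN {asn}"); score += RISK["hosting"]
        if ev.ip not in seen_user[ev.user]:
            scope = "user" if ev.ip in seen_tenant else "user and tenant"
            reasons.append(f"first-seen IP for {scope}"); score += RISK["first_seen"]
        prev = last.get(ev.user)
        if (prev and ev.ts - prev.ts <= ADJACENT_WINDOW
                and km_between(prev.lat, prev.lon, ev.lat, ev.lon) > DISTANT_KM):
            reasons.append("distant sign-in minutes after prior activity"); score += RISK["adjacent"]
        seen_user[ev.user].add(ev.ip); seen_tenant.add(ev.ip); last[ev.user] = ev
        out.append((ev.user, ev.ip, score, reasons))
    return out

# Constructed sample: Alice's VPS sign-in is local-looking (same city as her ISP
# login); Bob's comes from ~6,300 km away nine minutes after real activity.
SAMPLE = [
    SignIn(datetime(2025, 5, 6, 9, 0), "alice", "198.51.100.7", 40.71, -74.00),
    SignIn(datetime(2025, 5, 6, 9, 12), "alice", "203.0.113.45", 40.73, -73.99),
    SignIn(datetime(2025, 5, 6, 14, 0), "bob", "198.51.100.9", 41.88, -87.63),
    SignIn(datetime(2025, 5, 6, 14, 9), "bob", "203.0.113.88", 51.51, -0.13),
]

if __name__ == "__main__":
    for user, ip, score, reasons in score_signins(SAMPLE):
        print(f"{user:6} {ip:14} risk={score:3}  {'; '.join(reasons) or 'baseline'}")
```

Note that Alice's second sign-in scores 60 on hosting origin and first-seen IP alone, even though its geolocation matches her normal city; that is the "local lookalike" case geofencing misses.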
Hardening: Practical Controls That Actually Help
Here’s a prioritized roadmap you can execute even with a small team.
- Enforce Phishing-Resistant MFA
  - Prefer FIDO2/WebAuthn security keys or platform authenticators (Passkeys) over SMS or push-only methods.
  - Align with NIST SP 800-63B guidance: NIST 800-63B Digital Identity Guidelines.
  - Learn more about FIDO standards: FIDO Alliance.
- Block Legacy Authentication
  - Disable basic auth and legacy protocols that bypass modern controls.
  - Microsoft guide: Block legacy authentication.
- Conditional Access Based on Device and Risk
  - Require compliant or managed devices for high-value apps.
  - Trigger step-up authentication for unfamiliar locations or hosting provider IPs.
  - Consider policy exceptions only for well-justified service accounts.
- Tighten Email and Collaboration Defaults
  - Disallow external auto-forwarding by default; make exceptions rare and audited.
  - Alert on creation of inbox rules and mail flow changes.
  - Apply anti-phishing policies that flag lookalike domains and invoice-themed lures.
- Restrict OAuth App Consent
  - Only allow user consent for verified publishers and low-risk scopes.
  - Require admin approval for high-risk scopes (e.g., mail.read, offline_access).
- Session Hygiene
  - Shorten token lifetimes for high-risk users and sensitive apps.
  - Use continuous access evaluation to revoke access when risk changes.
  - Bind sessions to device characteristics where possible.
- Educate Users on MFA Fatigue and Phishing
  - Teach users to deny unexpected prompts and report them.
  - Simulate AitM phishing to expose weaknesses and improve training results.
- Inventory and Monitor Admin Activity
  - Alert on changes to mailbox auditing, retention, and recovery settings.
  - Review admin sign-ins from hosting providers or unusual ASNs.
- Data Loss and Abuse Controls
  - Monitor for spikes in outbound messages, especially to new domains.
  - Enable DLP for sensitive data to reduce exfiltration via email or cloud storage.
- Threat Intelligence and IP Hygiene
  - Subscribe to feeds labeling hosting provider IPs and data centers.
  - Treat hosting ASNs as higher risk and require additional factors or device trust.
For broader government-backed best practices, use CISA’s guidance as a framework: CISA’s Shields Up and the SCuBA (Secure Cloud Business Applications) project recommendations: CISA SCuBA.
Response Playbook: What to Do When a SaaS Account Is Hit
When you suspect compromise, assume the adversary will pivot fast. Move faster.
- Contain Access
  - Force sign-out across sessions for the user.
  - Revoke refresh tokens and reset the password.
  - Require a phishing-resistant factor enrollment if not already in place.
- Clean the Mailbox
  - Enumerate and delete malicious inbox rules.
  - Search and purge malicious emails from Sent Items and mailboxes where possible.
  - Re-enable mailbox auditing and review audit logs if disabled.
- Check Identity and Recovery
  - Verify and reset account recovery methods and security info.
  - Check for unauthorized MFA devices or phone numbers and remove them.
- Investigate OAuth Grants and App Registrations
  - Revoke suspicious OAuth tokens and remove harmful app consent.
  - Block unverified or high-risk apps.
- Hunt for Persistence
  - Review delegates, mail forwarding, and shared mailbox access.
  - Look for mailbox folder permission changes and hidden rules.
- Timeline and Forensics
  - Correlate logins, rule creations, and email sends.
  - Map IPs to ASNs; note hosting providers involved.
- Notify and Protect Users
  - Alert impacted users and recipients of phishing emails sent from the account.
  - Provide a clear reset and reporting path.
- Close the Gap
  - Implement the hardening steps above—especially MFA upgrades, OAuth consent control, and inbox rule monitoring.
Microsoft offers a thorough playbook for Microsoft 365 tenants: Responding to a compromised email account. For Google tenants, start with Admin console investigations, token revocation, and stronger phishing protections: Advanced phishing and malware protection and OAuth 2.0 token revocation.
VPS-Specific Detection: Practical Heuristics That Work
You can’t block the entire internet. But you can make VPS-origin access more obvious and more expensive for attackers.
- ASN and Hosting Labels
  - Tag sign-ins by ASN and mark known hosting providers.
  - Raise authentication requirements for hosting ASNs (step-up auth or device trust).
- First-Seen and Rare-IP Logic
  - Alert on first-time IPs per user, especially if they’re also rare tenant-wide.
- Time-Adjacency to Real User Activity
  - Look for sign-ins that occur within minutes of legitimate activity from a distant location.
  - Add extra scrutiny if the session then creates inbox rules or changes recovery options.
- Behavioral Detections
  - Flag unusual spikes in Sent Items and quick deletion afterward.
  - Alert on rule names that are generic (e.g., “1,” “rule,” “update”), and actions that delete or forward “invoice,” “payment,” or “remittance” messages.
- External Forwarding
  - Treat new external forwarding rules as high-risk events requiring immediate review.
These aren’t silver bullets, but together they give you a tighter net.
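Added example, not code from the article or from Darktrace: the inbox-rule heuristics above (generic names, delete or forward actions on invoice-themed mail, external forwarding, suppressed bounce notices, and the same rule appearing under several users) as a scoring function over constructed rule records. The record shape, tenant domain, weights and sample rules are assumptions; in practice you would populate the records from your provider's rule-creation audit events.

```python
import re
from collections import defaultdict, namedtuple

# Provider-neutral rule record (constructed shape; fill it from your rule-creation audit events).
InboxRule = namedtuple("InboxRule", "user name actions forward_to keywords")

TENANT_DOMAINS = {"example.com"}          # assumption: the tenant's own mail domains
GENERIC_NAME = re.compile(r"^(?:\W*|\d{1,3}|rule|update|new rule)$", re.I)
MONEY_WORDS = {"invoice", "payment", "remittance"}
NDR_WORDS = {"undeliverable", "delivery failure", "mailer-daemon"}
HIDING = {"delete", "mark_read", "move_to_rss", "move_to_archive"}

def is_external(addr):
    return addr.rsplit("@", 1)[-1].lower() not in TENANT_DOMAINS

def score_rule(rule):
    """Return (score, reasons) for one rule; hypothetical weights, tune per tenant."""
    reasons, score = [], 0
    if GENERIC_NAME.match(rule.name.strip()):
        reasons.append(f"generic rule name {rule.name!r}"); score += 20
    ext = [a for a in rule.forward_to if is_external(a)]
    if ext:
        reasons.append(f"forwards externally to {', '.join(ext)}"); score += 50
    kw = {k.lower() for k in rule.keywords}
    hides = bool(set(rule.actions) & HIDING)
    if kw & MONEY_WORDS and (hides or ext):
        reasons.append("hides or diverts invoice/payment mail"); score += 40
    if kw & NDR_WORDS and hides:
        reasons.append("suppresses undeliverable notices"); score += 30
    return score, reasons

def review_queue(rules, threshold=50):
    """Rules at or above threshold, as (user, name, score, reasons), input order kept."""
    scored = [(r.user, r.name, *score_rule(r)) for r in rules]
    return [row for row in scored if row[2] >= threshold]

def shared_playbook(rules):
    """Identical (name, actions, keywords) signatures created under more than one user."""
    users = defaultdict(set)
    for r in rules:
        users[(r.name, tuple(r.actions), tuple(sorted(r.keywords)))].add(r.user)
    return {sig: sorted(u) for sig, u in users.items() if len(u) > 1}

# Constructed sample: two users got the same "1"/delete-invoice rule, one benign archive rule,
# one generic-named external forward, and one rule that eats bounce notices.
SAMPLE_RULES = [
    InboxRule("alice", "1", ["delete"], [], ["invoice"]),
    InboxRule("bob", "1", ["delete"], [], ["invoice"]),
    InboxRule("carol", "Archive newsletters", ["move_to_archive"], [], ["newsletter"]),
    InboxRule("dave", "update", ["forward"], ["drop@mail.example.net"], []),
    InboxRule("erin", ".", ["mark_read", "delete"], [], ["undeliverable"]),
]

if __name__ == "__main__":
    for user, name, score, why in review_queue(SAMPLE_RULES):
        print(f"{user:6} {name!r:22} {score:3} {'; '.join(why)}")
    print("shared across users:", shared_playbook(SAMPLE_RULES))
```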
For Small Teams: A 7-Day, High-Impact Plan
If you need to move fast with limited resources, start here:
Day 1–2
- Block legacy authentication.
- Disable external auto-forwarding by default.
- Turn on alerts for inbox rule creation.
Day 3–4
- Restrict OAuth consent to verified publishers; enable admin consent workflow.
- Enable advanced anti-phishing protections (M365/Google).
Day 5–6
- Enforce phishing-resistant MFA for admins and finance-related mailboxes first.
- Shorten session/token lifetimes for sensitive apps.
Day 7
- Add IP enrichment to your SIEM and label hosting providers.
- Create alerts for sign-ins from hosting ASNs and rare IPs per user.
Then iterate. Expand phishing-resistant MFA. Tighten conditional access. Review new OAuth grants weekly.
Key Takeaways for Security and IT Leaders
- VPS infrastructure helps attackers look local, clean, and normal. That undermines IP reputation and geofencing.
- The current wave targets SaaS accounts with subtlety: inbox rules, session hijacking, careful timing, and minimal noise.
- MFA is necessary but not sufficient. Aim for phishing-resistant MFA and continuous session risk evaluation.
- You can catch these attacks by enriching sign-in telemetry, monitoring inbox rules, tightening OAuth consent, and using behavioral baselines.
- Have a fast, repeatable response playbook: revoke tokens, clean mailboxes, reset recovery, and notify recipients.
If you found this helpful, consider sharing it with your team or peers. Staying ahead of these tactics is a team sport—and the playbook evolves quickly.
FAQ: VPS Abuse and SaaS Account Compromise
Q: What’s the difference between a VPS and a VPN?
A: A VPS is a virtual private server—a compute instance you rent in the cloud with its own IP address. A VPN is a virtual private network—an encrypted tunnel that routes your traffic through a server. Attackers use VPS to host infrastructure and originate logins with “clean” IPs; they may also use VPNs to hide their own location.
Q: How do attackers use VPS to bypass defenses?
A: They spin up servers close to the victim’s region to pass geolocation checks, use fresh IP addresses to avoid reputation blocks, and log in at times that mimic real users. Combined with stolen tokens and inbox rule persistence, this makes detection hard.
Q: Is MFA enough to stop these attacks?
A: Not always. Attackers can phish MFA in real time, fatigue users with push prompts, or hijack active sessions (pass-the-cookie). Phishing-resistant MFA (FIDO2/WebAuthn) and continuous session risk evaluation are far stronger than SMS or push-only MFA. See NIST guidance: SP 800-63B.
Q: What are the most reliable signs my SaaS account is compromised?
A: Look for:
- New inbox rules, especially ones that delete or forward messages
- Unexpected external forwarding
- Logins from rare or hosting-provider IPs
- Deletions from Sent Items after a phishing send
- Changes to recovery methods or MFA devices
- New OAuth app grants with broad permissions
Q: How can I block or limit VPS-origin logins?
A: You can’t block all VPS IPs safely, but you can:
- Require step-up auth or managed devices for logins from hosting ASNs
- Use risk-based conditional access and continuous access evaluation
- Monitor and alert on first-seen IPs and data center ranges
- Combine with phishing-resistant MFA for sensitive apps and roles
Q: Are inbox rules really that dangerous?
A: Yes. They’re a favorite persistence and evasion technique. Rules can silently redirect or delete messages, hide mail delivery errors, and keep attackers informed while users stay unaware. Set alerts for rule creation and review changes quickly.
Q: What is session hijacking in SaaS, and how does it happen?
A: Session hijacking occurs when an attacker steals a valid session token (often via phishing proxies, malware, or insecure endpoints) and uses it to access the account without redoing MFA. Counter with token binding, continuous access evaluation, and device-based conditional access.
Q: We use Microsoft 365/Google Workspace. What should we do today?
A:
- Microsoft 365: Block legacy auth, enable Defender policies, enforce phishing-resistant MFA for admins, restrict OAuth consent, and follow this incident response guide: Responding to a compromised email account.
- Google Workspace: Enable advanced phishing protection, restrict third-party app access, configure alerts for forwarding and OAuth grants, and revoke suspicious tokens: Advanced phishing and malware protection and Token revocation.
Q: Are VPS providers to blame?
A: VPS is a legitimate service. The issue isn’t the technology—it’s abuse by attackers. Your goal isn’t to ban VPS outright; it’s to treat data center-origin access as higher risk, add friction where needed, and verify device and identity context more rigorously.
Q: Where can I learn more about attacker infrastructure and tradecraft?
A:
- MITRE ATT&CK’s infrastructure techniques: T1583: Acquire Infrastructure
- CISA’s practical cloud security and resilience guidance: CISA SCuBA and Shields Up
- Ongoing research and case studies: Darktrace Blog
Final thought: The perimeter is your identity. Attackers know it—and they’re renting VPS by the hour to blend in. Shift from static checks to continuous, risk-aware controls, and you’ll catch the next attempt before it becomes an incident.