Virtual Infrastructure Abuse leads to SaaS Hijacks

Aug. 27, 2025, 7:43 p.m.

Description

This analysis examines a series of coordinated SaaS account compromises across multiple customer environments, involving suspicious logins from VPS-linked infrastructure followed by unauthorized inbox rule creation and deletion of phishing-related emails. The attackers leveraged virtual private servers (VPS) from providers like Hyonix to bypass geolocation-based defenses, evade IP reputation checks, and blend into legitimate traffic. Key tactics included session hijacking, inbox rule manipulation, and attempts to modify account recovery settings. The incidents highlight the growing abuse of VPS infrastructure in stealthy, scalable attacks targeting SaaS platforms.

External References

https://www.darktrace.com/blog/from-vps-to-phishing-how-darktrace-uncovered-saas-hijacks-through-virtual-infrastructure-abuse
https://otx.alienvault.com/pulse/68af30b8ad63da53c79e90c1
Tags
phishing
session hijacking
2025-08-27
hyonix
inbox rules
saas compromise
vps abuse

Date

  • Created: Aug. 27, 2025, 4:22 p.m.
  • Published: Aug. 27, 2025, 4:22 p.m.
  • Modified: Aug. 27, 2025, 7:43 p.m.

Attack Patterns