

A new report out today from Darktrace Ltd. details how attackers are exploiting virtual private servers to compromise software-as-a-service accounts, launch phishing campaigns and evade detection.
The company’s Inside the SOC report details coordinated incidents across customer environments, underscoring how virtual infrastructure abuse is reshaping the threat landscape for cloud and enterprise users.
According to Darktrace, VPS abuse is growing because it provides attackers with fast, low-cost and anonymous infrastructure that can mimic legitimate behavior. Providers such as Hyonix Inc. and Host Universal LLC are noted in the report as allowing rapid setup with limited verification and, in doing so, creating opportunities for malicious actors to bypass geolocation defenses and IP reputation checks.
In one case, Darktrace observed suspicious logins from Hyonix-linked endpoints followed by inbox rule creation and deletion of phishing-related emails. The activity coincided with legitimate user sessions from distant geolocations, indicating session hijacking. The attackers then removed evidence of phishing attempts to avoid detection.
In another case involving a customer environment, Darktrace researchers observed that coordinated logins from multiple VPS providers preceded the creation of obfuscated inbox rules. These were followed by attempts to modify account recovery settings, suggesting a persistent and organized campaign.
The activities were mirrored across different user accounts, with nearly identical inbox rules targeting financial or document-related communications. According to the researchers, the uniformity points to a broader campaign designed to hijack accounts and conceal malicious emails while attackers maintain persistence.
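The pattern described in these cases can be expressed as a correlation over sign-in and mailbox audit events. The sketch below is an added example, not Darktrace's detection logic or code from the report: the event schema, thresholds, user names, coordinates, rule names and IP addresses (documentation ranges) are all constructed assumptions. It flags an inbox rule created from a VPS-hosted IP shortly after a login from that IP that is geographically implausible against the user's other session, and it lists rules that appear on more than one mailbox.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

VPS_ORGS = {"Hyonix", "Host Universal"}   # providers named in the article
MAX_KMH = 900                             # assumption: faster than this is not travel
RULE_WINDOW = timedelta(hours=1)          # assumption: rule soon after the VPS login

def km(a, b):  # great-circle distance in km between two (lat, lon) pairs
    la1, lo1, la2, lo2 = map(radians, (*a, *b))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 6371 * 2 * asin(sqrt(h))

def impossible(a, b):  # two logins from different IPs at an implausible speed
    hours = max(abs((a["time"] - b["time"]).total_seconds()) / 3600, 1 / 60)
    return a["ip"] != b["ip"] and km(a["geo"], b["geo"]) / hours > MAX_KMH

def detect(events):
    """Return (alerts, rules shared by more than one mailbox)."""
    logins, rules, alerts = defaultdict(list), defaultdict(set), []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["type"] == "login":
            logins[e["user"]].append(e)
            continue
        rules[e["rule"].strip().lower()].add(e["user"])  # uniform rules across users
        for vps in logins[e["user"]]:
            recent = e["time"] - vps["time"] <= RULE_WINDOW
            if (vps["org"] in VPS_ORGS and vps["ip"] == e["ip"] and recent
                    and any(impossible(vps, o) for o in logins[e["user"]])):
                alerts.append((e["user"], e["ip"], e["rule"]))
                break
    return alerts, {r: sorted(u) for r, u in rules.items() if len(u) > 1}

def ev(user, hhmm, kind, org, ip, geo, rule=None):  # hypothetical event schema
    h, m = map(int, hhmm.split(":"))
    return {"user": user, "time": datetime(2025, 1, 1, h, m), "type": kind,
            "org": org, "ip": ip, "geo": geo, "rule": rule}
HOME, FAR = (51.5, -0.1), (34.0, -118.2)  # constructed coordinates
EVENTS = [  # constructed sample events
    ev("alice", "09:00", "login", "Example ISP", "198.51.100.10", HOME),
    ev("alice", "09:20", "login", "Hyonix", "203.0.113.5", FAR),
    ev("alice", "09:25", "rule", "Hyonix", "203.0.113.5", FAR, ".."),
    ev("bob", "10:00", "login", "Example ISP", "198.51.100.20", HOME),
    ev("bob", "10:05", "login", "Host Universal", "203.0.113.9", FAR),
    ev("bob", "10:10", "rule", "Host Universal", "203.0.113.9", FAR, ".."),
    ev("carol", "11:00", "login", "Example ISP", "198.51.100.30", HOME),
    ev("carol", "11:05", "rule", "Example ISP", "198.51.100.30", HOME, "Newsletters"),
]
ALERTS, SHARED_RULES = detect(EVENTS)
```

On the sample data, the two mailboxes with a VPS login overlapping a distant session are flagged, the rule created from the user's usual network is not, and the identical rule name shows up as shared across both flagged accounts.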
There was one commonality across the observed attacks: Autonomous response was not enabled in the impacted environments, allowing the attacks to progress unchecked. Darktrace argues that automated containment actions, such as blocking connections from unusual VPS endpoints, could have disrupted the compromises at an early stage.
By learning what is normal for each user and device, Darktrace’s AI was able to surface subtle anomalies that traditional, rule-based security systems may have missed.
“Threat actors are increasingly leveraging these affordable and anonymous hosting services to hijack accounts, launch phishing attacks and manipulate mailbox configurations, often bypassing traditional security controls,” the report concludes.
Jason Soroko, senior fellow at certificate lifecycle management company Sectigo Ltd., told SiliconANGLE via email that “attackers now rent trust” and that “five-dollar VPS nodes buy entry to your allow list and they accomplish this by getting a clean autonomous system number and fresh IP making traffic feel like a trusted source, not a criminal.”
“In this case, the adversary is riding live sessions and no longer just harvesting passwords,” Soroko added. “The mailbox becomes the control plane. Vague rules act like a kind of stealth policy.”
J Stephen Kowski, field chief technology officer at SlashNext Email Security+, commented that “the playbook isn’t new, it’s the same old tricks as you would see on a desktop: changing inbox rules, stealing tokens, resetting passwords and cleaning up tracks. The only twist is that it’s happening on a rented cloud desktop, which makes the activity blend in with normal traffic slightly differently.”