Attackers are hijacking SaaS accounts through rented virtual private server nodes.
Malicious actors are increasingly hijacking software-as-a-service accounts via virtual private server exploitation to facilitate phishing attacks that evade IP reputation checks and geolocation defences.
According to a study from Darktrace and reported by SiliconANGLE, multiple endpoints associated with VPS provider Hyonix have been used by threat actors to conduct logins prior to creating inbox rules and removing phishing-related emails as part of one campaign.
Another campaign involved obfuscated inbox rule creation and attempted account recovery setting alterations following coordinated logins from various VPS providers, said researchers, who noted that disabled autonomous response hindered the tracking of both incidents' progress.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
