
Coordinated VPS-enabled SaaS account compromise campaign

Campaign · Happening score 41 · 1 unique source, 1 article

Summary


A VPS-enabled SaaS account compromise campaign is using commercial VPS infrastructure to hijack accounts across multiple customer environments, raising the risk of mailbox abuse and follow-on data exfiltration. The activity surfaced in March and continued through May, indicating a persistent operation rather than a one-off login event. Attackers used brute-force attempts, anomalous logins, and new inbox rules to blend in, hide malicious mailbox activity, and preserve access. The pattern also included possible spam distribution, showing the campaign can pivot from account takeover to broader abuse.


Timeline

  1. 21.08.2025 20:42 · 1 article

    May 19 VPS-linked login activity at a Darktrace customer

    Exploitation Observed

    At one affected organization on May 19, two internal devices initiated logins from rare IP addresses associated with Hyonix and Host Universal within minutes of legitimate user activity from distant geolocations, indicating improbable travel and likely session hijacking. After the successful login, the actor attempted to delete emails referencing invoice documents, consistent with phishing-email cleanup and account abuse.

  2. 21.08.2025 20:42 · 1 article

    Darktrace disclosure of coordinated VPS-enabled SaaS compromises

    Initial Disclosure

    Darktrace disclosed coordinated SaaS account compromises across multiple customer environments that used commercial VPS infrastructure from Hyonix, Host Universal, Mevspace, and Hivelocity. The disclosure tied the activity to a March spike in Hyonix-related alerts and described brute-force attempts, anomalous logins, successful multifactor authentications through token claims, and phishing-related inbox-rule creation, with possible spam distribution on one account.

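As an added example (not code from Darktrace or the source article), the detection logic the timeline describes: a login from a commercial hosting provider within minutes of a legitimate login from a distant location, followed by mailbox cleanup or inbox-rule creation. The provider names come from the disclosure; the event schema, audit action names, IP addresses and coordinates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Providers named in the disclosure; IP-to-org enrichment is assumed (constructed lookup).
HOSTING_PROVIDERS = {"Hyonix", "Host Universal", "Mevspace", "Hivelocity"}
MAX_PLAUSIBLE_KMH = 900.0                  # faster than this between logins is improbable travel
FOLLOW_ON_WINDOW = timedelta(hours=2)
FOLLOW_ON_ACTIONS = {"New-InboxRule", "HardDelete"}  # assumed mailbox audit-event names
@dataclass
class Event:
    ts: datetime
    user: str
    kind: str              # "login" or a mailbox audit action
    ip: str = ""
    org: str = ""          # ASN organisation from enrichment
    lat: float = 0.0
    lon: float = 0.0

def km_between(a: Event, b: Event) -> float:
    """Great-circle (haversine) distance between two login geolocations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def find_suspicious_sessions(events):
    """Flag hosting-provider logins implying improbable travel, with mailbox follow-on actions."""
    findings, by_user = [], {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    for user, evs in by_user.items():
        logins = [e for e in evs if e.kind == "login"]
        for prev, cur in zip(logins, logins[1:]):
            hours = max((cur.ts - prev.ts).total_seconds() / 3600, 1 / 60)  # floor: one minute
            speed = km_between(prev, cur) / hours
            if cur.org not in HOSTING_PROVIDERS or speed < MAX_PLAUSIBLE_KMH:
                continue               # a VPS login alone, or plausible travel alone, is not enough
            reasons = [f"login via {cur.org}", f"implied travel {speed:.0f} km/h"]
            reasons += [e.kind for e in evs if e.kind in FOLLOW_ON_ACTIONS and cur.ts <= e.ts <= cur.ts + FOLLOW_ON_WINDOW]
            findings.append((user, cur.ip, reasons))
    return findings

def at(hhmm): return datetime(2025, 5, 19, *map(int, hhmm.split(":")))
SAMPLE_EVENTS = [  # constructed: alice's session is hijacked, carol's VPS login is benign
    Event(at("09:00"), "alice", "login", "198.51.100.7", "ExampleCorp", 51.50, -0.12),
    Event(at("09:07"), "alice", "login", "203.0.113.5", "Hyonix", 40.71, -74.01),
    Event(at("09:20"), "alice", "HardDelete"),
    Event(at("09:30"), "alice", "New-InboxRule"),
    Event(at("08:00"), "carol", "login", "198.51.100.9", "ExampleCorp", 52.52, 13.40),
    Event(at("20:00"), "carol", "login", "203.0.113.9", "Hyonix", 52.52, 13.41),
]
```

Carol's evening login from the same provider is deliberately not flagged: the hosting-provider origin only becomes a finding when combined with the travel implausibility, which keeps the rule from firing on every VPN or remote-desktop user.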