
Cybercriminals Exploit Cheap VPS to Launch SaaS Hijacking Attacks


HackRead

Darktrace researchers have discovered a new wave of attacks where cybercriminals use cheap Virtual Private Servers (VPS) to hijack business email accounts. Learn how these stealthy campaigns bypass security.

A new security report by Darktrace has revealed a concerning trend where cybercriminals are abusing cheap, easy-to-access cloud servers to carry out sophisticated attacks on business email systems. The research, which was shared with Hackread.com, reveals a substantial increase in these attacks since March 2025, with one provider, Hyonix, seeing a doubling in malicious activity.

Darktrace’s research found that attackers are using a tactic called SaaS (Software-as-a-Service) hijacking. Instead of just stealing passwords, they are taking over email accounts while legitimate users are still logged in. This allows them to bypass traditional security tools and appear as if they are a trusted user.

**The Attack**

Once inside a business email account, the attackers try to stay hidden. They create subtle email rules with vague names to secretly redirect incoming messages, making it difficult for the user to notice anything is wrong. For example, they might automatically delete phishing emails from the sent folder to erase their tracks.

The attackers carry this out using a Virtual Private Server (VPS), which is essentially a small, virtual slice of a larger server that anyone can rent online for a very low cost, such as the $5-a-month option from Hyonix. These services are fast to set up and give attackers a clean IP address, allowing their malicious traffic to blend in with normal business activity and get past security checks.

Darktrace’s investigation found that attackers also used other providers like Mevspace and Hivelocity. Moreover, they observed suspicious logins from distant locations that occurred just moments after a user’s legitimate login, after which attackers were also able to bypass Multi-Factor Authentication (MFA), a key security barrier. In one case, a remote access tool called SplashtopStreamer.exe was found, suggesting attackers were trying to gain a more permanent foothold to steal data.

The report highlighted two specific examples of these attacks. In the first case, attackers created hidden rules that automatically deleted emails related to invoice documents, likely to hide their tracks.

In another instance, multiple users had similar rules created, and attackers even attempted to change account recovery settings, showing an effort to maintain long-term access.

Both cases are explained by Darktrace.
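The indicators described in this section (a login from a distant location or a VPS provider moments after a legitimate one, followed by an inbox rule that deletes or redirects mail) can be correlated for triage. The following is an added example, not code from Darktrace or Hackread; the event fields, time windows and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Providers named in the Darktrace report; the event schema below is constructed.
VPS_PROVIDERS = {"hyonix", "mevspace", "hivelocity"}
LOGIN_GAP = timedelta(minutes=10)   # assumed: "moments after" a legitimate login
RULE_WINDOW = timedelta(hours=1)    # assumed: rule created soon after that login
HIDING_ACTIONS = {"delete", "redirect"}

def is_vague(name):
    """True for rule names with at most two letters or digits, e.g. '..' or 'a'."""
    return sum(c.isalnum() for c in name) <= 2

def find_hijack_candidates(events):
    """Flag a suspicious login that is followed by a mail-hiding inbox rule."""
    findings = []
    last_login = {}                 # user -> most recent earlier login event
    ordered = sorted(events, key=lambda e: e["time"])
    for ev in ordered:
        if ev["type"] != "login":
            continue
        reasons = []
        prev = last_login.get(ev["user"])
        last_login[ev["user"]] = ev
        if prev and ev["time"] - prev["time"] <= LOGIN_GAP and ev["country"] != prev["country"]:
            reasons.append("new country shortly after previous login")
        if ev["asn_org"].lower() in VPS_PROVIDERS:
            reasons.append("source is a watched VPS provider")
        if not reasons:
            continue                # ordinary login: rules created from it are not flagged
        for r in ordered:
            same_session = (r["type"] == "rule_created" and r["user"] == ev["user"]
                            and r["ip"] == ev["ip"])
            in_window = timedelta(0) <= r["time"] - ev["time"] <= RULE_WINDOW
            if same_session and in_window and r["action"] in HIDING_ACTIONS:
                tag = "vaguely named " if is_vague(r["name"]) else ""
                findings.append((ev["user"], ev["ip"], reasons + [f"{tag}rule {r['action']}s mail"]))
    return findings

T0 = datetime(2025, 5, 1, 9, 0)     # constructed sample events, documentation IP ranges
SAMPLE_EVENTS = [
    {"time": T0, "user": "alice", "type": "login", "ip": "198.51.100.10", "country": "GB", "asn_org": "Example ISP"},
    {"time": T0 + timedelta(minutes=3), "user": "alice", "type": "login", "ip": "203.0.113.7", "country": "US", "asn_org": "Hyonix"},
    {"time": T0 + timedelta(minutes=9), "user": "alice", "type": "rule_created", "ip": "203.0.113.7", "name": "..", "action": "delete"},
    {"time": T0, "user": "bob", "type": "login", "ip": "198.51.100.20", "country": "GB", "asn_org": "Example ISP"},
    {"time": T0 + timedelta(minutes=30), "user": "bob", "type": "rule_created", "ip": "198.51.100.20", "name": "Newsletters", "action": "delete"},
]

if __name__ == "__main__":
    for finding in find_hijack_candidates(SAMPLE_EVENTS):
        print(finding)
```

Only the first sample user is flagged: the second user's delete rule comes from an ordinary login, so it is left alone.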

The report concludes that organizations must move away from old security methods that rely on simple rules. Instead, they need systems that can learn and detect unusual behaviour, such as a user logging in from a new or strange location.

Jason Soroko, a Senior Fellow at Sectigo, commented on the findings, stating that attackers are now “renting trust.” He explained that with these cheap VPS providers, criminals can obtain a legitimate-looking network address, making their activity seem trustworthy. “The mailbox becomes the control plane,” Soroko added, noting that attackers are using subtle rules to control the account like a kind of “stealth policy.”
