This analysis examines a series of coordinated SaaS account compromises across multiple customer environments, involving suspicious logins from VPS-linked infrastructure followed by unauthorized inbox rule creation and deletion of phishing-related emails. The attackers leveraged virtual private servers (VPS) from providers like Hyonix to bypass geolocation-based defenses, evade IP reputation checks, and blend into legitimate traffic. Key tactics included session hijacking, inbox rule manipulation, and attempts to modify account recovery settings. The incidents highlight the growing abuse of VPS infrastructure in stealthy, scalable attacks targeting SaaS platforms.

Author: AlienVault
Related Tags:
saas compromise
inbox rules
session hijacking
hyonix
T1556.004
T1098.002
T1566.001
T1098
T1556
Associated Indicators: