Cybersecurity company Darktrace has discovered a coordinated hacking campaign targeting SaaS accounts across several customer environments. The attacks, which happened in May 2025, involved suspicious logins from virtual private server (VPS) providers, followed by unauthorized changes to email inbox rules and the deletion of phishing-related emails.
Attackers used VPS services, mainly from providers like Hyonix and Host Universal, to hide their true locations and appear as legitimate users. This helped them bypass security systems that rely on IP reputation and geolocation. VPSs are commonly used by businesses, but cybercriminals can exploit them to blend in with normal traffic.
In several cases, logins from these VPS-linked IPs happened just minutes after real users logged in from remote locations, suggesting that the attackers hijacked active sessions. Once inside the accounts, they deleted emails related to fake invoices and set up new inbox rules with vague names to redirect or hide future phishing messages.
Darktrace also saw signs of attackers trying to reset passwords or change security settings from unusual IP addresses. Although no signs of spreading within the affected networks were found, the same suspicious behavior was seen across multiple user devices, pointing to a coordinated campaign.
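The sequence described above (a VPS-hosted login minutes after the real user's login, followed by inbox rule creation or email deletion) can be expressed as a correlation rule. The following is an added example, not Darktrace's detection logic or code from the report; the event schema, operation labels, time windows and sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Hosting providers named in the report; extend from your own ASN enrichment.
VPS_ORGS = {"hyonix", "host universal"}
LOGIN_GAP = timedelta(minutes=15)  # assumed meaning of "minutes after" the real login
FOLLOWUP = timedelta(hours=1)      # assumed window for post-login mailbox activity
SUSPICIOUS_OPS = {"New-InboxRule", "HardDelete"}  # constructed operation labels

# Constructed sample events (hypothetical schema: ts, user, ip, asn_org, op).
EVENTS = [
    ("2025-05-19T09:00:00", "alice", "198.51.100.7", "Example ISP", "Login"),
    ("2025-05-19T09:04:00", "alice", "203.0.113.20", "Hyonix", "Login"),
    ("2025-05-19T09:06:00", "alice", "203.0.113.20", "Hyonix", "New-InboxRule"),
    ("2025-05-19T09:07:00", "alice", "203.0.113.20", "Hyonix", "HardDelete"),
    ("2025-05-19T10:00:00", "bob", "198.51.100.9", "Example ISP", "Login"),
    ("2025-05-19T10:05:00", "bob", "198.51.100.9", "Example ISP", "New-InboxRule"),
    ("2025-05-19T11:00:00", "carol", "203.0.113.55", "Host Universal", "Login"),
]

def is_vps(org):
    return org.strip().lower() in VPS_ORGS

def detect(events):
    """Alert on a VPS login shortly after a non-VPS login, with follow-up ops."""
    rows = sorted((datetime.fromisoformat(ts), u, ip, org, op)
                  for ts, u, ip, org, op in events)
    last_legit = {}  # user -> time of most recent non-VPS login
    alerts = []
    for i, (ts, user, ip, org, op) in enumerate(rows):
        if op != "Login":
            continue
        if not is_vps(org):
            last_legit[user] = ts
            continue
        prev = last_legit.get(user)
        if prev is None or ts - prev > LOGIN_GAP:
            continue  # a VPS login on its own is not reported by this rule
        # Mailbox changes from the same VPS IP inside the follow-up window.
        follow = [o for t, u, p, _, o in rows[i + 1:]
                  if u == user and p == ip and o in SUSPICIOUS_OPS
                  and t - ts <= FOLLOWUP]
        alerts.append({"user": user, "ip": ip, "followup": follow,
                       "gap_s": int((ts - prev).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Only alice is flagged: bob's rule change comes from his usual network, and carol's VPS login has no preceding login to pair with, so a production rule would score that case separately rather than drop it.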