Cybercriminals Exploit Virtual Private Servers to Infiltrate Business Email Systems

Recent research from Darktrace's email security analysis has uncovered a sophisticated attack campaign where cybercriminals are leveraging Virtual Private Server (VPS) infrastructure to compromise corporate email systems while evading detection.

The attacks represent a significant evolution in business email compromise techniques and attack patterns, allowing threat actors to hijack active email sessions through anonymous VPS hosting services, effectively bypassing traditional security measures by blending in with legitimate user activity.

Attack Methodology and Infrastructure

The cybercriminals utilize low-cost VPS nodes to gain entry to organization allow lists by obtaining clean Autonomous System Numbers (ASNs) and fresh IP addresses. This approach helps their traffic appear legitimate rather than malicious.

Jason Soroko, Senior Technology Officer at Sectigo, explains: "Attackers now rent trust. The adversary is riding live sessions and no longer just harvesting passwords. The mailbox becomes the control plane."

Rather than focusing solely on password theft, the attackers exploit concurrent user sessions to:

• Modify inbox rules
• Steal security tokens
• Reset passwords
• Remove evidence of their activities

Advanced Detection and Prevention Strategies

J Stephen Kowski, Field CTO at SlashNext Email Security+, notes that while the tactics aren't entirely new, the use of secure remote access through cloud infrastructure creates unique challenges for detection. "The critical vulnerability lies in the initial compromise — usually stolen logins, hijacked sessions, weak MFA, or a malicious app link," he explains.

Security experts recommend several essential preventive measures:

• Implementing real-time session monitoring
• Making inbox rules visible and verified
• Alerting on rule changes similar to privilege modifications
• Scoring infrastructure based on volatility and provenance
• Blocking remote tools in unauthorized contexts
• Deploying autonomous containment systems

Implementation and Security Framework

Organizations must establish comprehensive network security protocols for remote connections while focusing on session monitoring and rule change alerts. This includes:

1. Organizations should review their email security protocols, particularly focusing on session monitoring and rule change alerts

2. IT teams should implement infrastructure scoring systems that consider volatility and provider reputation rather than just brand names

3. Security administrators should ensure visibility into inbox rules and establish clear governance policies for autonomous containment

The campaign highlights the evolving nature of email security threats and the importance of maintaining robust, context-aware security measures that can identify and respond to sophisticated attack patterns in real-time.