Cybercriminals Attack VPS to Access Business Email Systems

Research from Darktrace describes an attack campaign in which threat actors abuse Virtual Private Server (VPS) infrastructure to compromise the business email systems of multiple organizations.
In the observed incidents, the attackers used anonymous VPS hosting services to take over email sessions while the legitimate users were still logged in. Because the malicious activity is timed to overlap with legitimate activity from the same account, it blends in and evades many traditional security controls that look for a sign-in from an unexpected place rather than a second actor inside an existing session.
Jason Soroko, Senior Fellow at Sectigo, comments, “Attackers now rent trust. Five-dollar VPS nodes buy entry to your allow list, and they accomplish this by getting a clean ASN and fresh IP, making traffic feel like a trusted source, not a criminal. In this case, the adversary is riding live sessions and no longer just harvesting passwords. The mailbox becomes the control plane. Vague rules act like a kind of stealth policy.”
“Concurrency, sequence, and locality must line up. If they do not, you must have a way to freeze the session, not the user. Make inbox rules visible, named, and attested. Alert on rule churn the way you alert on privilege churn. Score infrastructure by volatility and provenance, not brand. Expect remote tools to appear where they never should and block by context. Autonomous containment is a governance choice that decides outcomes. In this campaign, the absence of it gave the intruders time, which is the adversary’s most important currency.”
J Stephen Kowski, Field CTO at SlashNext Email Security+, adds, “The playbook isn’t new — it’s the same old tricks as you would see on a desktop: changing inbox rules, stealing tokens, resetting passwords, and cleaning up tracks. The only twist is that it’s happening on a rented cloud desktop, which makes the activity blend in with normal traffic slightly differently. The real issue is the first break-in — usually stolen logins, hijacked sessions, weak MFA, or a malicious app link. That’s where tools that watch sessions in real time, catch phishing across channels, block shady app approvals, and roll back mailbox tampering shut it down before that cloud desktop turns into a launchpad.”
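The two detection ideas raised above, checking that concurrency and locality of a user's activity line up, and alerting on inbox-rule churn that follows a login from infrastructure the user has never used, can be expressed as simple logic over audit events. The following is an added example written for this article, not code from Darktrace, Sectigo or SlashNext. The event records and their field names (ts, user, op, ip, asn, geo, rule) are constructed for illustration and are not any vendor's log schema; the operation names New-InboxRule and Set-InboxRule are used as labels for rule changes and the thresholds are arbitrary assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for this example (not from any real tenant or product).
# Field names are an assumption made for the example, not a vendor log schema.
# Scenario: alice signs in from her usual ASN, then four minutes later her mailbox is
# read and an inbox rule is created from a different ASN and country (a VPS riding
# her live session). bob creates an ordinary rule from his usual location.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "op": "UserLoggedIn",
     "ip": "203.0.113.10", "asn": "AS64500", "geo": "GB"},
    {"ts": "2024-05-01T09:04:00", "user": "alice", "op": "MailItemsAccessed",
     "ip": "198.51.100.7", "asn": "AS64510", "geo": "NL"},
    {"ts": "2024-05-01T09:06:00", "user": "alice", "op": "New-InboxRule",
     "ip": "198.51.100.7", "asn": "AS64510", "geo": "NL",
     "rule": {"name": ".", "forward_to": "drop@example.net", "delete": True}},
    {"ts": "2024-05-01T10:00:00", "user": "bob", "op": "UserLoggedIn",
     "ip": "203.0.113.22", "asn": "AS64500", "geo": "GB"},
    {"ts": "2024-05-01T10:30:00", "user": "bob", "op": "New-InboxRule",
     "ip": "203.0.113.22", "asn": "AS64500", "geo": "GB",
     "rule": {"name": "Newsletters", "move_to": "Newsletters"}},
]

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}          # assumed labels for rule changes
HIDDEN_FOLDERS = {"rss subscriptions", "conversation history", "archive", "junk email"}


def parse_ts(s):
    return datetime.fromisoformat(s)


def concurrent_sessions(events, window=timedelta(minutes=15)):
    """Locality/concurrency check: flag a user whose activity comes from two
    different ASNs or countries inside `window`. One alert per anchor event."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                gap = parse_ts(b["ts"]) - parse_ts(a["ts"])
                if gap > window:
                    break
                if a["asn"] != b["asn"] or a["geo"] != b["geo"]:
                    alerts.append({"user": user, "kind": "concurrency",
                                   "first": (a["ip"], a["asn"], a["geo"]),
                                   "second": (b["ip"], b["asn"], b["geo"]),
                                   "gap_min": gap.seconds // 60})
                    break
    return alerts


def rule_risk(rule):
    """Return the reasons an inbox rule looks like it hides or exfiltrates mail."""
    reasons = []
    name = rule.get("name", "")
    if rule.get("forward_to"):
        reasons.append("external forward")
    if rule.get("delete"):
        reasons.append("deletes messages")
    if len(name.strip()) <= 1:
        reasons.append("unnamed/single-char rule")
    if rule.get("move_to", "").lower() in HIDDEN_FOLDERS:
        reasons.append("moves mail to rarely viewed folder")
    return reasons


def rule_churn(events):
    """Sequence check: flag inbox-rule changes, and treat a change made from an ASN
    that never appeared in one of the user's own interactive sign-ins as suspicious
    even when the rule body itself looks harmless."""
    signin_asns = defaultdict(set)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["op"] == "UserLoggedIn":
            signin_asns[e["user"]].add(e["asn"])
        elif e["op"] in RULE_OPS:
            reasons = rule_risk(e.get("rule", {}))
            if e["asn"] not in signin_asns[e["user"]]:
                reasons.append("rule changed from ASN never seen in user sign-ins")
            if reasons:
                alerts.append({"user": e["user"], "rule": e.get("rule", {}).get("name"),
                               "ip": e["ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in concurrent_sessions(EVENTS) + rule_churn(EVENTS):
        print(alert)
```

Both checks deliberately key on the session's infrastructure (ASN, country, the IP behind the rule change) rather than on the account, so that a response can target the offending session while the legitimate user's own session is left alone. In practice the sign-in baseline would be built from weeks of history rather than the same batch of events, and the ASN field would come from an enrichment step, since raw audit logs usually carry only the IP.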