Security researchers have identified a new wave of cyber campaigns in which criminals rent inexpensive cloud servers to hijack business email accounts, a tactic that helps them bypass traditional security controls.
In a security report shared with Hackread, Darktrace notes a substantial uptick in these campaigns since March 2025, with one VPS provider, Hyonix, reporting a doubling of malicious activity. Darktrace investigation details how criminals exploit affordable infrastructure to stay under the radar.
The attackers employ a tactic described as SaaS hijacking, seizing control of email accounts while legitimate users remain logged in. This enables them to bypass some security tools and appear as trusted users, complicating detection and response.
Once inside, they attempt to remain hidden by creating subtle email rules with vague names that redirect or suppress messages. For example, they may automatically delete invoices-related emails to erase traces. They rely on VPS services to provide a clean IP address that blends in with normal business activity, aiding evasion of security checks.
Darktrace reported that attackers have used other providers such as Mevspace and Hivelocity, and observed suspicious logins from distant locations moments after a user’s legitimate login, sometimes bypassing Multi-Factor Authentication. In one case, a remote access tool called SplashtopStreamer.exe was detected, suggesting an effort to gain a more permanent foothold.
The report cites two concrete examples: hidden rules that delete invoice-related emails, and multiple users with similar rules attempting to alter account-recovery settings to maintain long-term access. The findings underscore the need for security systems that learn and respond to unusual behavior rather than relying solely on static rules. Jason Soroko, a Senior Fellow at Sectigo, described attackers as “renting trust” and said, “the mailbox becomes the control plane.”