Virtual Infrastructure Abuse leads to SaaS Hijacks
Essential information
- Published: 27/08/2025 16:22
- Modified: 27/08/2025 19:43
- Tags: 2025-08-27 hyonix inbox rules phishing saas compromise session hijacking vps abuse
- Related entities: 9 techniques (MITRE)
Description
This analysis examines a series of coordinated SaaS account compromises across multiple customer environments, involving suspicious logins from VPS-linked infrastructure followed by unauthorized inbox rule creation and deletion of phishing-related emails. The attackers leveraged virtual private servers (VPS) from providers like Hyonix to bypass geolocation-based defenses, evade IP reputation checks, and blend into legitimate traffic. Key tactics included session hijacking, inbox rule manipulation, and attempts to modify account recovery settings. The incidents highlight the growing abuse of VPS infrastructure in stealthy, scalable attacks targeting SaaS platforms.
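A detection sketch for the sequence described above, added here as an illustration and not taken from the original analysis: it flags mailbox or recovery changes that follow activity from a hosting ASN, and notes when the same session appears from more than one ASN. The event schema, action names, ASN values and sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: ASNs your enrichment source classifies as VPS/hosting.
# Private-use ASNs serve as placeholders, not real provider numbers.
HOSTING_ASNS = {64512, 64513}
SENSITIVE = {"inbox_rule_created", "mail_deleted", "recovery_settings_changed"}
WINDOW = timedelta(hours=1)

# Constructed sample events (hypothetical schema; IPs from documentation ranges).
EVENTS = [
    {"ts": "2025-08-01T09:00:00", "user": "alice", "session": "s1", "ip": "192.0.2.10", "asn": 64496, "action": "login"},
    {"ts": "2025-08-01T09:20:00", "user": "alice", "session": "s1", "ip": "203.0.113.7", "asn": 64512, "action": "session_activity"},
    {"ts": "2025-08-01T09:25:00", "user": "alice", "session": "s1", "ip": "203.0.113.7", "asn": 64512, "action": "inbox_rule_created"},
    {"ts": "2025-08-01T09:27:00", "user": "alice", "session": "s1", "ip": "203.0.113.7", "asn": 64512, "action": "mail_deleted"},
    {"ts": "2025-08-01T10:00:00", "user": "bob", "session": "s2", "ip": "198.51.100.4", "asn": 64497, "action": "login"},
    {"ts": "2025-08-01T10:05:00", "user": "bob", "session": "s2", "ip": "198.51.100.4", "asn": 64497, "action": "inbox_rule_created"},
]

def find_suspicious(events, hosting_asns=HOSTING_ASNS, window=WINDOW):
    """Return one finding per sensitive action that follows hosting-ASN activity."""
    findings = []
    session_asns = defaultdict(set)   # (user, session) -> ASNs seen so far
    last_hosting = {}                 # user -> time of latest hosting-ASN activity
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["session"])
        session_asns[key].add(ev["asn"])
        if ev["asn"] in hosting_asns:
            last_hosting[ev["user"]] = ts
        seen = last_hosting.get(ev["user"])
        if ev["action"] in SENSITIVE and seen is not None and ts - seen <= window:
            findings.append({
                "user": ev["user"],
                "action": ev["action"],
                "ip": ev["ip"],
                # Same session observed from more than one ASN suggests token reuse elsewhere.
                "session_moved": len(session_asns[key]) > 1,
            })
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(EVENTS):
        print(finding)
```

Bob's rule creation from a non-hosting ASN is not flagged, which is the point of correlating on network origin instead of alerting on every inbox rule.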