ARO: User Authentication Detected

Threat actors frequently use VPN/VPS providers to mask their location when attempting to breach your threat surface.


A VPN (https://en.wikipedia.org/wiki/Virtual_private_network) or VPS (https://en.wikipedia.org/wiki/Virtual_private_server) is typically used to launch a phishing campaign that collects login credentials, or to carry out brute-force login attempts. Once credentials have been obtained, the VPN/VPS is then used to breach your threat surface.


Field Effect maintains its own database of suspicious VPN/VPS IPs, incorporating detections from the Field Effect solution as well as external resources such as ip2location.com.


Authentication attempts made from suspicious IPs may be an indication of an account compromise, especially if the activity cannot be attributed to the intended user. This alert tells you which account was used to connect to which service, where the connection was made from, and which VPN/VPS service was used.
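As an added illustration of the kind of check behind this alert (example code, not Field Effect's own detection logic), the following Python matches authentication events against a table of VPN/VPS ranges and reports the account, service, source IP and provider, along with the number of failed attempts that preceded the success from the same IP; the log format, IP ranges and provider names are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed placeholder ranges and provider names (not Field Effect's database).
SUSPICIOUS_RANGES = [
    (ipaddress.ip_network("203.0.113.0/24"), "ExampleVPN"),
    (ipaddress.ip_network("198.51.100.0/25"), "ExampleVPS Hosting"),
]

def lookup_provider(ip):
    """Return the flagged VPN/VPS provider for ip, or None if it is not listed."""
    addr = ipaddress.ip_address(ip)
    for net, provider in SUSPICIOUS_RANGES:
        if addr in net:
            return provider
    return None

def parse_line(line):
    """Parse a constructed log line: '<ts> user=<u> service=<s> src=<ip> result=<r>'."""
    return dict(kv.split("=", 1) for kv in line.split()[1:])

def detect(lines):
    """Return one alert per successful login from a flagged IP.

    prior_failures counts earlier failed logins from the same flagged IP,
    which gives brute-force context for the analyst.
    """
    failures = Counter()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        provider = lookup_provider(ev["src"])
        if provider is None:
            continue  # not a VPN/VPS source; nothing to report
        if ev["result"] != "success":
            failures[ev["src"]] += 1
            continue
        alerts.append({
            "account": ev["user"],
            "service": ev["service"],
            "source_ip": ev["src"],
            "provider": provider,
            "prior_failures": failures[ev["src"]],
        })
    return alerts

# Constructed sample log: alice logs in from a VPN range, bob from a clean
# address, carol succeeds from a VPS range after two failures.
SAMPLE_LOG = [
    "2024-05-01T08:02:11Z user=alice service=m365 src=203.0.113.45 result=success",
    "2024-05-01T08:05:40Z user=bob service=vpn-gateway src=192.0.2.10 result=success",
    "2024-05-01T08:07:03Z user=carol service=m365 src=198.51.100.77 result=failure",
    "2024-05-01T08:08:30Z user=carol service=m365 src=198.51.100.77 result=failure",
    "2024-05-01T08:09:19Z user=carol service=m365 src=198.51.100.77 result=success",
]
```

Running `detect(SAMPLE_LOG)` yields two alerts, for alice (no prior failures) and carol (two prior failures); bob's login is not reported because his source IP is not in the table.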


If the activity is known to the flagged user, the ARO can be dismissed to prevent further reporting. However, if the activity is not known, we recommend changing the credentials for the affected account and ensuring Multi-Factor Authentication (MFA) is enabled.


We also recommend confirming with the user whether they received a phishing email. If such an email exists, please submit it to our Suspicious Email Analysis Service (SEAS).


You can also use resources such as https://abuseipdb.com to check the reputation of the IP and see whether it has been used as the source of a phishing campaign of which the indicated user may have been a victim.
