Adversaries consistently abuse virtual private networks when attempting to compromise identities, but distinguishing this behavior from authorized employee use is not so simple.
Virtual private networks (VPNs) allow adversaries to conceal the origin of their IP space, often in an attempt to make it appear as if they are logging into an account from an expected location. This allows them to circumvent network and identity-based controls that would otherwise block login attempts from unusual internet service or hosting providers, IP ranges, and geolocations.
Likewise, in theory, the use of a VPN should be an equally obvious signal that a login is suspicious. Fortunately for defenders, many identity providers and other widely available resources help security teams surface VPN use. Unfortunately, our data shows that legitimate users also frequently log into corporate assets from behind a VPN, intentionally or not.
Across our dataset of confirmed threat detections targeting email systems, adversaries most commonly abused the following VPN products:
We chose to limit our analysis to email threats for convenience's sake, but these are very likely among the top VPNs that adversaries are abusing in intrusions across identities, endpoints, the cloud, and other SaaS applications. The reason for that is simple: These are also among the most popular consumer VPNs on the market and in use across our customers.
Interestingly, when we surveyed our data set for VPN usage generally (i.e., not limited to VPNs we associated with confirmed threat detections), organizations in the educational services sector accounted for 63 percent of all VPN use. This is despite the fact that organizations in the educational services sector make up a relatively small fraction of our overall customer base.
Ultimately, organizations’ approaches to VPN use vary widely. As is the case with potentially unwanted programs (PUPs), some companies care deeply about them, want to know who’s using them, and take measures to prevent their use. Others do not care whatsoever and make no effort to limit their use.
Our official stance as security practitioners is that organizations should attempt to limit unsanctioned VPN usage in their environment so that VPN abuse is rare and therefore a potentially useful signal for identifying suspicious logons and other activity.
Minimizing the illegitimate use of VPNs in corporate environments starts with clear and enforceable policies. Organizations should explicitly outline acceptable use cases, prohibit personal or unauthorized VPNs, and provide secure, corporate-approved alternatives such as zero-trust remote access or corporate VPN solutions.
Employee education is equally important, as it helps employees understand the risks associated with personal VPN use, including how it can obscure malicious activity and compromise the organization’s security. Awareness programs should highlight safe access practices and emphasize the importance of adhering to corporate policies.
To prevent and mitigate VPN abuse, organizations should implement a multi-layered technical control strategy that integrates network, endpoint, and identity-based protections. This starts with IP and Autonomous System Number (ASN) allowlisting and blocklisting to restrict access to untrusted IP ranges while using up-to-date threat intelligence feeds to block known consumer VPN services. Network-level controls, such as DNS filtering, can further prevent users from installing or connecting to unauthorized VPN services.
A robust device-trust model, enforced through identity and access management (IAM) or mobile device management (MDM) solutions, ensures that only compliant, corporate-managed devices can access sensitive resources. Conditional access policies (CAP) can require additional authentication checks when VPN usage is detected or block access entirely based on risk signals. These tools can be used to manage browser extensions and prevent the installation of freemium VPN services from sources like the Chrome Web Store.
Lastly, deploying phishing-resistant authentication mechanisms like FIDO2 or WebAuthn adds an extra layer of protection against credential compromises originating from VPN egress points. By combining these network, endpoint, and identity-based controls, organizations can significantly reduce unauthorized VPN usage while maintaining secure remote access for legitimate users.
Detecting and mitigating VPN abuse requires building robust behavioral baselines at both the corporate and user/systems level. Security teams should monitor typical access patterns—including locations, IP addresses, internet service providers, and access times—to identify deviations that may indicate malicious activity. Workflows should include fingerprinting VPN usage by analyzing known VPN IP ranges, user-agent properties, and unusual access behaviors like frequent IP hopping, connections from high-risk geographies, or hosting providers commonly associated with adversaries.
Developing the ability to reliably detect VPN abuse can be difficult, relying on relatively esoteric signals from your networking security tools or an identity provider. It can also be prone to false positives depending on how prevalent VPN use is across your environment. However, the following pseudo-detection analytics should work as a good starting point for organizations to start developing the ability to detect or at least gain awareness of suspicious VPN activity.
The following is a good way to start looking for unusual VPN logins but may require a security team to develop automated investigation techniques. It’s going to look for successful logins from a public IP address where the IP is rare for the organization and infrequently used within a 30-day window for that user:
Login_succeeded?
&&
source_ip_public
&&
rare_isp_organization(percentile_threshold: 10, frequency_threshold: 0.015, within: 30.days, user_only: true)
Again, the following will look for successful logins from public IP ranges. However, this analytic will trigger on logins containing known bad user-agent strings:
Login_succeeded?
&&
source_ip_public
&&
logon_attempt_property_includes_any?(property_path: 'resulting_logon_session.user_agent', strings: ['evil_user_agent_strings'])
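As an added example that is not part of the original article or its detection engine, the following Python models both pseudo-analytics above over a constructed set of login events: a successful login from a public IP whose ISP organization is rare for that user within a trailing 30-day window, and a successful public-IP login carrying a known bad user-agent substring. It assumes a simplified public-IP test (anything outside RFC 1918, loopback and link-local), a hypothetical bad user-agent list, and implements rare_isp_organization using only its frequency_threshold, within and user_only parameters (no percentile ranking).

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Hypothetical list of user-agent substrings the organization has tied to abuse.
BAD_UA_STRINGS = ["python-requests/", "curl/"]
# Simplified "public IP" test: anything outside RFC 1918, loopback and link-local
# counts as public, so the RFC 5737 documentation addresses in the sample data qualify.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_public_ip(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC)

def rare_isp_for_user(events, event, within_days=30, frequency_threshold=0.015):
    """True if this ISP makes up <= frequency_threshold of the user's successful logins in the window."""
    ts = datetime.fromisoformat(event["ts"])
    start = ts - timedelta(days=within_days)
    window = [e for e in events if e["user"] == event["user"] and e["success"]
              and start <= datetime.fromisoformat(e["ts"]) <= ts]
    return Counter(e["isp"] for e in window)[event["isp"]] / len(window) <= frequency_threshold

def evaluate(events):
    """Return (event, reasons) for every successful public-IP login that fires an analytic."""
    hits = []
    for e in events:
        if not (e["success"] and is_public_ip(e["ip"])):
            continue  # both analytics gate on Login_succeeded? && source_ip_public
        reasons = []
        if rare_isp_for_user(events, e):
            reasons.append("rare_isp_organization")
        if any(s in e["user_agent"] for s in BAD_UA_STRINGS):
            reasons.append("bad_user_agent")
        if reasons:
            hits.append((e, reasons))
    return hits

def make_events():
    """Constructed sample data: 100 routine logins for alice, then three edge cases."""
    base = datetime(2024, 3, 1, 9)
    def ev(delta, ip, isp, ua):
        return {"user": "alice", "success": True, "ip": ip, "isp": isp,
                "user_agent": ua, "ts": (base + delta).isoformat()}
    routine = [ev(timedelta(hours=6 * i), "203.0.113.10", "Example Corp ISP", "Mozilla/5.0 Outlook")
               for i in range(100)]
    return routine + [
        ev(timedelta(days=26), "198.51.100.7", "Consumer VPN Co", "Mozilla/5.0 Outlook"),  # rare ISP
        ev(timedelta(days=27), "203.0.113.10", "Example Corp ISP", "python-requests/2.31"),  # bad UA
        ev(timedelta(days=27), "10.0.0.5", "Consumer VPN Co", "Mozilla/5.0 Outlook")]  # private IP: skipped
```

With the sample data, the rare-ISP login is one of 101 logins in its window (about 1 percent, under the 1.5 percent threshold), the bad user-agent login is flagged despite coming from the usual ISP, and the private-IP login is never evaluated.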
There are also statistics-based methods that security teams can use to detect potentially suspicious logins, which are described in depth in this brute force attacks blog.
Testing for malicious and suspicious VPN usage can be tricky, but the following Atomic Red Team test is probably the best available for validating your ability to root out potential VPN abuse:
Generically, the following resource from Microsoft is a great resource for testing the TTPs we see resulting from VPN usage: