Description
This detector identifies the use of an encrypted network tunnel to route user traffic through a virtual private network (VPN). Rather than treating all VPN usage uniformly, the detector classifies VPN connections based on provider type, infrastructure characteristics, and reputation signals.
VPN usage is categorized into several broad classes, each carrying different risk implications:
Attack-favored VPN services
High-anonymity commercial VPN providers that are disproportionately used by threat actors due to minimal logging policies, resilience to takedown, or accessibility from restricted regions.
Consumer and private VPN services
Widely used commercial VPNs employed by the general public for privacy, remote access, or bypassing content restrictions.
Enterprise-managed VPN infrastructure
Corporate VPN solutions operated and managed by organizations, such as secure access gateways or device-based tunnels. These connections are generally tied to a specific enterprise environment and are typically associated with lower risk when they align with known organizational usage.
Relevance to Social Engineering Attacks
VPNs play a central role in enabling attackers to establish technical plausibility that supports social engineering narratives. By controlling where traffic appears to originate, attackers can reinforce false claims of identity or location.
Common attacker use cases include:
Geographic alignment with victim profiles
Attackers impersonating employees frequently select VPN exit nodes located in the same city or region as the victim. When technical logs reflect the expected location, help desk agents and automated systems are less likely to suspect impersonation.
Bypassing perimeter-based access controls
Many organizations restrict access to administrative interfaces or sensitive systems to traffic originating from internal networks or approved VPN ranges. After stealing credentials, attackers use VPN access to circumvent these controls and appear as legitimate internal users.
Provider reputation as a risk signal
Certain VPN providers are strongly associated with malicious activity. Detection of traffic originating from such providers can serve as a high-confidence indicator of elevated risk, particularly when correlated with other behavioral or device-level anomalies.
Examples of Detected VPN Providers
This detector covers a broad spectrum of VPN services, including:
High-risk or attack-favored VPN providers
Astrill VPN, Mullvad, Perfect Privacy.
Consumer and private VPN services
NordVPN, ExpressVPN, Surfshark.
Enterprise VPN solutions
Zscaler, Palo Alto GlobalProtect, Cisco AnyConnect.
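The provider classification and risk-signal logic described above, as an added Python example that is not the detector's own code: each source IP is mapped to a provider class, an enterprise VPN the organization does not operate is scored as untrusted rather than low risk, and weight is added for home-region alignment, help-desk identity actions and a first-seen device. The prefix table (reserved documentation ranges, not real provider address space), score weights, threshold and sample events are constructed assumptions.

```python
import ipaddress

# Constructed provider table: RFC 5737/2544 reserved prefixes, not real provider ranges.
PROVIDER_PREFIXES = {
    "192.0.2.0/24": ("Astrill VPN", "attack_favored"),
    "198.51.100.0/24": ("NordVPN", "consumer"),
    "203.0.113.0/24": ("Zscaler", "enterprise"),
    "198.18.0.0/24": ("Cisco AnyConnect", "enterprise"),
}
KNOWN_ENTERPRISE_VPNS = {"Zscaler"}  # the VPN this hypothetical organization actually operates
CLASS_SCORE = {"attack_favored": 70, "consumer": 30, "enterprise": 5, "none": 0}
HELP_DESK_ACTIONS = {"password_reset", "mfa_reset"}  # identity-recovery flows targeted by SE

def classify_ip(ip):
    addr = ipaddress.ip_address(ip)
    for prefix, (provider, vpn_class) in PROVIDER_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            # An enterprise VPN the organization does not run is not "ours": score it like a consumer tunnel.
            if vpn_class == "enterprise" and provider not in KNOWN_ENTERPRISE_VPNS:
                vpn_class = "consumer"
            return provider, vpn_class
    return None, "none"

def score_event(event):
    provider, vpn_class = classify_ip(event["src_ip"])
    score, reasons = CLASS_SCORE[vpn_class], []
    if provider:
        reasons.append(f"{vpn_class} VPN provider: {provider}")
    # A non-enterprise exit node in the user's own region is what an impersonator wants the logs to show.
    if provider and vpn_class != "enterprise" and event["geo_region"] == event["user_home_region"]:
        score += 15
        reasons.append("VPN exit aligned with user's home region")
    if event["action"] in HELP_DESK_ACTIONS:
        score += 15
        reasons.append(f"help-desk identity action: {event['action']}")
    if event.get("new_device"):  # device-level anomaly
        score += 10
        reasons.append("first-seen device")
    return score, reasons

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"user": "jdoe", "src_ip": "203.0.113.10", "action": "login", "geo_region": "TX", "user_home_region": "TX", "new_device": False},
    {"user": "asmith", "src_ip": "192.0.2.45", "action": "mfa_reset", "geo_region": "CA", "user_home_region": "CA", "new_device": True},
    {"user": "bkim", "src_ip": "198.18.0.7", "action": "login", "geo_region": "WA", "user_home_region": "WA", "new_device": False},
]

def triage(events, threshold=60):
    # Rows are (user, score, reasons) for events at or above the alert threshold.
    return [row for row in ((e["user"], *score_event(e)) for e in events) if row[1] >= threshold]
```

Only the MFA reset from the attack-favored provider crosses the threshold; the corporate Zscaler login stays at baseline and the foreign enterprise tunnel lands in between.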
Notable Incidents and Threat Actors
North Korean IT Worker operations and the Lazarus Group
Intelligence from recent years indicates extensive use of Astrill VPN by North Korean operators, including so-called “fake IT workers” and Lazarus Group subgroups, to conceal true locations while applying for remote roles or accessing compromised infrastructure.
Scattered Spider (UNC3944)
Frequently observed using commercial VPN services to align IP geolocation with the physical location of the victims they impersonate during SIM swap attacks and help desk–driven social engineering.
Akira Ransomware
Known for leveraging compromised credentials to gain initial access through corporate VPNs, often following successful social engineering campaigns.
