New Data Center Observed in Widespread AitM Attack Campaign
A data center in Tampa is the backbone of a new wave of AitM phishing campaigns we've observed. Here's what you need to know and how to block it.
A New Week, A New AitM Campaign.
Several weeks ago, we published a guide on how to block logins from a data center frequently used in adversary-in-the-middle (AitM) attacks.
Now, a new data center is active.
Across multiple tenants, we’ve seen malicious logins originating from a Tampa-based data center, often followed by an attacker pivot to proxy infrastructure.
Tampa First, Proxy Later
Here’s an anonymized timeline.
Note that the attacker begins in the Tampa data center, then quickly shifts to a proxy IP in New Jersey.
This is a common post-exploitation pattern in AitM attacks: the attacker uses static infrastructure to gain initial access, then pivots to different proxies to obfuscate their malicious behavior and evade detection.
IP Range to Block
Because Microsoft’s reported location data is often unreliable, we recommend blocking attacker infrastructure by hardcoding malicious IP ranges—not relying on geolocation.
The Tampa-based range we’re seeing in this new attack campaign is:
2604:4500:0006::/48
(AS29802 HIVELOCITY, Inc.)
For more details on how to set up a conditional access policy to block this IP range, check out our previous blog here.
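Blocking the range at the Conditional Access layer is the fix; the same range is also worth checking retroactively in sign-in logs, because the post-exploitation pattern above (static data center first, proxy second) is visible there. The following is an added example, not code from this post or from Petra Security: it matches sign-in source IPs against the advisory's /48 by CIDR rather than geolocation, and then flags accounts whose sign-in from that range is followed within a short window by a sign-in from a different, non-blocked IP. The sign-in records, usernames, timestamps and the non-Tampa IPs are all constructed sample data; only the `2604:4500:0006::/48` range comes from the advisory.

```python
import ipaddress
from datetime import datetime, timedelta

# The Tampa range from the advisory (AS29802 HIVELOCITY, Inc.). Matching is done
# on the CIDR itself, not on a geolocation lookup.
BLOCKED_RANGES = [ipaddress.ip_network("2604:4500:0006::/48")]

# Constructed sample sign-in records (not real log data). The second and third
# entries model the "data center first, proxy later" timeline from the post.
SAMPLE_SIGNINS = [
    {"time": "2024-01-01T09:00:00Z", "user": "alice@example.com", "ip": "203.0.113.10"},
    {"time": "2024-01-01T10:02:00Z", "user": "bob@example.com", "ip": "2604:4500:6:abcd::1"},
    {"time": "2024-01-01T10:19:00Z", "user": "bob@example.com", "ip": "198.51.100.77"},
    {"time": "2024-01-01T11:00:00Z", "user": "carol@example.com", "ip": "2604:4501:6::1"},
]


def in_blocked_range(ip_text):
    """Return True if ip_text parses as an address inside any blocked range."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False  # malformed field: no match, but do not crash the pipeline
    return any(addr in net for net in BLOCKED_RANGES if addr.version == net.version)


def parse_time(text):
    # ISO 8601 with a trailing Z, normalised so it parses on Python < 3.11 too
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def flag_signins(signins):
    """Accounts with at least one sign-in sourced from a blocked range."""
    return sorted({s["user"] for s in signins if in_blocked_range(s["ip"])})


def find_pivots(signins, window=timedelta(hours=6)):
    """Detect the data-center -> proxy pattern: a sign-in from a blocked range
    followed, for the same account within `window`, by a sign-in from another
    IP that is outside the blocked ranges."""
    by_user = {}
    for s in signins:
        by_user.setdefault(s["user"], []).append(s)

    pivots = []
    for user, events in by_user.items():
        events.sort(key=lambda e: parse_time(e["time"]))
        for i, first in enumerate(events):
            if not in_blocked_range(first["ip"]):
                continue
            for later in events[i + 1:]:
                gap = parse_time(later["time"]) - parse_time(first["time"])
                if gap > window:
                    break
                if later["ip"] != first["ip"] and not in_blocked_range(later["ip"]):
                    pivots.append({
                        "user": user,
                        "initial_ip": first["ip"],
                        "pivot_ip": later["ip"],
                        "minutes": int(gap.total_seconds() // 60),
                    })
                    break  # report the first pivot per blocked-range sign-in
    return pivots


if __name__ == "__main__":
    print("accounts seen from the blocked range:", flag_signins(SAMPLE_SIGNINS))
    for p in find_pivots(SAMPLE_SIGNINS):
        print(f"{p['user']}: {p['initial_ip']} -> {p['pivot_ip']} after {p['minutes']} min")
```

Two design points matter here. The range check uses `ipaddress` so that IPv6 notation differences (`0006` versus `6`, compressed `::`) never cause a miss, which is exactly the kind of mistake a string-prefix comparison makes. And the pivot detector keys on the account, not the IP: once the static range is blocked, the pivot IP is the one still holding the session, so the account is what needs to be reviewed and its sessions revoked.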
Takeaway: Infrastructure Rotates. Attacker Patterns Don’t.
Attackers frequently rotate infrastructure. But patterns persist: the attacker logs in from a static cloud data center, then pivots to dynamic proxies to cover their tracks.
The reason for this is simple: the attacker’s goal is to maintain persistence and either (1) continue to extract value from that organization or (2) use the compromised account to phish another organization.
By pivoting infrastructure, the attacker creates a new trail that defenders might overlook — buying themselves more time in the environment.
We’ve seen this static cloud data center → dynamic proxy pivot before with Arizona-based infrastructure (Global Connectivity Solutions LLP, Global Internet Solutions LLC). Now it’s Tampa.
We’re able to catch these shifts quickly because we track attacker behavior across so many environments in real-time. Our detection engine learns from each campaign and quickly adapts.
We’ll continue to publish threat advisories like this one as we see new infrastructure come online.
If you’re an IT admin and you take anything away from this post, it should be to immediately block this IP range:
2604:4500:0006::/48
(AS29802 HIVELOCITY, Inc.)
If you want to stay ahead of these attackers and keep them out of your M365 environments, connect with me on LinkedIn or reach out at [first name] [at] petrasecurity.com.