Seeing Through the Tunnel: Leveraging SIEM Detections to Expose Malicious SSL VPN Authentications

The Blackpoint SOC is seeing a sharp and sustained increase in threat actors targeting corporate networks through SSL VPN as their primary entry point. The attack pattern is consistent: a threat actor compromises a VPN user account, uses that foothold to access the network, and immediately begins moving toward high-value systems such as File Servers, Hyper-V hosts, and Domain Controllers. 

What makes this threat particularly alarming is the speed at which the attack unfolds alongside the fact that the threat actor assumes the identity of the legitimate user. Blackpoint has observed incidents where attackers moved from initial VPN access to critical infrastructure in a matter of minutes. In many cases, threat actors arrive already knowing the network layout, allowing them to bypass reconnaissance entirely and move straight to their targets. Once there, the typical endgame is a double extortion attack: data is stolen and the business is threatened first, followed by a second wave of encryption that can bring operations to a halt. 

Staying ahead of this attack chain requires more than reactive defense. It requires visibility at the earliest possible moment. The Blackpoint platform’s SIEM detection capabilities, now extended to ingesting SonicWall and other SSL VPN authentication logs, give the Blackpoint SOC the ability to flag malicious authentications at the moment they occur. This development gives the Blackpoint SOC an earlier signal into authentication activity, enabling analysts to identify and act on suspicious access before an attacker ever gets the chance to move laterally through a network.

Key Takeaways 

  • SSL VPNs are a primary target. Threat actors are actively and consistently exploiting SSL VPN credentials as their preferred method of gaining initial access into corporate networks. 
  • Speed is the defining factor. Attackers are moving from initial VPN access to critical systems in minutes, leaving little room for traditional detection and response methods to keep up. 
  • High-value systems are the immediate objective. Once inside, threat actors prioritize Domain Controllers and File Servers, meaning a single compromised VPN account can quickly escalate into an organization-wide crisis. 
  • Attackers often arrive prepared. Many threat actors already have a map of the target network before they even log in, allowing them to skip reconnaissance and strike directly at critical infrastructure. 
  • Double extortion is the new standard. Businesses are no longer just facing encryption. Attackers are stealing data first and using it as additional leverage, compounding both financial and reputational damage. 
  • Earlier visibility changes the outcome. By ingesting SSL VPN authentication logs, the Blackpoint SOC gains the earliest possible signal of a potential intrusion, enabling analysts to intervene before an attacker can establish a foothold. 

Kill Chain

One Account, One Open Door 

In this incident, the Blackpoint SOC identified a compromised user account authenticating into a client environment through a SonicWall SSL VPN. Blackpoint’s SIEM detection logic immediately flagged the authentication, which originated from a Virtual Private Server (VPS) hosted by Vultr Holdings, LLC. Attacker-controlled VPS infrastructure of this kind is commonly used to route malicious traffic through domestic IP addresses, making the login appear legitimate and difficult to distinguish from normal access activity.

What followed painted a clear and alarming picture of just how fast a modern intrusion can escalate. Within seven minutes of that initial authentication, the threat actor had already begun scanning the internal network and attempting to move laterally toward high-value systems. Seven minutes. That is the entire window between an attacker logging in and actively working to compromise critical infrastructure. 

This timeline is not an outlier. It is the new normal, and it underscores a critical reality for organizations of every size. The moment a threat actor clears authentication, the clock starts. Without SIEM visibility at that initial login event, by the time suspicious activity is detected the attacker has already had minutes, sometimes longer, to orient themselves and begin moving toward the most sensitive parts of the network. 

Because this tenant had integrated their SSL VPN logs with the Blackpoint platform, the SOC’s SIEM detections were positioned to act at the earliest possible moment, well before the threat actor could establish a deeper foothold. The environment was contained, remediated, and hardened with no further impact beyond the initially compromised account. 

Caught at the Door: How Early SSL VPN Detection Stopped a Threat Actor Before Lateral Movement Began 

This incident tells a more complex story, one that highlights not just the speed of modern intrusions, but the persistence and organizational structure behind them. 

Blackpoint SIEM detection logic flagged a threat actor successfully authenticating into a client environment through a compromised VPN account. The authentication originated from infrastructure hosted by BulletProof Hosting, a provider with a well-documented reputation for harboring malicious activity and serving as a preferred hosting environment for threat actors conducting credential-based intrusions. While the threat actor did attempt to mount file shares within the environment, the Blackpoint SOC quickly identified and notified the client, containing the intrusion before it could progress into a full lateral movement campaign. 

At the center of this incident is a reality that every organization must confront. Stolen credentials are not a one-time problem. Once a user’s identity has been compromised, that access does not disappear. It circulates, gets reused, and becomes a persistent liability until it is fully contained and remediated. A compromised VPN account is not just an unauthorized login. It is a stolen identity being weaponized against your business. 

Thirteen days later, that reality materialized. A second intrusion targeting the same environment occurred, this time through a different user account originating from a similar source subnet. The pattern was unmistakable. This was not a coincidence. It was a deliberate follow-on attempt, a clear signal that the threat actors behind both intrusions were operating with intent and patience.

Once again, Blackpoint’s SIEM detections flagged the suspicious authentication before the intrusion could take hold. The compromised on-premises account was disabled, the client was notified, and the environment was contained before the intrusion could progress beyond the initial authentication. No further impact was observed outside of the two compromised VPN accounts.

What this case study makes clear is that a single compromised credential is rarely the full story. Organizations that experience one SSL VPN breach should treat it as a strong signal that their credentials may already be circulating in threat actor communities, and that a second attempt is not a matter of if, but when. 

Defense Takeaways and Recommendations 

  • Treat VPN Access as a Critical Security Boundary: SSL VPN is no longer just a remote work convenience. It is a primary attack surface that requires the same level of scrutiny and investment as any other critical business system. 
  • Assume Credentials Will Be Compromised: No password policy is foolproof. Businesses should operate under the assumption that credential compromise is a matter of when, not if, and ensure the right detection capabilities are in place to catch misuse the moment it occurs. 
  • Speed of Detection is a Business Continuity Decision: The faster a threat is identified at the point of entry, the less damage it can do. Investing in a SOC with real-time SSL VPN visibility directly reduces the risk of a minor intrusion escalating into a full ransomware event. 
  • Enrich Authentication Events with Threat Intelligence: Raw login data alone is not enough. Enriching authentication events with IP reputation, geolocation, and known malicious infrastructure gives analysts the context needed to separate legitimate access from malicious entry. 
  • Do Not Wait for Lateral Movement to Trigger an Alert: By the time lateral movement is detected, the attacker may already be at the Domain Controller. Push your detection boundary back to the authentication layer, so you are responding to the entry, not the aftermath. 
  • Validate and Audit VPN User Accounts Regularly: Dormant accounts, former employee credentials, and over-permissioned users are low-hanging fruit for threat actors. Regular access reviews reduce the attack surface before it can be exploited. 
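The two detection ideas that run through both case studies and the recommendations above, flagging a successful VPN login whose source IP belongs to rented hosting infrastructure (the VPS and bulletproof-hosting logins) and correlating a later login by a different account from the same source subnet (the follow-on attempt thirteen days later), can be expressed as a small rule set over authentication events. The code below is an added example written for this post, not Blackpoint's detection logic or SonicWall's log format: the key=value syslog lines, the field names (`time`, `msg`, `usr`, `src`), the hosting ranges and the 30-day follow-on window are all constructed assumptions, and the IP addresses come from the RFC 5737 documentation ranges.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed SonicWall-style syslog lines (key=value). Field names and IPs are
# illustrative assumptions, not captured from a real device.
SAMPLE_LOGS = [
    'time="2026-05-01 08:02:11" fw=203.0.113.1 msg="SSL VPN login success" usr="j.doe" src=198.51.100.23',
    'time="2026-05-01 08:05:40" fw=203.0.113.1 msg="SSL VPN login success" usr="a.smith" src=192.0.2.77',
    'time="2026-05-14 22:17:03" fw=203.0.113.1 msg="SSL VPN login success" usr="b.lee" src=198.51.100.88',
    'time="2026-05-14 22:20:09" fw=203.0.113.1 msg="SSL VPN login failed" usr="b.lee" src=198.51.100.88',
]

# Constructed reputation table: networks classified as rented hosting infrastructure.
# A production pipeline would populate this from an ASN / IP reputation feed.
HOSTING_NETWORKS = {
    ipaddress.ip_network("198.51.100.0/24"): "vps-hosting",
    ipaddress.ip_network("192.0.2.64/26"): "bulletproof-hosting",
}

# Assumption: a later login from the same /24 within this window counts as a follow-on attempt.
FOLLOW_ON_WINDOW = timedelta(days=30)

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    fields = {k: quoted if quoted else bare for k, quoted, bare in KV_RE.findall(line)}
    fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
    fields["src"] = ipaddress.ip_address(fields["src"])
    return fields


def classify_source(ip):
    """Return the hosting category for ip (str or address), or None if it is not in a known range."""
    ip = ipaddress.ip_address(ip)
    for net, category in HOSTING_NETWORKS.items():
        if ip in net:
            return category
    return None


def detect(lines):
    """Run both rules over the lines and return the alerts in the order they fire."""
    alerts = []
    flagged_subnets = {}  # /24 -> first successful login from that subnet that rule 1 flagged
    for ev in (parse_event(line) for line in lines):
        if ev.get("msg") != "SSL VPN login success":
            continue  # only a successful authentication is an entry through the front door
        subnet = ipaddress.ip_network(f"{ev['src']}/24", strict=False)
        category = classify_source(ev["src"])

        # Rule 1: successful VPN login from rented hosting infrastructure.
        if category:
            alerts.append({"rule": "hosting_source_login", "usr": ev["usr"],
                           "src": str(ev["src"]), "category": category, "time": ev["time"]})

        # Rule 2: a different account logging in from a previously flagged /24.
        prior = flagged_subnets.get(subnet)
        if prior and prior["usr"] != ev["usr"] and ev["time"] - prior["time"] <= FOLLOW_ON_WINDOW:
            alerts.append({"rule": "follow_on_same_subnet", "usr": ev["usr"], "prior_usr": prior["usr"],
                           "subnet": str(subnet), "days_since_prior": (ev["time"] - prior["time"]).days,
                           "time": ev["time"]})

        if category and subnet not in flagged_subnets:
            flagged_subnets[subnet] = ev
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Running the sample produces three hosting-source alerts and one follow-on alert: the third login is flagged twice, once because its source is in a hosting range and once because a different account (`j.doe`) had already been flagged from the same /24 thirteen days earlier. The follow-on rule fires on the authentication itself, before any file-share or lateral-movement telemetry exists, which is the point the recommendations make about pushing the detection boundary back to the login event. The failed login is deliberately ignored here; a separate rule would count failures for password-spray detection.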

Concluding Thoughts 

Stopping modern intrusions requires getting ahead of them, and that starts with visibility at the front door. The ability to detect and flag malicious SSL VPN authentications through SIEM represents a decisive shift in how early the Blackpoint SOC can intervene. When combined with the SOC’s existing lateral movement detection capabilities, this creates a layered defense that shrinks the attacker’s window of opportunity at every step of the chain.  

For business leaders, the takeaway is straightforward. The entry point matters as much as what happens after it. A single compromised VPN account is all it takes to set off a chain of events that can result in data theft, operational disruption, and significant financial damage. Detecting that compromised account at the authentication layer, before lateral movement ever begins, is what separates a contained incident from a catastrophic one. 

Blackpoint’s continued investment in SSL VPN visibility and SIEM detection reflects a commitment to staying one step ahead of threat actors, so our partners never have to face the consequences of being one step behind. 

Date published: June 9, 2026
Authors: Caden Toellner and Nevan Beal
