Over the past few weeks we've watched account compromise attacks climb sharply across the clients we protect. The pattern that worries us most is device code phishing: attackers abusing the OAuth device code flow, the sign-in mechanism that lets you log a phone or a smart TV into an account by entering a short code on another device instead of typing a password on the device itself. It's a legitimate feature. Attackers have worked out how to turn it against people: the victim is talked into entering a code the attacker generated, and it is the attacker's device that ends up signed in.
So we've changed our posture. From now on, we treat every international sign-in as a potential risk until we have reason to think otherwise.
What's actually changed
It used to be that an overseas login was one signal among several. We'd weigh it up. Now it's closer to a default suspicion. If a sign-in lands from outside Australia, we treat it as something to investigate rather than something to wave through.
The same goes for VPNs. Any consumer VPN, including the ones quietly bundled into antivirus and security suites that most people don't even know are running, masks where a login really came from. Once the origin is hidden, we can't tell your genuine sign-in apart from an attacker holding your password. Origin is one of the main signals we rely on, so anything that masks it is now a concern by default.
And it's broader than just "overseas" or "VPN." Anything that looks odd — an unusual pattern, an unexpected method, a sign-in that doesn't fit how you normally work — is now something we'd rather stop and ask about than let slide.
Why we're being blunt about the trade-off
Here's the part we want to be straight with you on.
We aren't promising to catch everything. No security control does, and any provider who tells you otherwise is selling you something. This change tilts us toward stopping suspicious sign-ins by default — but a determined attacker who looks exactly like you, signing in from down the road, is a genuinely hard problem.
This doesn't replace your own vigilance either. The strongest layer in any of this is still a person who notices the login alert that wasn't them, the MFA prompt they didn't trigger, the email that feels slightly off. We can block masked and unexpected origins all day. We can't sit inside your team's instincts. So keep flagging the odd thing. We'd far rather chase a false alarm than miss the real one.
And — this matters — Australian traffic can be bad too. A login from Sydney isn't innocent just because it's local. Geography is a useful signal, not a verdict. We're sharpening how we treat international and masked sign-ins because that's where the volume is right now, not because we think the threat politely stays offshore.
What this means if you're on Huntress ITDR
If we manage your Huntress Identity Threat Detection and Response, you'll notice us following up more often, and faster.
When Huntress flags a sign-in that fits the risk pattern — an unexpected country, a consumer VPN, something that just doesn't sit right — we'll reach out to confirm whether it was you. If it wasn't, we act. If it was, we note it as expected and move on. Either way you'll hear from us, and either way it gets logged.
Every block we put in place is reversible. We're not locking anyone out for good. If a flagged sign-in turns out to be legitimate — you were travelling, you use a particular VPN for a real reason — you reply, we adjust the rule, and that becomes a deliberate, recorded exception. The point isn't to make your life harder. It's to force a real decision instead of letting a masked login through on autopilot.
flowchart TD
A[Sign-in detected by Huntress ITDR] --> B{Origin clear and expected?}
B -->|Yes| C[Allowed - no action]
B -->|International, VPN, or odd| D[Treated as potential risk]
D --> E[We follow up with you]
E --> F{Was it you?}
F -->|Yes| G[Logged as expected exception<br/>Rule adjusted]
F -->|No| H[Blocked going forward<br/>Account secured]
classDef risk fill:#CF232C,stroke:#CF232C,color:#fff
classDef safe fill:#1E2328,stroke:#1E2328,color:#fff
class D,H risk
class C,G safe
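The decision in the flowchart, written out as a small triage routine. This is an added example, not Huntress or RWTS code: the event fields (user, source country, anonymizer name, authentication method) and the shape of a recorded exception are assumptions for this illustration, not any product's real schema. It shows the three signals the post names (international origin, masked origin, an unexpected method such as device code) and how a recorded exception excuses one exact reason for one user without quietly excusing the others.

```python
"""Sign-in triage in the spirit of the flowchart above.

Added example, not Huntress or RWTS code. SignIn and RecordedException are
assumed shapes for this illustration, not a real product schema.
"""
from __future__ import annotations

from dataclasses import dataclass

HOME_COUNTRY = "AU"
# Methods worth a question by default: device code sign-ins are the lure
# described at the top of the post.
UNEXPECTED_METHODS = {"device_code"}


@dataclass(frozen=True)
class SignIn:
    user: str
    country: str               # ISO 3166-1 alpha-2 of the source IP (assumed field)
    anonymizer: str | None     # VPN/proxy name when the origin is masked, else None
    auth_method: str           # "password", "device_code", ... (assumed field)


@dataclass(frozen=True)
class RecordedException:
    """A deliberate, logged exception agreed with the client after a follow-up."""
    user: str
    country: str | None = None       # "I was travelling" -> country="NZ"
    anonymizer: str | None = None    # "I use this VPN for a real reason"


def review_reasons(event: SignIn) -> list[tuple[str, str]]:
    """Every signal the post treats as 'investigate' rather than 'wave through'."""
    reasons = []
    if event.country != HOME_COUNTRY:
        reasons.append(("international", event.country))
    if event.anonymizer is not None:
        reasons.append(("masked", event.anonymizer))
    if event.auth_method in UNEXPECTED_METHODS:
        reasons.append(("method", event.auth_method))
    return reasons


def excused(event: SignIn, reason: tuple[str, str], exceptions) -> bool:
    """True when a recorded exception for this user covers this exact reason.

    Exceptions are per user and per reason: a travel exception for NZ does not
    excuse a VPN, and nothing on record excuses an unexpected method.
    """
    kind, value = reason
    for exc in exceptions:
        if exc.user != event.user:
            continue
        if kind == "international" and exc.country == value:
            return True
        if kind == "masked" and exc.anonymizer == value:
            return True
    return False


def triage(event: SignIn, exceptions=()) -> tuple[str, list[tuple[str, str]]]:
    """Return ('allow', []) or ('review', reasons still open after exceptions)."""
    open_reasons = [r for r in review_reasons(event) if not excused(event, r, exceptions)]
    return ("review" if open_reasons else "allow"), open_reasons


# Constructed sample batch; not real customer data.
SAMPLE_EVENTS = [
    SignIn("alice", "AU", None, "password"),        # clear and expected
    SignIn("alice", "NZ", None, "password"),        # international
    SignIn("bob", "AU", "avast-vpn", "password"),   # bundled consumer VPN
    SignIn("carol", "AU", None, "device_code"),     # local, but the lure method
    SignIn("dave", "NZ", None, "password"),         # international, recorded exception
]
SAMPLE_EXCEPTIONS = [RecordedException("dave", country="NZ")]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        decision, reasons = triage(event, SAMPLE_EXCEPTIONS)
        print(f"{event.user:6} {event.country} {event.auth_method:12} -> {decision} {reasons}")
```

Note that carol's local sign-in still lands in review: geography is a signal, not a verdict, and a device code sign-in from Sydney gets the same follow-up as one from abroad.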
The short version
Account takeover attempts are up, device code phishing especially. We've responded by treating international sign-ins, VPN-masked sign-ins, and anything genuinely unusual as a risk to check rather than a login to trust. We won't catch everything, your vigilance still matters, and bad sign-ins can come from Australia too. But if something's hiding where it came from, we'd rather stop it and ask.
If you're on Huntress ITDR with us, expect to hear from us when something looks off — and expect us to undo it just as quickly when it turns out to be you.
Questions about how this affects your team, or want a particular VPN allowed for a real business reason? Talk to us on 1300 798 718.