Phishing Campaign Abuses GitHub, Jira Notifications to Bypass Security
Key Takeaways
- Cybercriminals are leveraging legitimate notification features within GitHub and Jira to distribute highly convincing phishing emails.
- These malicious emails originate from the authentic infrastructure of GitHub and Atlassian, bypassing standard email security protocols like SPF, DKIM, and DMARC.
- The primary objective of these attacks is credential harvesting, leading to potential account takeovers and broader network compromises.
- Cisco Talos researchers identified this technique, dubbed “Platform-as-a-Proxy (PaaP),” noting a significant volume of abuse on specific dates.
- Defenders must implement stricter verification processes for SaaS platform emails and integrate API audit logs for proactive threat detection.
Attackers Exploit Trusted GitHub and Jira Notifications to Launch Sophisticated Phishing Campaigns
A new and alarming phishing campaign is exploiting the inherent trust placed in widely used development and IT management tools, GitHub and Jira. Threat actors are manipulating the automated notification systems of these platforms to send highly credible phishing emails that originate directly from the vendors’ own servers, effectively sidestepping conventional email security measures. This sophisticated tactic was recently detailed in a comprehensive report by Cisco Talos.
The efficacy of this campaign lies in its deceptive simplicity. Unlike traditional phishing attempts that rely on spoofed sender addresses or meticulously crafted lookalike domains, which are often flagged by security tools, these malicious messages emanate from verified infrastructure. Emails appear to come from legitimate servers belonging to GitHub and Atlassian, the company behind Jira.
Because these messages adhere to all standard email authentication protocols, including SPF, DKIM, and DMARC, most security gateways lack the technical criteria to block them. This grants attackers an unprecedented level of legitimacy, making their phishing lures significantly harder for both automated systems and human recipients to detect as fraudulent.
Cisco Talos analysts have been actively monitoring this evolving threat, publishing their findings on April 7, 2026. Their research indicates a peak in malicious activity on February 17, 2026, when approximately 2.89% of all emails originating from GitHub’s infrastructure were linked to this abuse. Over a five-day period, roughly 1.20% of traffic from the “[email protected]” address contained an “invoice” lure in the subject line.
Talos researchers have coined the term “Platform-as-a-Proxy (PaaP) model” to describe this method. It is crucial to note that attackers do not need to compromise any systems or breach the security of these platforms. Instead, they leverage existing, legitimate features—such as repository commits or project invitations—as conduits to inject and deliver malicious content. The platforms themselves then handle the delivery, complete with their verified digital signatures and trusted branding, inadvertently lending credibility to the phishing attempts.
The ultimate goal in nearly all observed instances of this campaign is credential harvesting. Victims are enticed to click on deceptive links disguised as urgent billing alerts, fraudulent support contact numbers, or misleading account warnings. Once users submit their login credentials on these fake pages, attackers gain an unauthorized entry point, which can rapidly escalate to account takeovers, unauthorized access to sensitive data, and broader network compromise.
How the Attack Works: GitHub and Jira Notification Pipelines
The two platforms are exploited through distinct, yet equally effective, mechanisms:
GitHub Exploitation
On GitHub, the attack initiates with the creation of a new repository. The attacker then pushes a commit, meticulously crafting the commit message fields with social engineering content. GitHub’s commit interface provides two primary text areas: a mandatory short summary line and a longer, optional description field. Attackers strategically place an urgent call-to-action, such as a fake invoice or billing alert, in the summary. The extended description is then populated with the full scam message, including fraudulent phone numbers or malicious links.
Upon submission of this commit, GitHub’s automated system dispatches a notification email to all associated collaborators. This notification email embeds the complete malicious message within its body. The resulting email appears as a standard GitHub notification, complete with legitimate headers. Analysis of the raw email headers confirms the sending server as “out-28.smtp.github.com,” a valid GitHub mail server with the IP address “192.30.252.211.” Furthermore, the DKIM signature correctly identifies “d=github.com” and passes all authentication checks without triggering any security flags.
Jira Exploitation
The approach for Jira differs slightly. Attackers create a Jira Service Management project, assigning it a deceptive name like “Argenta.” They then embed their phishing message within the “Welcome Message” or “Project Description” fields of this project. Utilizing the “Invite Customers” feature, the attacker submits the target’s email address. Atlassian’s backend subsequently generates an automated invitation email, seamlessly incorporating the attacker’s malicious content into its own signed and branded template. The email arrives appearing as an official Jira system notification, complete with Atlassian’s recognizable branding footer, further enhancing its perceived legitimacy.
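Because the messages in both pipelines are genuinely signed by the platform, a mail gateway cannot reject them on authentication alone; it has to look at what the platform rendered into the body. The following triage script is an added example (not code from the Talos report or from HackersRadar): it parses a notification, extracts the SPF/DKIM/DMARC verdicts and DKIM signing domain from the Authentication-Results header, and then applies content heuristics (financial terms in the subject, a phone number in the body, links to hosts outside the platform). Both sample messages are constructed; the sender address is a placeholder, and only the server name and IP come from the report.

```python
"""Triage a platform notification that passes SPF, DKIM and DMARC but may
carry a phishing lure in its platform-rendered body.  Added example; the
messages below are constructed and the sender local part is a placeholder."""
import re
from email import message_from_string
from email.message import Message

# Domains whose signed notifications this triage applies to.
PLATFORM_DOMAINS = {"github.com", "atlassian.net", "atlassian.com"}
# Terms that commit / project notifications rarely carry in a subject line.
FINANCIAL_TERMS = re.compile(
    r"\b(invoice|billing|payment|charged|refund|subscription)\b", re.I)
# Loose phone-number pattern: a digit, 7+ digits/spaces/punctuation, a digit.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
URL_HOST_RE = re.compile(r"https?://([\w.-]+)", re.I)

# Constructed sample: a commit notification whose commit body is a billing lure.
LURE_EMAIL = """\
From: GitHub <PLACEHOLDER-sender@github.com>
To: victim@corp.example
Subject: [example-org/billing] INVOICE #48213 overdue - action required
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=github.com;
 dkim=pass header.d=github.com; dmarc=pass header.from=github.com
Received: from out-28.smtp.github.com (out-28.smtp.github.com [192.30.252.211])
Content-Type: text/plain; charset=utf-8

Your annual subscription of $489.99 was charged to your card.
If you did not authorize this, call support now at +1 (800) 555-0199.
--
You are receiving this because you were added as a collaborator.
"""

# Constructed sample: an ordinary pull-request notification from the same infrastructure.
BENIGN_EMAIL = """\
From: GitHub <PLACEHOLDER-sender@github.com>
To: dev@corp.example
Subject: [example-org/api] Fix null check in request parser (PR #12)
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=github.com;
 dkim=pass header.d=github.com; dmarc=pass header.from=github.com
Content-Type: text/plain; charset=utf-8

Merged #12 into main.
View it on GitHub: https://github.com/example-org/api/pull/12
"""


def auth_results(msg: Message) -> dict:
    """Extract SPF/DKIM/DMARC verdicts and the DKIM signing domain (header.d)."""
    value = msg.get("Authentication-Results", "") or ""

    def verdict(name: str) -> str:
        m = re.search(rf"\b{name}=(\w+)", value)
        return m.group(1).lower() if m else "none"

    dom = re.search(r"header\.d=([\w.-]+)", value)
    return {"spf": verdict("spf"), "dkim": verdict("dkim"),
            "dmarc": verdict("dmarc"),
            "dkim_domain": dom.group(1).lower() if dom else None}


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of the message."""
    parts = ([p for p in msg.walk() if p.get_content_type() == "text/plain"]
             if msg.is_multipart() else [msg])
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts)


def lure_indicators(msg: Message) -> list:
    """Content heuristics for the billing / support-number lures described above."""
    found = []
    subject = msg.get("Subject", "") or ""
    body = body_text(msg)
    if FINANCIAL_TERMS.search(subject):
        found.append("financial_subject")
    if PHONE_RE.search(body):
        found.append("phone_number_in_body")
    # Links whose host is not the platform itself are worth a second look.
    off_platform = sorted({h.lower() for h in URL_HOST_RE.findall(body)
                           if not any(h.lower() == d or h.lower().endswith("." + d)
                                      for d in PLATFORM_DOMAINS)})
    if off_platform:
        found.append("off_platform_link:" + ",".join(off_platform))
    return found


def triage(raw: str) -> dict:
    """Return auth verdicts, lure indicators and an overall disposition."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    indicators = lure_indicators(msg)
    platform_signed = auth["dkim"] == "pass" and auth["dkim_domain"] in PLATFORM_DOMAINS
    if not platform_signed:
        disposition = "not_platform_signed"   # outside this triage's scope
    elif indicators:
        disposition = "review"                # authenticated, but body carries a lure
    else:
        disposition = "pass"
    return {"auth": auth, "indicators": indicators, "verdict": disposition}


if __name__ == "__main__":
    for name, raw in (("lure", LURE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, triage(raw))
```

The point of the two-stage check is that the authentication result is used as a routing decision, not as a trust decision: a DKIM pass for github.com tells the gateway which content heuristics to apply, and a notification that authenticates but carries a billing subject and a callback number goes to review rather than straight to the inbox.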
What You Should Do
- Verify Sender Identity Beyond Basic Checks: Do not solely rely on SPF, DKIM, or DMARC passes for emails from SaaS platforms. These attacks demonstrate that even legitimate sending infrastructure can be abused.
- Implement API Log Monitoring: Integrate GitHub and Atlassian API audit logs into your Security Information and Event Management (SIEM) or Security Orchestration, Automation, and Response (SOAR) systems. Configure alerts for unusual activities, such as mass user invitations, rapid project creation from untrusted locations, or changes in repository settings, before any phishing emails are sent.
- Educate Users on Contextual Anomalies: Train employees to be suspicious of any email from GitHub, Jira, or similar platforms that contains financial requests, urgent payment demands, or unexpected account warnings. These platforms are not typically used for direct billing or critical financial notifications.
- Direct Navigation for Sensitive Actions: Advise users to navigate directly to the official GitHub or Jira portal by typing the URL into their browser for any sensitive actions, rather than clicking on links embedded in notification emails.
- Report and Automate Takedowns: Establish a process for quickly reporting suspicious activity and phishing attempts to the Trust and Safety teams of GitHub and Atlassian. Automating these reports can increase the operational cost for attackers, making such campaigns less viable.
- Enhance Endpoint Protection: Ensure robust endpoint detection and response (EDR) solutions are in place to catch any malicious payloads or post-exploitation activities that might occur if a user falls victim to credential harvesting.
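The API log monitoring recommendation above can be reduced to a sliding-window count per actor: the GitHub and Jira pipelines both require a repository or project to be created and then a batch of collaborators or customers to be added, and those actions appear in the platform audit log before any notification leaves the vendor's servers. The script below is an added example (not code from the report or from either vendor): it ingests audit-log records in an actor/action/timestamp shape, filters to the actions that precede an outbound notification, and raises one alert per actor who performs at least a threshold number of them inside a time window. The event records are constructed, and the action names are an assumption about the GitHub audit-log schema; map your own export's field names onto them.

```python
"""Burst detection over platform audit-log events, as a SIEM rule would run it.
Added example; the event records are constructed and WATCHED_ACTIONS is an
assumed mapping onto the GitHub / Atlassian audit-log action names."""
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that precede a notification being sent out of the platform.
# Assumed names: map the real action field of your export onto this set.
WATCHED_ACTIONS = {"repo.create", "repo.add_member",
                   "org.invite_member", "project.invite_customer"}

# Constructed audit-log sample: normal activity from alice and bob, then one
# actor creating a repository and adding five outside addresses within a minute.
SAMPLE_EVENTS = [
    {"@timestamp": "2026-02-17T09:00:00+00:00", "actor": "alice",
     "action": "repo.create", "repo": "acme/api"},
    {"@timestamp": "2026-02-17T09:05:00+00:00", "actor": "alice",
     "action": "repo.add_member", "repo": "acme/api", "user": "bob"},
    {"@timestamp": "2026-02-17T10:00:00+00:00", "actor": "mallory",
     "action": "repo.create", "repo": "mallory/invoice-48213"},
] + [
    {"@timestamp": f"2026-02-17T09:{6 + i:02d}:00+00:00", "actor": "bob",
     "action": "git.push", "repo": "acme/api"}          # noisy but not watched
    for i in range(6)
] + [
    {"@timestamp": f"2026-02-17T10:00:{10 * i:02d}+00:00", "actor": "mallory",
     "action": "repo.add_member", "repo": "mallory/invoice-48213",
     "user": f"target{i}@corp.example"}
    for i in range(1, 6)
]


def parse_ts(value: str) -> datetime:
    """Audit logs export ISO-8601 timestamps; keep them timezone-aware."""
    return datetime.fromisoformat(value)


def detect_bursts(events, window_seconds: int = 600, threshold: int = 5) -> list:
    """Return one alert per actor whose watched events reach `threshold`
    inside any sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        if ev.get("action") in WATCHED_ACTIONS:
            by_actor[ev["actor"]].append(ev)

    alerts = []
    for actor, evs in by_actor.items():
        stamps = [parse_ts(e["@timestamp"]) for e in evs]
        best_size, best_span, start = 0, (0, 0), 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it fits within `window`.
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > best_size:
                best_size, best_span = end - start + 1, (start, end)
        if best_size >= threshold:
            s, e = best_span
            burst = evs[s:e + 1]
            alerts.append({
                "actor": actor,
                "count": best_size,
                "first": burst[0]["@timestamp"],
                "last": burst[-1]["@timestamp"],
                "actions": sorted({x["action"] for x in burst}),
                "targets": sorted({x.get("user") or x.get("repo") for x in burst}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(alert)
```

Tune `threshold` and `window_seconds` against a baseline of your organisation's normal invitation rate; the value that matters is how many addresses a single actor adds in the minutes after creating a repository or project, since that is the step at which the platform starts sending mail on the actor's behalf.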
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.