Researchers from Cisco Talos have identified that attackers are taking advantage of the notification systems provided by SaaS platforms like GitHub and Jira to distribute phishing and spam emails.
They emphasize that because these emails originate from the platforms' own mail infrastructure, they pass the standard sender-authentication checks (SPF, DKIM and DMARC), which sidesteps the primary defenses of contemporary email security: the gateway sees a legitimately authenticated GitHub or Atlassian message, not a spoof.
“By separating the malicious intent from the technical infrastructure, attackers are able to deliver phishing content with a 'seal of approval' that few security gateways are prepared to challenge,” they remarked.
Exploitation of GitHub
Attackers are manipulating GitHub's notification system to send out harmful payloads.
GitHub automatically notifies collaborators of activity within a repository, so when an attacker pushes a commit to an existing project, every collaborator receives an automatic email notification. “Since the content is generated by the platform itself, it avoids triggering any security alerts,” the researchers explained.
A commit message has two text fields that both end up in the notification email: a brief summary (the subject line of the commit) and a longer, more detailed description.
The brief summary is displayed prominently in the notification email, so attackers use it to craft a convincing hook that captures attention. The actual phishing payload, such as fraudulent billing details, a callback phone number or phishing links, is placed in the longer description.
On a single peak day, roughly 2.89% of GitHub's outgoing email was tied to this abuse, as shown in the GitHub timeline.
Exploitation of Jira
Rather than relying on repository activity for notifications, attackers use the “Invite Customers” feature in Jira to send phishing emails that evade email security measures.
They create a Jira account, set up a new Service Management project with a plausible name, and place their malicious content (for example a fake security alert) in the project's Welcome Message or Project Description field, since text in those fields is copied automatically into the system-generated emails.
Next, they use the Invite Customers feature and enter the victims' email addresses. Atlassian's backend then builds the email by inserting the attacker's text into its own trusted template, producing a well-formatted “Service Desk” notification complete with Atlassian's branding and footer.
Because these messages are sent from Atlassian's infrastructure, inside Atlassian's own templates and DKIM-signed under its domain, email security solutions are unlikely to flag them. Cisco Talos also notes that Jira notifications are expected traffic in corporate environments, including for ordinary employees, and are seldom blocked.
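The practical consequence of both the GitHub and the Jira technique above is that SPF, DKIM and DMARC results say nothing about the message body, so a gateway or mailbox rule has to inspect the attacker-controlled text inside the platform template. The following Python script is an added example, not code from Cisco Talos or from either platform: it parses a raw notification, confirms the sender is a known notifier whose authentication passed, and then scans the subject and body for links to hosts the platform would not normally reference and for common lure wording. The three sample messages, the trusted-domain and allowed-host lists, and the lure patterns are all constructed for illustration and would need tuning in a real deployment.

```python
"""Scan authenticated SaaS notifications (GitHub, Jira) for phishing content.

Added example, not from the Talos report. Sample messages, domain lists and
lure patterns below are constructed assumptions for demonstration.
"""
import re
from email import policy
from email.parser import BytesParser

# Platforms whose notification mail is expected to pass SPF/DKIM/DMARC (assumed list).
TRUSTED_NOTIFIERS = {"github.com": "GitHub", "atlassian.net": "Jira", "atlassian.com": "Jira"}
# Link hosts that legitimately appear in those platforms' own notifications (assumed list).
ALLOWED_LINK_HOSTS = {"github.com", "atlassian.net", "atlassian.com"}
# Wording typical of billing / callback / credential lures (assumed, tune per environment).
LURE_PATTERNS = [
    re.compile(r"\b(invoice|billing|payment|refund|subscription)\b", re.I),
    re.compile(r"\b(call|contact)\b.{0,40}?\+?\d[\d\s().-]{8,}\d", re.I | re.S),
    re.compile(r"\b(verify|confirm|update)\b.{0,30}\b(account|card|password)\b", re.I | re.S),
]
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def auth_passed(msg):
    """True when Authentication-Results reports spf, dkim and dmarc all as pass."""
    results = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    return all(re.search(rf"\b{mech}=pass\b", results, re.I) for mech in ("spf", "dkim", "dmarc"))


def sender_platform(msg):
    """Return the platform name if the From domain belongs to a trusted notifier."""
    match = re.search(r"@([A-Za-z0-9.-]+)", str(msg.get("From", "")))
    if not match:
        return None
    domain = match.group(1).lower()
    for suffix, name in TRUSTED_NOTIFIERS.items():
        if domain == suffix or domain.endswith("." + suffix):
            return name
    return None


def analyze(raw):
    """Parse one raw RFC 5322 message and report suspicious content inside a trusted template."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    platform, authenticated, findings = sender_platform(msg), auth_passed(msg), []
    # Only authenticated platform mail reaches this content check; anything else is
    # already subject to normal DMARC policy at the gateway.
    if platform and authenticated:
        body = msg.get_body(preferencelist=("plain", "html"))
        text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
        for host in sorted({h.lower() for h in URL_HOST_RE.findall(text)}):
            if host not in ALLOWED_LINK_HOSTS and not any(host.endswith("." + a) for a in ALLOWED_LINK_HOSTS):
                findings.append(f"external link host: {host}")
        for pattern in LURE_PATTERNS:
            if pattern.search(text):
                findings.append(f"lure pattern: {pattern.pattern}")
    return {"platform": platform, "auth_passed": authenticated, "findings": findings,
            "suspicious": bool(findings)}


# Constructed samples. The phone number and hosts are fictional.
AUTH_OK = b"Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=%s; dkim=pass header.d=%s; dmarc=pass header.from=%s\n"

GITHUB_COMMIT_LURE = (
    b"From: Acme Billing <notifications@github.com>\nTo: victim@example.com\n"
    b"Subject: [acme/infra] Invoice #4471 overdue (abcdef0)\n"
    + AUTH_OK % (b"github.com", b"github.com", b"github.com")
    + b"Content-Type: text/plain; charset=utf-8\n\n"
    b"Invoice #4471 overdue\n\nYour subscription payment of $499.00 could not be processed.\n"
    b"To avoid service interruption call our billing desk at +1 (800) 555-0199.\n"
)

JIRA_INVITE_LURE = (
    b"From: Jira <jira@acme-support.atlassian.net>\nTo: victim@example.com\n"
    b"Subject: Welcome to IT Security Desk\n"
    + AUTH_OK % (b"acme-support.atlassian.net", b"atlassian.net", b"atlassian.net")
    + b"Content-Type: text/plain; charset=utf-8\n\n"
    b"You have been invited to IT Security Desk.\n\nWelcome! Verify your password within 24 hours at\n"
    b"https://acme-sso-login.example.net/verify or access will be suspended.\n"
)

GITHUB_BENIGN = (
    b"From: octocat <notifications@github.com>\nTo: dev@example.com\n"
    b"Subject: [acme/infra] Bump requests to 2.32 (abcdef0)\n"
    + AUTH_OK % (b"github.com", b"github.com", b"github.com")
    + b"Content-Type: text/plain; charset=utf-8\n\n"
    b"Bump requests to 2.32\n\nRoutine dependency bump, see https://github.com/acme/infra/commit/abcdef0\n"
)

if __name__ == "__main__":
    for name, raw in (("github lure", GITHUB_COMMIT_LURE), ("jira lure", JIRA_INVITE_LURE), ("benign", GITHUB_BENIGN)):
        print(name, analyze(raw))
```

The design point is the order of checks: authentication is used only to decide that the message really came from the platform, after which the attacker-controlled fields (commit summary and description, Jira welcome message) are treated as untrusted input and inspected on their own merits. All three constructed samples pass SPF, DKIM and DMARC; only content analysis separates the two lures from the routine dependency bump.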