A recent security analysis from Trend Micro reveals a novel spam campaign that leverages the legitimate Atlassian Jira Cloud platform to deliver spam and phishing content at scale. By abusing trusted SaaS workflows, this attack demonstrates how threat actors can weaponize widely-used enterprise tools to bypass traditional email security and deceive recipients.
How the Campaign Operates
Rather than sending spam from suspicious third-party domains that are easily flagged by filters, the attackers abuse Jira’s own email notification system. They automatically generate Jira issues and trigger notification emails from Atlassian’s infrastructure, emails that recipients and security systems normally trust. Because Atlassian’s own servers genuinely send these messages, they pass the standard authentication checks (SPF, DKIM, and DMARC) outright rather than evading them: those checks only confirm that the sender really is Atlassian, which in this case is exactly the problem, so they give spam filters no useful signal.
The campaign is designed with several key attributes:
- Exploitation of Trusted Infrastructure: Emails really do come from Atlassian’s servers and pass sender authentication, so both users and automated filters treat them as legitimate.
- Automated Targeting: Threat actors automatically generated issues that triggered notification emails to crafted target lists. These lists often include domains of organizations known to be using Jira.
- Multilingual Localisation: Subject lines and email content were tailored to multiple languages — including English, French, German, Italian, Portuguese, and Russian — increasing their effectiveness across global audiences.
How Recipients Are Enticed
Spam messages often use familiar templates typical of Jira activity notifications, such as invitations to projects, issue assignments, or collaboration alerts. Instead of taking users to a real Jira interface, however, the links redirect through a Traffic Distribution System (TDS) (e.g., Keitaro) that eventually guides victims to external scam landing pages. The final destinations include:
- Dubious investment or cryptocurrency schemes
- Online casino or gambling offers
- Other fraudulent services designed to harvest personal or financial information
The TDS in this redirection chain also works as an evasion layer: it can serve different content depending on the visitor (for example steering crawlers, sandboxes, and security scanners to a harmless page), so automated URL analysis sees nothing malicious while real users are forwarded to the scam content.
Targeting Strategy and Impact
Trend Micro’s research indicates that the threat actors specifically sought out organizations with a high rate of Jira usage, knowing that employees would be conditioned to trust Jira notifications. This means that:
- Government agencies and corporate entities may be at particular risk.
- Environments with high email volume and routine collaboration-tool notifications are more likely to act on a fraudulent one, because it blends in with the expected stream of Jira traffic.
By exploiting the trust placed in SaaS cloud platforms, this campaign highlights a broader shift in tactics where attackers use legitimate enterprise services as vectors for abuse — increasing both the difficulty of detection and the likelihood of user interaction.
Security and Mitigation Measures
Given the sophistication of this campaign, organizations should consider layered defences that go beyond traditional anti-spam filters:
- Advanced Email Security Tools: Deploy solutions capable of analyzing context and behaviour, not just authentication headers.
- User Awareness Training: Educate users about the risk of unexpected Jira notifications, even if they appear to come from legitimate sources.
- Monitoring of SaaS Activity: Implement security monitoring and anomaly detection for SaaS platforms to track unusual issue creation or automated ticket generation.
- Traffic Inspection and URL Filtering: Utilize security tools that inspect redirected URLs and block known malicious landing pages.
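The two points above that a mail filter can actually act on are the redirect chain and the fact that sender authentication gives no signal. The following is an added example, not code from Trend Micro, Atlassian, or the campaign report, showing a triage rule for Jira-style notifications: it parses each message, records whether SPF/DKIM/DMARC passed, and then ignores that result, instead checking the sender and every link against the organization’s own tenant. It assumes a hypothetical tenant `example-corp.atlassian.net` whose notifications arrive from `jira@example-corp.atlassian.net`, and an allowlist of Atlassian hosts (all assumptions); the two messages are constructed for the demo, not captured samples.

```python
"""Triage Jira-style notification emails that pass SPF/DKIM/DMARC.

Added example; not code from Trend Micro, Atlassian, or the campaign report.
Assumptions (hypothetical): our Jira Cloud tenant is example-corp.atlassian.net,
its notifications come from jira@example-corp.atlassian.net, and the two sample
messages below are constructed for this demo, not captured from the campaign.
"""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: our own tenant plus Atlassian's identity/marketing hosts.
TRUSTED_HOSTS = {"example-corp.atlassian.net", "id.atlassian.com", "atlassian.com"}
# Assumed address that genuine notifications for OUR tenant are sent from.
EXPECTED_SENDERS = {"jira@example-corp.atlassian.net"}


class _LinkExtractor(HTMLParser):
    """Collect href values from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def host_is_trusted(host):
    """True if host is an allowlisted host or a subdomain of one."""
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def extract_link_hosts(msg):
    """Return the set of hostnames linked from the message body (HTML preferred)."""
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return set()
    parser = _LinkExtractor()
    parser.feed(body.get_content())
    return {urlparse(u).hostname.lower() for u in parser.links if urlparse(u).hostname}


def analyze(raw_message):
    """Classify one RFC 5322 message. Passing authentication is recorded but never
    treated as evidence of legitimacy: the tenant and the link targets decide."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    auth = str(msg.get("Authentication-Results") or "").lower()
    auth_pass = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))

    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    external = sorted(h for h in extract_link_hosts(msg) if not host_is_trusted(h))

    reasons = []
    if sender not in EXPECTED_SENDERS:
        reasons.append(f"sender {sender!r} is not our tenant's notification address")
    if external:
        reasons.append("links leave trusted Atlassian hosts: " + ", ".join(external))
    return {
        "auth_pass": auth_pass,
        "sender": sender,
        "external_hosts": external,
        "reasons": reasons,
        "verdict": "suspicious" if reasons else "expected",
    }


# Constructed sample 1: a genuine-looking notification from our own tenant.
LEGIT_NOTIFICATION = """\
From: jira@example-corp.atlassian.net
To: alice@example-corp.net
Subject: [JIRA] (OPS-42) Bob assigned an issue to you
Authentication-Results: mx.example-corp.net; spf=pass smtp.mailfrom=example-corp.atlassian.net; dkim=pass header.d=example-corp.atlassian.net; dmarc=pass header.from=example-corp.atlassian.net
Content-Type: text/html; charset="utf-8"

<html><body><p>Bob assigned <a href="https://example-corp.atlassian.net/browse/OPS-42">OPS-42</a> to you.</p></body></html>
"""

# Constructed sample 2: same template, but from a tenant we do not own, with a
# link into a TDS. Authentication still passes, which is the whole point.
SPAM_NOTIFICATION = """\
From: jira@other-tenant.atlassian.net
To: alice@example-corp.net
Subject: [JIRA] Sie wurden zu einem Projekt eingeladen
Authentication-Results: mx.example-corp.net; spf=pass smtp.mailfrom=other-tenant.atlassian.net; dkim=pass header.d=other-tenant.atlassian.net; dmarc=pass header.from=other-tenant.atlassian.net
Content-Type: text/html; charset="utf-8"

<html><body><p>Open the shared project: <a href="https://go.tds.example/r/9f3a">View issue</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_NOTIFICATION), ("spam", SPAM_NOTIFICATION)):
        print(name, analyze(raw))
```

The design point is the allowlist: it is scoped to the tenant your organization actually uses, so a notification from any other `*.atlassian.net` tenant is suspicious even though it is authentic Atlassian mail. The rule only inspects the first hop of a link; resolving the TDS chain to its final landing page still needs a detonation or URL-rewriting service, and as noted above a TDS may show such a service a benign page.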
Furthermore, reporting suspicious Jira notifications to Atlassian’s abuse mechanisms can help disrupt ongoing campaigns, although effectiveness depends on timely action.
Conclusion
This campaign is a clear example of how threat actors are increasingly creative in abusing trusted enterprise services to propagate spam and phishing at scale. By turning a collaborative product like Jira into a delivery mechanism for malicious content, the attackers subvert both user trust and standard security controls. Organizations must adapt by implementing multi-layered defences, enhancing user education, and monitoring SaaS workflows more closely to detect and respond to such abuse.
