Cybercriminals are leveraging Atlassian Cloud to orchestrate a sophisticated spam campaign targeting high-value entities. By exploiting legitimate features in the platform, attackers bypass conventional email security measures, directing users to fraudulent investment schemes.
Targeted Attacks Across Multiple Regions
This campaign specifically targets government and corporate sectors across several language groups, including English, French, and German speakers. The emails are tailored to each language group and aim to mislead recipients into visiting deceptive landing pages via the Keitaro traffic distribution system (TDS), ultimately generating revenue through scams and illicit advertising.
Exploiting Trusted Infrastructure
Research from Trend Micro indicates that the campaign gained momentum between late December 2025 and January 2026. By utilizing reputable cloud services, the attackers ensure their emails pass authentication checks like Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), making detection challenging for traditional security filters that trust notifications from established SaaS platforms.
The campaign’s automation allows for rapid scaling, with multiple Atlassian instances created to distribute messages. This ensures continuity even if some instances are blocked, showcasing the adaptability and resourcefulness of modern cybercriminals.
Abusing Legitimate Features for Malicious Intent
The attackers’ strategy involves establishing disposable infrastructure through Atlassian Cloud accounts created with randomized names, enabling numerous Jira Cloud instances without domain verification. These instances utilize AWS IP addresses of legitimate deployments, further obscuring the malicious activity.
Using Jira Automation, attackers craft and send emails through Atlassian’s system, bypassing the need for personal mail servers. This allows for widespread message distribution without revealing the attackers’ identities or infrastructure.
Organizations must reevaluate their trust in third-party cloud-generated emails to prevent such abuses. Deploying advanced email security solutions and monitoring for indicators of compromise can help mitigate these threats. Security teams are encouraged to implement layered detection and identity-aware controls to better identify and block phishing attempts that exploit trusted platforms.
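One way to apply the advice above, as an added example that is not from Trend Micro's research or the original article: a triage check for Atlassian-sent notifications that does not treat a passing SPF/DKIM result as a verdict, and instead compares the sending tenant against an allow-list and looks for links that leave the platform. The tenant name, the `<site>.atlassian.net` From-address format, and the sample messages are assumptions constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

KNOWN_TENANTS = {"examplecorp.atlassian.net"}   # assumption: sites your org really uses
SAAS_SUFFIX = ".atlassian.net"                  # assumption: notification From domain
PLATFORM_DOMAINS = ("atlassian.net", "atlassian.com")
LINK_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def auth_passed(msg):
    """True when an Authentication-Results header shows spf=pass and dkim=pass."""
    return any("spf=pass" in v.lower() and "dkim=pass" in v.lower()
               for v in msg.get_all("Authentication-Results", []))

def link_hosts(msg):
    """Hosts of every http(s) link found in the text parts of the message."""
    text = "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_maintype() == "text")
    return {h.lower().rstrip(".") for h in LINK_RE.findall(text)}

def triage(raw):
    """Return (verdict, reasons, auth_ok) for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not domain.endswith(SAAS_SUFFIX):
        return "not-applicable", [], auth_passed(msg)
    reasons = []
    if domain not in KNOWN_TENANTS:
        reasons.append("unknown tenant: " + domain)
    for host in sorted(link_hosts(msg)):
        if not any(host == d or host.endswith("." + d) for d in PLATFORM_DOMAINS):
            reasons.append("off-platform link: " + host)
    # Authentication is reported but never clears a message by itself.
    return ("quarantine" if reasons else "allow"), reasons, auth_passed(msg)

# Constructed sample messages (not taken from the campaign).
HEADERS = ("Authentication-Results: mx.example.org; spf=pass; dkim=pass\n"
           "Subject: [JIRA] Update\n")
KNOWN = ("From: Jira <jira@examplecorp.atlassian.net>\n" + HEADERS +
         "\nSee https://examplecorp.atlassian.net/browse/OPS-1\n")
UNKNOWN = ("From: Jira <jira@qx7r2kfm.atlassian.net>\n" + HEADERS +
           "\nClaim your bonus at https://landing.example.test/offer\n")

if __name__ == "__main__":
    for name, raw in (("known", KNOWN), ("unknown", UNKNOWN)):
        print(name, triage(raw))
```

Both sample messages carry the same passing authentication result; only the tenant and link checks separate them.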
