Cybercriminals have discovered a new way to bypass traditional security measures by exploiting the notification features of trusted platforms like GitHub and Jira. These platforms, commonly used by developers and IT teams, are being manipulated to send phishing emails directly from their legitimate servers, making detection much more challenging.
Unveiling the Threat: How Phishing Leveraged SaaS Platforms
This new phishing tactic is notably dangerous due to its simplicity. Unlike typical phishing attempts that rely on spoofed sender addresses or look-alike domains, these emails are sent from GitHub's and Jira's own mail infrastructure. Because they originate from the genuine servers, they pass standard email authentication checks (SPF, DKIM, and DMARC), so authentication-based filters often do not flag them as threats.
According to Cisco Talos, which published its findings on April 7, 2026, such attacks reached a peak on February 17, 2026, with approximately 2.89% of emails from GitHub’s infrastructure being linked to this abuse. Over a five-day period, 1.20% of emails from ‘[email protected]’ contained a misleading ‘invoice’ subject line.
Methods of Exploitation: GitHub and Jira Tactics
Cybercriminals employ what is known as the Platform-as-a-Proxy (PaaP) model. They do not need to compromise the platforms; instead they abuse existing features such as repository commits and project invitations to deliver malicious content. Because the resulting notifications carry the platforms' verified signatures and trusted branding, the attack inherits an appearance of legitimacy.
On GitHub, the process begins with creating a repository where attackers push commits filled with social engineering hooks. These hooks often appear as urgent billing alerts or fake invoices. When collaborators receive these notifications, they may be tricked into following links that lead to credential theft.
Jira is exploited through its Service Management projects. Attackers craft projects with deceptive names and embed phishing content in the welcome or project description fields. Invitations sent through Atlassian’s system appear legitimate, wrapping the malicious content in the platform’s standard templates.
Defensive Measures and Recommendations
To combat these threats, Cisco Talos suggests that organizations should not automatically trust emails from SaaS platforms. Security teams are advised to monitor GitHub and Jira API logs using SIEM or SOAR systems to detect suspicious activities, such as unusual project creation or mass invitations. Emails with financial or urgent content should be scrutinized, as they are inconsistent with these platforms’ intended uses.
For secure interactions, users should directly access official platform portals rather than clicking on links in notifications. Additionally, organizations should automate reports to platform Trust and Safety teams to deter attackers by increasing their operational costs.
By implementing these practices, businesses can better protect themselves against phishing threats that exploit trusted SaaS channels.
