Phishers Exploit GitHub and Jira Email Systems

Summary
– Attackers are abusing the notification systems of trusted SaaS platforms like GitHub and Jira to send phishing and spam emails.
– These emails bypass standard email security checks because they are sent from the platforms’ own authenticated infrastructure.
– On GitHub, attackers push commits to existing projects to trigger automatic notifications, hiding malicious links in the commit description field.
– On Jira, attackers use the “Invite Customers” feature to embed scam content into system-generated, professionally formatted notification emails.
– These attacks exploit the inherent trust in these platforms’ communications, making the malicious emails less likely to be blocked by security gateways.
A new wave of sophisticated phishing campaigns is leveraging the trusted notification systems of major software development platforms. Cisco Talos researchers have identified a concerning trend where attackers are abusing the legitimate email infrastructure of services like GitHub and Jira to distribute malicious content. This method effectively bypasses traditional email security filters, as the messages originate from the platforms’ own verified domains and pass all standard email authentication checks like SPF, DKIM, and DMARC.
The core of the attack lies in decoupling malicious intent from technical infrastructure. By using the platforms’ automated notification features, adversaries can deliver phishing lures with what appears to be a seal of approval from a trusted source. Most security gateways are not configured to scrutinize these legitimate-looking transactional emails, allowing the malicious content to reach inboxes unchallenged.
On GitHub, the abuse centers on the platform’s collaborative notification system. Attackers gain access to an existing repository and push a new commit. This action automatically triggers email alerts to all project collaborators. The content of these notifications is generated by GitHub’s own systems, so it avoids raising security flags. The attackers exploit the two text fields provided when creating a commit. They place an attention-grabbing, benign-looking summary in the short title field. The actual malicious payload, such as fake billing alerts or phishing links, is then embedded within the longer description field that appears in the email body. Researchers noted that on one peak day, nearly 2.89 percent of all emails sent from GitHub were linked to this form of abuse.
The Jira exploitation follows a similar principle but uses a different feature. Attackers create a new Jira Service Management project with a legitimate-sounding name. They then input their phishing content, such as a fabricated security alert, into fields like the Welcome Message or Project Description. The critical step involves using Jira’s built-in Invite Customers function. By entering target email addresses, the attackers trigger Atlassian’s backend to assemble a notification. The system injects the attacker-provided content into its own trusted email template, resulting in a professionally formatted “Service Desk” notification complete with official Atlassian branding.
Because the final email is assembled and cryptographically signed inside Atlassian’s own infrastructure, it is highly unlikely to be flagged by standard email security solutions. Furthermore, Jira notifications are commonplace and expected in corporate environments, making them even less likely to be blocked or treated with suspicion. This technique allows threat actors to place malicious links and text directly into system-generated emails that recipients are primed to trust.
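Since these messages pass SPF, DKIM and DMARC, the useful detection signal is the body, not the envelope: a GitHub push notification or a Jira “Service Desk” invite whose text carries links to hosts outside the sending platform. The following triage script is an added example written for this page, not code from Cisco Talos, GitHub or Atlassian. It assumes the receiving mail server stamps an Authentication-Results header, that platform notifications only ever link back to the platform’s own domains (the PLATFORM_LINK_DOMAINS table is an assumption to be tuned per tenant), and uses three constructed sample messages with invented hosts under `.example.invalid`.

```python
"""Triage of platform notification emails: flag bodies whose links point
away from the platform that sent them (added example, constructed samples)."""
import re
from email import message_from_string
from urllib.parse import urlparse

# Sender domains of the two platforms, mapped to the domains their own
# notification links normally use. Assumption: extend for your own tenants
# (a GitHub Enterprise hostname, a Jira Data Center hostname, and so on).
PLATFORM_LINK_DOMAINS = {
    "github.com": ("github.com",),
    "atlassian.net": ("atlassian.net", "atlassian.com"),
}

# Vocabulary of the lures the article describes (fake billing / security alerts).
LURE_TERMS = ("billing", "invoice", "payment", "suspended", "security alert", "verify")

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def sender_platform(msg):
    """Platform key whose domain matches the From: address, or None."""
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    if not match:
        return None
    domain = match.group(1).lower()
    for platform in PLATFORM_LINK_DOMAINS:
        if domain == platform or domain.endswith("." + platform):
            return platform
    return None


def auth_passed(msg):
    """True when the receiving MTA recorded spf, dkim and dmarc as pass."""
    results = msg.get("Authentication-Results", "").lower()
    return all(f"{check}=pass" in results for check in ("spf", "dkim", "dmarc"))


def body_text(msg):
    """Concatenate the text/plain parts of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            chunks.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(chunks)


def off_platform_links(text, platform):
    """URLs in the body whose host is not one of the platform's own domains."""
    allowed = PLATFORM_LINK_DOMAINS[platform]
    flagged = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in allowed):
            flagged.append(url)
    return flagged


def triage(raw_message):
    """Verdict for one raw RFC 5322 message: not-platform, clean or suspicious."""
    msg = message_from_string(raw_message)
    platform = sender_platform(msg)
    if platform is None:
        return {"verdict": "not-platform", "platform": None, "links": [], "lures": []}
    text = body_text(msg)
    links = off_platform_links(text, platform)
    lures = [term for term in LURE_TERMS if term in text.lower()]
    return {
        "verdict": "suspicious" if links else "clean",
        "platform": platform,
        "auth_pass": auth_passed(msg),  # stays True: the abuse does not break authentication
        "links": links,
        "lures": lures,
    }


# Constructed samples (not real messages). All three pass authentication, as the
# article describes; only the body decides the verdict.
BENIGN_GITHUB = """\
From: notifications@github.com
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8

Fix typo in README
View it on GitHub: https://github.com/example-org/widget/commit/abc1234
"""

LURE_GITHUB = """\
From: notifications@github.com
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8

Update build config

Your billing statement is overdue. Review the invoice at
https://account-billing.example.invalid/pay to avoid suspension.
View it on GitHub: https://github.com/example-org/widget/commit/def5678
"""

LURE_JIRA = """\
From: jira@acme-support.atlassian.net
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8

Security alert: unusual sign-in detected. Verify your account at
https://login-verify.example.invalid/ within 24 hours.
Portal: https://acme-support.atlassian.net/servicedesk/customer/portal/1
"""
```

Run `triage(LURE_GITHUB)` and the result carries `auth_pass: True` alongside `verdict: "suspicious"`, which is the point of the article: authentication results alone cannot separate the lure from the benign push notification, but an off-platform link in a system-generated body can. The lure-term list is supporting evidence only; the verdict is driven by links, so a notification that merely mentions an invoice is not flagged on its own.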
(Source: Help Net Security)